diff --git a/.github/workflows/gitgalaxy-artifacts.yml b/.github/workflows/gitgalaxy-artifacts.yml new file mode 100644 index 00000000..da134c2f --- /dev/null +++ b/.github/workflows/gitgalaxy-artifacts.yml @@ -0,0 +1,53 @@ +name: Generate GitGalaxy Artifacts (Post-Gate) + +on: + push: + branches: + - main + +permissions: + contents: write + security-events: write + +jobs: + generate-compliance-artifacts: + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Install GitGalaxy (Full Precision) + uses: squid-protocol/gitgalaxy@v2.4.0 # Or your composite action path + with: + tool: 'galaxyscope' + target: '.' + full_precision: 'true' + + - name: Generate SARIF, SBOM, and LLM Brief + run: | + # Execute galaxyscope to generate all required outputs + galaxyscope . --sarif-only --output gitgalaxy-results_sarif.json + galaxyscope . --sbom-only --output gitgalaxy-sbom.json + galaxyscope . --llm-only --output gitgalaxy_architecture_brief.md + + - name: Upload SARIF to GitHub Security Tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: gitgalaxy-results_sarif.json + + - name: Upload SBOM as Build Artifact + uses: actions/upload-artifact@v4 + with: + name: gitgalaxy-sbom + path: gitgalaxy-sbom.json + + - name: Commit LLM Brief to Docs + run: | + mkdir -p docs + mv gitgalaxy_architecture_brief.md docs/ || true + git config --global user.name "github-actions[bot]" + git config --global user.email "github-actions[bot]@users.noreply.github.com" + git add docs/gitgalaxy_architecture_brief.md + git diff --quiet && git diff --staged --quiet || (git commit -m "docs: auto-update LLM architectural brief" && git push) \ No newline at end of file diff --git a/.github/workflows/gitgalaxy-audit.yml b/.github/workflows/gitgalaxy-audit.yml index bd913253..22f11013 100644 --- a/.github/workflows/gitgalaxy-audit.yml +++ b/.github/workflows/gitgalaxy-audit.yml @@ -1,40 +1,5 @@ -name: GitGalaxy Zero-Trust Audit - on: push: - branches: [ "main", "feature/*" ] + branches: [ "feature/*" ] pull_request: branches: [ "main" ] - -jobs: - spectral-audit: - runs-on: ubuntu-latest - - steps: - - name: Checkout Repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Required for the Chronometer to read full Git history - - - name: Setup Python 3.12 - uses: actions/setup-python@v5 - with: - python-version: "3.12" - cache: "pip" - - - name: Install GitGalaxy & Dependencies - run: | - python -m pip install --upgrade pip - pip install . networkx tiktoken xgboost pandas numpy - - - name: Execute Spectral Audit - run: | - # Relaxed thresholds until --incremental or --ignore are implemented - galaxyscope . --max-risk-exposure 120 --fail-on-malware --sarif-only --output gitgalaxy-results_sarif.json - - - name: Upload SARIF Artifact - if: always() - uses: actions/upload-artifact@v4 - with: - name: gitgalaxy-sarif-report - path: gitgalaxy-results_sarif.json diff --git a/.github/workflows/gitgalaxy.yml b/.github/workflows/gitgalaxy.yml index ba981939..f43279b9 100644 --- a/.github/workflows/gitgalaxy.yml +++ b/.github/workflows/gitgalaxy.yml @@ -1,40 +1,4 @@ -name: GitGalaxy Zero-Trust Pipeline - -on: - pull_request: - branches: [main] - -permissions: - contents: read - -jobs: - vault-sentinel: - name: Vault Sentinel - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - persist-credentials: false - - - uses: ./ - with: - tool: vault-sentinel - target: . - - xray-inspector: - name: X-Ray Inspector - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - persist-credentials: false - - - uses: ./ - with: - tool: xray-inspector - target: . - - supply-chain-firewall: +supply-chain-firewall: name: Supply Chain Firewall runs-on: ubuntu-latest steps: @@ -46,37 +10,4 @@ jobs: with: tool: supply-chain-firewall target: . - version: local - - architectural-report: - name: LLM Structural Brief - needs: [vault-sentinel, xray-inspector, supply-chain-firewall] - runs-on: ubuntu-latest - if: github.event_name == 'push' - permissions: - contents: write - steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - with: - fetch-depth: 0 - # zizmor: ignore[artipacked] - - - name: Generate GalaxyScope LLM Brief - uses: ./ - with: - tool: galaxyscope - target: . - args: --llm-only - full_precision: 'true' - - - name: Commit and Push LLM Brief to Main - run: | - mkdir -p docs - mv *_galaxy_llm.md docs/gitgalaxy_architecture_brief.md || true - - git config --global user.name "github-actions[bot]" - git config --global user.email "github-actions[bot]@users.noreply.github.com" - - git add docs/gitgalaxy_architecture_brief.md - - git diff --quiet && git diff --staged --quiet || (git commit -m "docs: auto-update LLM architectural brief" && git push) \ No newline at end of file + version: local \ No newline at end of file