-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathgithub-action.yml
More file actions
65 lines (55 loc) · 1.75 KB
/
github-action.yml
File metadata and controls
65 lines (55 loc) · 1.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# GuardLink CI — Copy to your project's .github/workflows/guardlink.yml
#
# What it does:
# 1. Validates annotations (syntax errors, dangling refs, duplicate IDs)
# 2. Shows threat model diff on PRs (what security posture changed)
# 3. Uploads unmitigated exposures to GitHub Security tab via SARIF
# 4. Posts a coverage summary as a PR comment
#
# For multi-repo workspaces, see examples/ci/ which adds report JSON
# generation and a weekly workspace merge workflow.
name: GuardLink
on:
pull_request:
branches: [main, master]
push:
branches: [main, master]
permissions:
contents: read
pull-requests: write
security-events: write
jobs:
guardlink:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install GuardLink
run: npm install -g guardlink
# Gate: Fail if annotations have errors
- name: Validate annotations
run: guardlink validate .
# Diff: Show what changed (PRs only)
- name: Threat model diff
if: github.event_name == 'pull_request'
id: diff
run: |
DIFF=$(guardlink diff --from origin/${{ github.base_ref }} --to HEAD 2>&1) || true
echo "diff<<EOF" >> $GITHUB_OUTPUT
echo "$DIFF" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
# SARIF: Upload to GitHub Security tab
- name: Export SARIF
if: always()
run: guardlink sarif . -o guardlink.sarif
continue-on-error: true
- name: Upload SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: guardlink.sarif
continue-on-error: true