ci: enforce strict exit codes in workflow tests

- Remove `|| echo "⚠️ ..."` fallbacks that masked failures - Add explicit `exit 1` on port readiness failures and missing test directories - Track port_ready flag in health check loops to fail if services don't start - Replace warning emoji (⚠️) with error emoji (❌) for actual failures - Fix docs-validation to use curated Markdown target list excluding high-noise directories - Update rust-zk-tests paths from gpu_acceleration/research to dev
2026-04-18 11:57:35 +02:00
parent 40698f91fd
commit 23348892b9
34 changed files with 2680 additions and 1445 deletions
--- a/.gitea/workflows/security-scanning.yml
+++ b/.gitea/workflows/security-scanning.yml
@@ -41,7 +41,7 @@ jobs:
          
          python3 -m venv venv
          source venv/bin/activate
-          pip install -q bandit safety pip-audit
+          pip install -q bandit pip-audit
          echo "✅ Security tools installed"

      - name: Python dependency audit
@@ -49,7 +49,7 @@ jobs:
          cd /var/lib/aitbc-workspaces/security-scan/repo
          source venv/bin/activate
          echo "=== Dependency Audit ==="
-          pip-audit -r requirements.txt --desc 2>/dev/null || echo "⚠️ Some vulnerabilities found"
+          pip-audit -r requirements.txt --desc
          echo "✅ Dependency audit completed"

      - name: Bandit security scan
@@ -60,7 +60,7 @@ jobs:
          bandit -r apps/ packages/py/ cli/ \
            -s B101,B311 \
            --severity-level medium \
-            -f txt -q 2>/dev/null || echo "⚠️ Bandit findings"
+            -f txt -q
          echo "✅ Bandit scan completed"

      - name: Check for secrets
@@ -68,8 +68,28 @@ jobs:
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== Secret Detection ==="
          # Simple pattern check for leaked secrets
-          grep -rn "PRIVATE_KEY\s*=\s*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" && echo "⚠️ Possible secrets found" || echo "✅ No secrets detected"
-          grep -rn "password\s*=\s*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" | head -5 && echo "⚠️ Possible hardcoded passwords" || echo "✅ No hardcoded passwords"
+          secret_matches=$(mktemp)
+          password_matches=$(mktemp)
+
+          grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
+          grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
+
+          if [[ -s "$secret_matches" ]]; then
+            echo "❌ Possible secrets found"
+            cat "$secret_matches"
+            rm -f "$secret_matches" "$password_matches"
+            exit 1
+          fi
+
+          if [[ -s "$password_matches" ]]; then
+            echo "❌ Possible hardcoded passwords"
+            head -5 "$password_matches"
+            rm -f "$secret_matches" "$password_matches"
+            exit 1
+          fi
+
+          rm -f "$secret_matches" "$password_matches"
+          echo "✅ No hardcoded secrets detected"

      - name: Cleanup
        if: always()