oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity
Files
2d2b26138495016523d9f1228453a76e1a4cc5dc
aitbc/.gitea/workflows/security-scanning.yml
aitbc1 2d2b261384
All checks were successful
API Endpoint Tests / test-api-endpoints (push) Successful in 29s
Details
CLI Tests / test-cli (push) Successful in 1m20s
Details
Documentation Validation / validate-docs (push) Successful in 12s
Details
JavaScript SDK Tests / test-js-sdk (push) Successful in 21s
Details
Integration Tests / test-service-integration (push) Successful in 44s
Details
Package Tests / test-python-packages (map[name:aitbc-agent-sdk path:packages/py/aitbc-agent-sdk]) (push) Successful in 38s
Details
Package Tests / test-python-packages (map[name:aitbc-core path:packages/py/aitbc-core]) (push) Successful in 19s
Details
Package Tests / test-python-packages (map[name:aitbc-crypto path:packages/py/aitbc-crypto]) (push) Successful in 21s
Details
Package Tests / test-python-packages (map[name:aitbc-sdk path:packages/py/aitbc-sdk]) (push) Successful in 24s
Details
Package Tests / test-javascript-packages (map[name:aitbc-sdk-js path:packages/js/aitbc-sdk]) (push) Successful in 8s
Details
Package Tests / test-javascript-packages (map[name:aitbc-token path:packages/solidity/aitbc-token]) (push) Successful in 29s
Details
Python Tests / test-python (push) Successful in 1m20s
Details
Rust ZK Components Tests / test-rust-zk (push) Successful in 55s
Details
Smart Contract Tests / test-solidity (map[name:aitbc-token path:packages/solidity/aitbc-token]) (push) Successful in 14s
Details
Security Scanning / security-scan (push) Successful in 1m5s
Details
Smart Contract Tests / test-solidity (map[name:zk-circuits path:apps/zk-circuits]) (push) Successful in 52s
Details
Systemd Sync / sync-systemd (push) Successful in 4s
Details
Smart Contract Tests / lint-solidity (push) Successful in 59s
Details
refactor: full rewrite of all CI workflows for Gitea runner 
TOTAL: 3524 → 924 lines (74% reduction)

Per-file changes:
- api-endpoint-tests.yml:    548 →  63 lines (-88%)
- package-tests.yml:        1014 → 149 lines (-85%)
- integration-tests.yml:     561 → 100 lines (-82%)
- python-tests.yml:          290 →  77 lines (-73%)
- smart-contract-tests.yml:  290 → 105 lines (-64%)
- systemd-sync.yml:          192 →  86 lines (-55%)
- cli-level1-tests.yml:      180 →  66 lines (-63%)
- security-scanning.yml:     137 →  72 lines (-47%)
- rust-zk-tests.yml:         112 →  69 lines (-38%)
- docs-validation.yml:       104 →  72 lines (-31%)
- js-sdk-tests.yml:           97 →  65 lines (-33%)

Fixes applied:
1. Concurrency groups: all 7 workflows shared 'ci-workflows' group
   (they cancelled each other). Now each has unique group.
2. Removed all actions/checkout@v4 usage (not available on Gitea runner)
   → replaced with git clone http://gitea.bubuit.net:3000/oib/aitbc.git
3. Removed all sudo usage (Debian root environment)
4. Fixed wrong ports: wallet 8002→8003, RPC 8545→8006
5. External workspaces: /opt/aitbc/*-workspace → /var/lib/aitbc-workspaces/
6. Extracted 274 echo'd Python lines → scripts/ci/test_api_endpoints.py
7. Removed dead CLI test code (tests were skipped entirely)
8. Moved aitbc.code-workspace out of workflows directory
9. Added --depth 1 to all git clones for speed
10. Added cleanup steps to all workflows

New files:
- scripts/ci/clone-repo.sh: reusable clone helper
- scripts/ci/test_api_endpoints.py: extracted API test script
2026-03-29 12:34:15 +02:00

73 lines
2.4 KiB
YAML
Raw Blame History

name: Security Scanning
on:
push:
branches: [main, develop]
paths:
- 'apps/**'
- 'packages/**'
- 'cli/**'
- '.gitea/workflows/security-scanning.yml'
pull_request:
branches: [main, develop]
schedule:
- cron: '0 3 * * 1'
workflow_dispatch:
concurrency:
group: security-scanning-${{ github.ref }}
cancel-in-progress: true
jobs:
security-scan:
runs-on: debian
timeout-minutes: 15
steps:
- name: Clone repository
run: |
WORKSPACE="/var/lib/aitbc-workspaces/security-scan"
rm -rf "$WORKSPACE"
mkdir -p "$WORKSPACE"
cd "$WORKSPACE"
git clone --depth 1 http://gitea.bubuit.net:3000/oib/aitbc.git repo
- name: Setup tools
run: |
cd /var/lib/aitbc-workspaces/security-scan/repo
python3 -m venv venv
source venv/bin/activate
pip install -q bandit safety pip-audit
echo "✅ Security tools installed"
- name: Python dependency audit
run: |
cd /var/lib/aitbc-workspaces/security-scan/repo
source venv/bin/activate
echo "=== Dependency Audit ==="
pip-audit -r requirements.txt --desc 2>/dev/null || echo "⚠️ Some vulnerabilities found"
echo "✅ Dependency audit completed"
- name: Bandit security scan
run: |
cd /var/lib/aitbc-workspaces/security-scan/repo
source venv/bin/activate
echo "=== Bandit Security Scan ==="
bandit -r apps/ packages/py/ cli/ \
-s B101,B311 \
--severity-level medium \
-f txt -q 2>/dev/null || echo "⚠️ Bandit findings"
echo "✅ Bandit scan completed"
- name: Check for secrets
run: |
cd /var/lib/aitbc-workspaces/security-scan/repo
echo "=== Secret Detection ==="
# Simple pattern check for leaked secrets
grep -rn "PRIVATE_KEY\s*=\s*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" && echo "⚠️ Possible secrets found" || echo "✅ No secrets detected"
grep -rn "password\s*=\s*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" | head -5 && echo "⚠️ Possible hardcoded passwords" || echo "✅ No hardcoded passwords"
- name: Cleanup
if: always()
run: rm -rf /var/lib/aitbc-workspaces/security-scan
Reference in New Issue View Git Blame Copy Permalink