From af464ee9c8cbe79dff15f512274601bc6cd9ac1e Mon Sep 17 00:00:00 2001
From: nocoo
Date: Thu, 16 Apr 2026 06:13:32 +0800
Subject: [PATCH 1/7] ci: add GitHub Actions CI workflow
Run Swift tests on macOS and cli/guardian bun tests on Ubuntu for push, PR, and manual dispatch on main branch.
---
 .github/workflows/ci.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/ci.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..1d5e7fc
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,27 @@
+name: CI
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ workflow_dispatch:
+jobs:
+ swift-tests:
+ runs-on: macos-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Swift Test
+ run: swift test
+ quality:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: oven-sh/setup-bun@v2
+ - name: Install CLI deps
+ run: cd cli && bun install
+ - name: Test CLI
+ run: cd cli && bun test
+ - name: Install Guardian deps
+ run: cd guardian && bun install
+ - name: Test Guardian
+ run: cd guardian && bun test
From dd90d4b4574494759ffe4f3e64585c8d914962e9 Mon Sep 17 00:00:00 2001
From: nocoo
Date: Thu, 16 Apr 2026 06:14:03 +0800
Subject: [PATCH 2/7] ci: add coverage thresholds for cli and guardian
Add bunfig.toml to cli/ and guardian/ with 50% line and function coverage thresholds enforced by bun test. Enable Swift code coverage in CI workflow.
---
 .github/workflows/ci.yml | 4 ++--
 cli/bunfig.toml | 4 ++++
 guardian/bunfig.toml | 4 ++++
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 cli/bunfig.toml
 create mode 100644 guardian/bunfig.toml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1d5e7fc..cd4cd60 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
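Review bot: The new workflow has no `permissions:` block, so both jobs run with the repository's default GITHUB_TOKEN scope, and `actions/checkout@v4` / `oven-sh/setup-bun@v2` are pinned to mutable major tags rather than commit SHAs, which is the usual supply-chain weak spot in a workflow that does nothing but test. Nothing in either job needs write access, so add a top-level `permissions:` with `contents: read` and pin each `uses:` to a full commit SHA with the tag kept in a trailing comment. The `bun install` steps also run without `--frozen-lockfile`, so CI can resolve versions that differ from whatever lockfile is committed; `run: cd cli && bun install --frozen-lockfile` makes the install fail loudly instead of drifting.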
@@ -10,8 +10,8 @@ jobs:
 runs-on: macos-latest
 steps:
 - uses: actions/checkout@v4
- - name: Swift Test
- run: swift test
+ - name: Swift Test with Coverage
+ run: swift test --enable-code-coverage
 quality:
 runs-on: ubuntu-latest
 steps:
diff --git a/cli/bunfig.toml b/cli/bunfig.toml
new file mode 100644
index 0000000..3b298a8
--- /dev/null
+++ b/cli/bunfig.toml
@@ -0,0 +1,4 @@
+[test]
+coverageThreshold = { line = 50.0, function = 50.0 }
+coverage = true
+coverageSkipTestFiles = true
diff --git a/guardian/bunfig.toml b/guardian/bunfig.toml
new file mode 100644
index 0000000..3b298a8
--- /dev/null
+++ b/guardian/bunfig.toml
@@ -0,0 +1,4 @@
+[test]
+coverageThreshold = { line = 50.0, function = 50.0 }
+coverage = true
+coverageSkipTestFiles = true
From e28f52e18cae2ea6dad9affc7b236684140e1596 Mon Sep 17 00:00:00 2001
From: nocoo
Date: Thu, 16 Apr 2026 06:14:58 +0800
Subject: [PATCH 3/7] lint: enforce strict zero-warning lint policy
Add --error-on-warnings to biome check in hooks and CI. Enable formatter and import organization in biome configs. SwiftLint already uses --strict mode.
---
 .github/workflows/ci.yml | 4 ++++
 .husky/pre-commit | 4 ++--
 .husky/pre-push | 4 ++--
 cli/biome.json | 6 ++++++
 guardian/biome.json | 6 ++++++
 5 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cd4cd60..996aaaa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,3 +25,7 @@ jobs:
 run: cd guardian && bun install
 - name: Test Guardian
 run: cd guardian && bun test
+ - name: Lint CLI
+ run: cd cli && bunx biome check --error-on-warnings .
+ - name: Lint Guardian
+ run: cd guardian && bunx biome check --error-on-warnings .
diff --git a/.husky/pre-commit b/.husky/pre-commit
index 624a245..fd000d4 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
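Review bot: `swift test --enable-code-coverage` only makes the test run write a coverage profile; nothing later in the job reads it or applies a threshold, so unlike the bun side this step gates nothing and the extra instrumentation just slows the macOS job. Either follow it with a step that reports the profile and fails below a bar, or leave the flag out until something consumes it. The step name "Swift Test with Coverage" otherwise suggests an enforcement that does not exist.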
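Review bot: Bun documents `coverageThreshold` values as fractions between 0 and 1 (for example `line = 0.5`), not percentages, so `coverageThreshold = { line = 50.0, function = 50.0 }` may be an unreachable bar that makes every `bun test` run fail as soon as `coverage = true` takes effect; confirm against the Bun version the project uses. If that reading is right the line should be `coverageThreshold = { line = 0.5, function = 0.5 }`. The same values are written to guardian/bunfig.toml in this commit.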
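Review bot: `bunx biome check` resolves the tool from the package's own `node_modules` only when `@biomejs/biome` is a declared dependency; otherwise bunx fetches the latest published version at run time, so whether these two lint steps run a pinned tool depends on cli/package.json and guardian/package.json, which are not visible here. If it is not declared, add it as a devDependency in both packages so the lockfile fixes the version, which also covers the identical hook lines in .husky/pre-commit and .husky/pre-push. As a point of style only, the lint steps are appended after the install and test steps; placing them first fails faster on the cheapest check.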
@@ -14,7 +14,7 @@ echo "=== L2: Swift Lint ==="
 swiftlint lint --strict --quiet
 echo "=== L2: TS Lint ==="
-cd cli && bunx biome check . && cd ..
-cd guardian && bunx biome check . && cd ..
+cd cli && bunx biome check --error-on-warnings . && cd ..
+cd guardian && bunx biome check --error-on-warnings . && cd ..
 echo "✓ pre-commit passed"
diff --git a/.husky/pre-push b/.husky/pre-push
index 314e87d..7257e9b 100755
--- a/.husky/pre-push
+++ b/.husky/pre-push
@@ -14,8 +14,8 @@ echo "=== L2: Swift Lint ==="
 swiftlint lint --strict --quiet
 echo "=== L2: TS Lint ==="
-cd cli && bunx biome check . && cd ..
-cd guardian && bunx biome check . && cd ..
+cd cli && bunx biome check --error-on-warnings . && cd ..
+cd guardian && bunx biome check --error-on-warnings . && cd ..
 echo "=== L3: Integration Tests ==="
 if [ -f scripts/integration-test.sh ]; then
diff --git a/cli/biome.json b/cli/biome.json
index 55e2da4..f7367e2 100644
--- a/cli/biome.json
+++ b/cli/biome.json
@@ -4,5 +4,11 @@
 "rules": {
 "recommended": true
 }
+ },
+ "formatter": {
+ "enabled": true
+ },
+ "organizeImports": {
+ "enabled": true
 }
 }
diff --git a/guardian/biome.json b/guardian/biome.json
index 55e2da4..f7367e2 100644
--- a/guardian/biome.json
+++ b/guardian/biome.json
@@ -4,5 +4,11 @@
 "rules": {
 "recommended": true
 }
+ },
+ "formatter": {
+ "enabled": true
+ },
+ "organizeImports": {
+ "enabled": true
 }
 }
From 88ca33b39d2c73bddb149d49ef24b0d1dfbde0de Mon Sep 17 00:00:00 2001
From: nocoo
Date: Thu, 16 Apr 2026 06:15:42 +0800
Subject: [PATCH 4/7] security: add gitleaks and osv-scanner configs
Add .gitleaks.toml for secret scanning with allowlisted build artifacts, and osv-scanner.toml pointing to all lockfiles for dependency vulnerability scanning.
---
 .gitleaks.toml | 14 ++++++++++++++
 osv-scanner.toml | 11 +++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 .gitleaks.toml
 create mode 100644 osv-scanner.toml
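Review bot: `cd cli && bunx biome check --error-on-warnings . && cd ..` only returns to the repo root when the check passes; whether a failing check aborts the hook depends on a `set -e` at the top of the script, which is outside this hunk, and without it the next line's `cd guardian` runs from inside `cli/` and the hook goes on with the wrong working directory. Running each check in a subshell removes that coupling and drops the trailing `cd ..`: `(cd cli && bunx biome check --error-on-warnings .)` and `(cd guardian && bunx biome check --error-on-warnings .)`. The same two lines appear in the .husky/pre-push hunk below.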
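Review bot: The top-level `organizeImports` key added here is the Biome 1.x location; Biome 2 moved that setting under `assist.actions.source.organizeImports` and may reject the old key as unknown, so which form is valid depends on the pinned Biome version, which is not visible in this diff. Confirm the version (or run `biome migrate`) before relying on `biome check` in the hooks and CI, since an unknown-key error would fail every run rather than lint anything. The identical block is added to guardian/biome.json in this commit.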
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..3bde0aa
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,14 @@
+# Gitleaks configuration for Codo
+# https://github.com/gitleaks/gitleaks
+
+title = "Codo Gitleaks Config"
+
+[allowlist]
+ description = "Global allowlist"
+ paths = [
+ '''(^|/)\.build/''',
+ '''(^|/)node_modules/''',
+ '''(^|/)bun\.lock$''',
+ '''\.png$''',
+ '''\.icns$''',
+ ]
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 0000000..754eeb0
--- /dev/null
+++ b/osv-scanner.toml
@@ -0,0 +1,11 @@
+# OSV-Scanner configuration for Codo
+# https://google.github.io/osv-scanner/
+
+[[PackageLockfileConfig]]
+ Lockfile = "cli/bun.lock"
+
+[[PackageLockfileConfig]]
+ Lockfile = "guardian/bun.lock"
+
+[[PackageLockfileConfig]]
+ Lockfile = "Package.resolved"
From cb77a71de00423ad991c0e81229a6bc074834429 Mon Sep 17 00:00:00 2001
From: nocoo
Date: Thu, 16 Apr 2026 07:12:43 +0800
Subject: [PATCH 5/7] fix(ci): enforce security scanning and fix osv-scanner lockfile targets
- Add gitleaks and osv-scanner CI steps to enforce security configs
- Remove non-existent cli/bun.lock and Package.resolved from osv-scanner.toml
- Keep only guardian/bun.lock which has actual dependencies
---
 .github/workflows/ci.yml | 10 ++++++++++
 osv-scanner.toml | 6 ------
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 996aaaa..6059682 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -29,3 +29,13 @@ jobs:
 run: cd cli && bunx biome check --error-on-warnings .
 - name: Lint Guardian
 run: cd guardian && bunx biome check --error-on-warnings .
+ - name: Gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ with:
+ args: --config .gitleaks.toml
+ env:
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+ - name: OSV-Scanner
+ uses: google/osv-scanner-action/osv-scanner-action@v2
+ with:
+ config: osv-scanner.toml
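Review bot: This config defines an `[allowlist]` but no `[[rules]]` and no `[extend]` table; gitleaks documents that a file passed via `--config` replaces the built-in ruleset unless it extends it, so as written the scan would run with zero detection rules and report clean without checking anything. Add `[extend]` with `useDefault = true` above the allowlist so the default rules stay active and the paths below only narrow them. The `title` comment header is fine; a one-line comment on the `[allowlist]` saying these are build outputs and binary assets, not source, would explain why they are safe to skip.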
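Review bot: `[[PackageLockfileConfig]]` with a `Lockfile` key does not match the tables osv-scanner documents for its config file (`IgnoredVulns` and `PackageOverrides`), and unrecognized tables are ignored rather than rejected, so this file most likely selects no lockfiles at all and any scan would find targets only by directory walk or explicit `--lockfile` flags; verify against the osv-scanner version in use. If the intent is just to name lockfiles, the config file is not the mechanism — pass them on the command line and keep this file for ignore and override entries.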
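Review bot: `gitleaks/gitleaks-action@v2` scans the commit range of the triggering event from git history, and its README pairs it with `actions/checkout` using `fetch-depth: 0`; the checkout step for this job is outside the hunk and, as added in the first commit, uses the default shallow depth, so the scan may see only the tip commit rather than the pushed range. Both scanners are also appended after the test and lint steps of the `quality` job, so any test failure prevents the secret and dependency scans from running at all. A separate `security` job with its own `actions/checkout@v4` step carrying `fetch-depth: 0` keeps the scans independent of test results and lets `permissions:` be scoped per job.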
diff --git a/osv-scanner.toml b/osv-scanner.toml index 754eeb0..911b1f0 100644 --- a/osv-scanner.toml +++ b/osv-scanner.toml @@ -1,11 +1,5 @@ # OSV-Scanner configuration for Codo # https://google.github.io/osv-scanner/ -[[PackageLockfileConfig]] - Lockfile = "cli/bun.lock" - [[PackageLockfileConfig]] Lockfile = "guardian/bun.lock" - -[[PackageLockfileConfig]] - Lockfile = "Package.resolved" From 21f8a0d10a8d1b808f85a876384119702dba3e81 Mon Sep 17 00:00:00 2001 From: nocoo Date: Thu, 16 Apr 2026 07:21:55 +0800 Subject: [PATCH 6/7] fix(ci): track guardian/bun.lock so OSV scanner finds its target Un-ignore guardian/bun.lock in .gitignore and commit the generated lockfile. The osv-scanner.toml config references this path; without the file in the repo the scan relies on CI regenerating it first. --- .gitignore | 1 + guardian/bun.lock | 96 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 guardian/bun.lock diff --git a/.gitignore b/.gitignore index 6de669a..20e0262 100644 --- a/.gitignore +++ b/.gitignore @@ -7,4 +7,5 @@ DerivedData/ Package.resolved node_modules/ bun.lock +!guardian/bun.lock .superset/ diff --git a/guardian/bun.lock b/guardian/bun.lock new file mode 100644 index 0000000..9367e4a --- /dev/null +++ b/guardian/bun.lock 
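Review bot: `!guardian/bun.lock` re-includes one lockfile while the global `bun.lock` pattern above it keeps every other one out of the repo, so `cli/bun.lock` stays unversioned and the CI `bun install` for cli resolves dependency versions fresh on every run, with nothing to pin or to scan. The previous commit's message says cli currently has no dependencies, but the ignore rule will apply silently the moment one is added. Committing lockfiles is the norm for an application repo: removing the `bun.lock` line (and `Package.resolved`, which this context shows is also ignored) and installing with `bun install --frozen-lockfile` in CI is the reproducible option and makes the carve-out unnecessary.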
@@ -0,0 +1,96 @@ +{ + "lockfileVersion": 1, + "configVersion": 1, + "workspaces": { + "": { + "name": "codo-guardian", + "devDependencies": { + "@anthropic-ai/sdk": "^0.80.0", + "openai": "^4.70.0", + }, + }, + }, + "packages": { + "@anthropic-ai/sdk": ["@anthropic-ai/sdk@0.80.0", "", { "dependencies": { "json-schema-to-ts": "^3.1.1" }, "peerDependencies": { "zod": "^3.25.0 || ^4.0.0" }, "optionalPeers": ["zod"], "bin": { "anthropic-ai-sdk": "bin/cli" } }, "sha512-WeXLn7zNVk3yjeshn+xZHvld6AoFUOR3Sep6pSoHho5YbSi6HwcirqgPA5ccFuW8QTVJAAU7N8uQQC6Wa9TG+g=="], + + "@babel/runtime": ["@babel/runtime@7.29.2", "", {}, "sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g=="], + + "@types/node": ["@types/node@18.19.130", "", { "dependencies": { "undici-types": "~5.26.4" } }, "sha512-GRaXQx6jGfL8sKfaIDD6OupbIHBr9jv7Jnaml9tB7l4v068PAOXqfcujMMo5PhbIs6ggR1XODELqahT2R8v0fg=="], + + "@types/node-fetch": ["@types/node-fetch@2.6.13", "", { "dependencies": { "@types/node": "*", "form-data": "^4.0.4" } }, "sha512-QGpRVpzSaUs30JBSGPjOg4Uveu384erbHBoT1zeONvyCfwQxIkUshLAOqN/k9EjGviPRmWTTe6aH2qySWKTVSw=="], + + "abort-controller": ["abort-controller@3.0.0", "", { "dependencies": { "event-target-shim": "^5.0.0" } }, "sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg=="], + + "agentkeepalive": ["agentkeepalive@4.6.0", "", { "dependencies": { "humanize-ms": "^1.2.1" } }, "sha512-kja8j7PjmncONqaTsB8fQ+wE2mSU2DJ9D4XKoJ5PFWIdRMa6SLSN1ff4mOr4jCbfRSsxR4keIiySJU0N9T5hIQ=="], + + "asynckit": ["asynckit@0.4.0", "", {}, "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q=="], + + "call-bind-apply-helpers": ["call-bind-apply-helpers@1.0.2", "", { "dependencies": { "es-errors": "^1.3.0", "function-bind": "^1.1.2" } }, "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ=="], + + "combined-stream": ["combined-stream@1.0.8", "", { 
"dependencies": { "delayed-stream": "~1.0.0" } }, "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg=="], + + "delayed-stream": ["delayed-stream@1.0.0", "", {}, "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ=="], + + "dunder-proto": ["dunder-proto@1.0.1", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.1", "es-errors": "^1.3.0", "gopd": "^1.2.0" } }, "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A=="], + + "es-define-property": ["es-define-property@1.0.1", "", {}, "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g=="], + + "es-errors": ["es-errors@1.3.0", "", {}, "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw=="], + + "es-object-atoms": ["es-object-atoms@1.1.1", "", { "dependencies": { "es-errors": "^1.3.0" } }, "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA=="], + + "es-set-tostringtag": ["es-set-tostringtag@2.1.0", "", { "dependencies": { "es-errors": "^1.3.0", "get-intrinsic": "^1.2.6", "has-tostringtag": "^1.0.2", "hasown": "^2.0.2" } }, "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA=="], + + "event-target-shim": ["event-target-shim@5.0.1", "", {}, "sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ=="], + + "form-data": ["form-data@4.0.5", "", { "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", "es-set-tostringtag": "^2.1.0", "hasown": "^2.0.2", "mime-types": "^2.1.12" } }, "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w=="], + + "form-data-encoder": ["form-data-encoder@1.7.2", "", {}, "sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A=="], + + "formdata-node": 
["formdata-node@4.4.1", "", { "dependencies": { "node-domexception": "1.0.0", "web-streams-polyfill": "4.0.0-beta.3" } }, "sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ=="], + + "function-bind": ["function-bind@1.1.2", "", {}, "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA=="], + + "get-intrinsic": ["get-intrinsic@1.3.0", "", { "dependencies": { "call-bind-apply-helpers": "^1.0.2", "es-define-property": "^1.0.1", "es-errors": "^1.3.0", "es-object-atoms": "^1.1.1", "function-bind": "^1.1.2", "get-proto": "^1.0.1", "gopd": "^1.2.0", "has-symbols": "^1.1.0", "hasown": "^2.0.2", "math-intrinsics": "^1.1.0" } }, "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ=="], + + "get-proto": ["get-proto@1.0.1", "", { "dependencies": { "dunder-proto": "^1.0.1", "es-object-atoms": "^1.0.0" } }, "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g=="], + + "gopd": ["gopd@1.2.0", "", {}, "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg=="], + + "has-symbols": ["has-symbols@1.1.0", "", {}, "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ=="], + + "has-tostringtag": ["has-tostringtag@1.0.2", "", { "dependencies": { "has-symbols": "^1.0.3" } }, "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw=="], + + "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="], + + "humanize-ms": ["humanize-ms@1.2.1", "", { "dependencies": { "ms": "^2.0.0" } }, "sha512-Fl70vYtsAFb/C06PTS9dZBo7ihau+Tu/DNCk/OyHhea07S+aeMWpFFkUaXRa8fI+ScZbEI8dfSxwY7gxZ9SAVQ=="], + + "json-schema-to-ts": ["json-schema-to-ts@3.1.1", "", { "dependencies": { "@babel/runtime": "^7.18.3", 
"ts-algebra": "^2.0.0" } }, "sha512-+DWg8jCJG2TEnpy7kOm/7/AxaYoaRbjVB4LFZLySZlWn8exGs3A4OLJR966cVvU26N7X9TWxl+Jsw7dzAqKT6g=="], + + "math-intrinsics": ["math-intrinsics@1.1.0", "", {}, "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g=="], + + "mime-db": ["mime-db@1.52.0", "", {}, "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg=="], + + "mime-types": ["mime-types@2.1.35", "", { "dependencies": { "mime-db": "1.52.0" } }, "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw=="], + + "ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="], + + "node-domexception": ["node-domexception@1.0.0", "", {}, "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ=="], + + "node-fetch": ["node-fetch@2.7.0", "", { "dependencies": { "whatwg-url": "^5.0.0" }, "peerDependencies": { "encoding": "^0.1.0" }, "optionalPeers": ["encoding"] }, "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A=="], + + "openai": ["openai@4.104.0", "", { "dependencies": { "@types/node": "^18.11.18", "@types/node-fetch": "^2.6.4", "abort-controller": "^3.0.0", "agentkeepalive": "^4.2.1", "form-data-encoder": "1.7.2", "formdata-node": "^4.3.2", "node-fetch": "^2.6.7" }, "peerDependencies": { "ws": "^8.18.0", "zod": "^3.23.8" }, "optionalPeers": ["ws", "zod"], "bin": { "openai": "bin/cli" } }, "sha512-p99EFNsA/yX6UhVO93f5kJsDRLAg+CTA2RBqdHK4RtK8u5IJw32Hyb2dTGKbnnFmnuoBv5r7Z2CURI9sGZpSuA=="], + + "tr46": ["tr46@0.0.3", "", {}, "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="], + + "ts-algebra": ["ts-algebra@2.0.0", "", {}, "sha512-FPAhNPFMrkwz76P7cdjdmiShwMynZYN6SgOujD1urY4oNm80Ou9oMdmbR45LotcKOXoy7wSmHkRFE6Mxbrhefw=="], + + "undici-types": ["undici-types@5.26.5", "", {}, 
"sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="], + + "web-streams-polyfill": ["web-streams-polyfill@4.0.0-beta.3", "", {}, "sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug=="], + + "webidl-conversions": ["webidl-conversions@3.0.1", "", {}, "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="], + + "whatwg-url": ["whatwg-url@5.0.0", "", { "dependencies": { "tr46": "~0.0.3", "webidl-conversions": "^3.0.0" } }, "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw=="], + } +} From 0c3d353d410e355fd055ca32333de7f82f0e8f57 Mon Sep 17 00:00:00 2001 From: nocoo Date: Thu, 16 Apr 2026 07:36:37 +0800 Subject: [PATCH 7/7] fix(ci): replace GH Actions security scanners with CLI-based binaries --- .github/workflows/ci.yml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6059682..25e715c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -30,12 +30,16 @@ jobs:
 - name: Lint Guardian
 run: cd guardian && bunx biome check --error-on-warnings .
 - name: Gitleaks
- uses: gitleaks/gitleaks-action@v2
- with:
- args: --config .gitleaks.toml
- env:
- GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+ run: |
+ GITLEAKS_VERSION="8.22.1"
+ curl -sSfL -o /tmp/gitleaks.tar.gz \
+ "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+ tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
+ gitleaks detect --config .gitleaks.toml --source . -v --no-banner
 - name: OSV-Scanner
- uses: google/osv-scanner-action/osv-scanner-action@v2
- with:
- config: osv-scanner.toml
+ run: |
+ OSV_VERSION="2.3.5"
+ curl -sSfL -o /usr/local/bin/osv-scanner \
+ "https://github.com/google/osv-scanner/releases/download/v${OSV_VERSION}/osv-scanner_linux_amd64"
+ chmod +x /usr/local/bin/osv-scanner
+ osv-scanner scan --lockfile=cli/bun.lock --lockfile=guardian/bun.lock --config=osv-scanner.toml || true
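Review bot: The `|| true` on the final `osv-scanner scan` line means the dependency scan can never fail the job, which undoes the "enforce" intent of the earlier commit and also hides that `--lockfile=cli/bun.lock` names a file the repository's `.gitignore` still excludes (only `guardian/bun.lock` is re-included), so that argument errors on every run. Both tools are downloaded with curl and executed with no integrity check, so a substituted release asset would run with the full checkout available to it; gitleaks and osv-scanner publish checksums for their release files, so pin the expected sha256 beside each version and verify before extracting or executing. `gitleaks detect -v` also prints matched secret values into the job log, which is itself a leak on a public repo; `--redact` keeps the finding and drops the value. Finally, `gitleaks detect --source .` only sees the commits the checkout fetched; the checkout step is outside this hunk, so confirm it uses `fetch-depth: 0` if history scanning is the goal.
```yaml
      - name: Gitleaks
        run: |
          GITLEAKS_VERSION="8.22.1"
          GITLEAKS_SHA256="<PLACEHOLDER: sha256 of gitleaks_8.22.1_linux_x64.tar.gz from the release checksums file>"
          # … unchanged: curl download to /tmp/gitleaks.tar.gz …
          echo "${GITLEAKS_SHA256}  /tmp/gitleaks.tar.gz" | sha256sum -c -
          tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
          gitleaks detect --config .gitleaks.toml --source . -v --redact --no-banner
      - name: OSV-Scanner
        run: |
          OSV_VERSION="2.3.5"
          OSV_SHA256="<PLACEHOLDER: sha256 of osv-scanner_linux_amd64 from the release checksums file>"
          # … unchanged: curl download to /usr/local/bin/osv-scanner …
          echo "${OSV_SHA256}  /usr/local/bin/osv-scanner" | sha256sum -c -
          chmod +x /usr/local/bin/osv-scanner
          osv-scanner scan --lockfile=guardian/bun.lock --config=osv-scanner.toml
```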