elias/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-13 18:00:35 +08:00
Code Issues Packages Projects Releases Wiki Activity
everything-claude-code/scripts/ci/validate-workflow-security.js
Affaan Mustafa 797f283036
ci: require npm audit signature checks 
Require npm registry signature verification wherever workflow npm audit checks run.

- add npm audit signatures to CI Security Scan and maintenance security audit jobs
- teach the workflow security validator to reject npm audit without signature verification
- keep the repair and Copilot prompt tests portable across Windows path/case and CRLF frontmatter behavior

Validation:
- node tests/run-all.js (2376 passed, 0 failed)
- CI current-head matrix green on #1846
2026-05-12 23:48:56 -04:00

178 lines
5.3 KiB
JavaScript
Raw Blame History

#!/usr/bin/env node
/**
* Reject unsafe GitHub Actions patterns that execute or checkout untrusted PR code
* from privileged events such as workflow_run or pull_request_target.
*/
const fs = require('fs');
const path = require('path');
const DEFAULT_WORKFLOWS_DIR = path.join(__dirname, '../../.github/workflows');
const RULES = [
{
event: 'workflow_run',
eventPattern: /\bworkflow_run\s*:/m,
description: 'workflow_run must not checkout an untrusted workflow_run head ref/repository',
expressionPattern: /\$\{\{\s*github\.event\.workflow_run\.(?:head_branch|head_sha|head_repository(?:\.[A-Za-z0-9_.]+)?)\s*\}\}|\$\{\{\s*github\.event\.workflow_run\.pull_requests\[\d+\]\.head\.(?:ref|sha|repo\.full_name)\s*\}\}/g,
},
{
event: 'pull_request_target',
eventPattern: /\bpull_request_target\s*:/m,
description: 'pull_request_target must not checkout an untrusted pull_request head ref/repository',
expressionPattern: /\$\{\{\s*github\.event\.pull_request\.head\.(?:ref|sha|repo\.full_name)\s*\}\}/g,
},
];
const WRITE_PERMISSION_PATTERN = /^\s*(?:contents|issues|pull-requests|actions|checks|deployments|discussions|id-token|packages|pages|repository-projects|security-events|statuses):\s*write\b/m;
const NPM_CI_PATTERN = /\bnpm\s+ci\b(?![^\n]*--ignore-scripts)/g;
const NPM_AUDIT_PATTERN = /\bnpm\s+audit\b(?!\s+signatures\b)/;
const NPM_AUDIT_SIGNATURES_PATTERN = /\bnpm\s+audit\s+signatures\b/;
const ACTIONS_CACHE_PATTERN = /uses:\s*['"]?actions\/cache@/m;
const ID_TOKEN_WRITE_PATTERN = /^\s*id-token:\s*write\b/m;
function getWorkflowFiles(workflowsDir) {
if (!fs.existsSync(workflowsDir)) {
return [];
}
return fs.readdirSync(workflowsDir)
.filter(file => /\.(?:yml|yaml)$/i.test(file))
.map(file => path.join(workflowsDir, file))
.sort();
}
function getLineNumber(source, index) {
return source.slice(0, index).split(/\r?\n/).length;
}
function extractCheckoutSteps(source) {
const blocks = [];
const lines = source.split(/\r?\n/);
let current = null;
for (let i = 0; i < lines.length; i++) {
const line = lines[i];
const stepStart = line.match(/^(\s*)-\s+/);
if (stepStart) {
if (current) {
blocks.push(current);
}
current = {
indent: stepStart[1].length,
startLine: i + 1,
lines: [line],
};
continue;
}
if (current) {
current.lines.push(line);
}
}
if (current) {
blocks.push(current);
}
return blocks
.map(block => ({
startLine: block.startLine,
text: block.lines.join('\n'),
}))
.filter(block => /uses:\s*['"]?actions\/checkout@/m.test(block.text));
}
function findViolations(filePath, source) {
const violations = [];
const checkoutSteps = extractCheckoutSteps(source);
for (const rule of RULES) {
if (!rule.eventPattern.test(source)) {
continue;
}
for (const step of checkoutSteps) {
for (const match of step.text.matchAll(rule.expressionPattern)) {
violations.push({
filePath,
event: rule.event,
description: rule.description,
expression: match[0],
line: step.startLine + getLineNumber(step.text, match.index) - 1,
});
}
}
}
if (WRITE_PERMISSION_PATTERN.test(source)) {
for (const match of source.matchAll(NPM_CI_PATTERN)) {
violations.push({
filePath,
event: 'write-permission install',
description: 'workflows with write permissions must install npm dependencies with --ignore-scripts',
expression: match[0],
line: getLineNumber(source, match.index),
});
}
}
if (ID_TOKEN_WRITE_PATTERN.test(source) && ACTIONS_CACHE_PATTERN.test(source)) {
violations.push({
filePath,
event: 'id-token cache',
description: 'workflows with id-token: write must not restore or save shared dependency caches',
expression: 'id-token: write + actions/cache',
line: getLineNumber(source, source.search(ID_TOKEN_WRITE_PATTERN)),
});
}
if (NPM_AUDIT_PATTERN.test(source) && !NPM_AUDIT_SIGNATURES_PATTERN.test(source)) {
violations.push({
filePath,
event: 'npm audit signatures',
description: 'workflows that run npm audit must also verify registry signatures',
expression: 'npm audit without npm audit signatures',
line: getLineNumber(source, source.search(NPM_AUDIT_PATTERN)),
});
}
return violations;
}
function validateWorkflowSecurity(workflowsDir = DEFAULT_WORKFLOWS_DIR) {
const files = getWorkflowFiles(workflowsDir);
const violations = [];
for (const filePath of files) {
const source = fs.readFileSync(filePath, 'utf8');
violations.push(...findViolations(filePath, source));
}
if (violations.length > 0) {
for (const violation of violations) {
console.error(
`ERROR: ${path.basename(violation.filePath)}:${violation.line} - ${violation.description}`,
);
console.error(` Unsafe expression: ${violation.expression}`);
}
return 1;
}
console.log(`Validated workflow security for ${files.length} workflow files`);
return 0;
}
if (require.main === module) {
process.exit(validateWorkflowSecurity(process.env.ECC_WORKFLOWS_DIR || DEFAULT_WORKFLOWS_DIR));
}
module.exports = {
DEFAULT_WORKFLOWS_DIR,
extractCheckoutSteps,
findViolations,
validateWorkflowSecurity,
};
Reference in New Issue View Git Blame Copy Permalink