chore: drop * wildcard from CODEOWNERS to stop Dependabot review pings
#473
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-License-Identifier: MPL-2.0 | |
| # Hypatia Neurosymbolic CI/CD Security Scan | |
| name: Hypatia Security Scan | |
| on: | |
| push: | |
| branches: [ main, master, develop ] | |
| pull_request: | |
| branches: [ main, master ] | |
| schedule: | |
| - cron: '0 0 * * 0' # Weekly on Sunday | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| security-events: read # Hypatia queries Dependabot alerts via the GraphQL API | |
| jobs: | |
| scan: | |
| name: Hypatia Neurosymbolic Analysis | |
| runs-on: ubuntu-latest | |
| env: | |
| # Hypatia's CLI calls `gh api` for Dependabot alert lookups; without this | |
| # env var it logs "Dependabot alerts unavailable: GITHUB_TOKEN not set". | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 # Full history for better pattern analysis | |
| - name: Setup Elixir for Hypatia scanner | |
| uses: erlef/setup-beam@e6d7c94229049569db56a7ad5a540c051a010af9 # v1.18.2 | |
| with: | |
| elixir-version: '1.19.4' | |
| otp-version: '28.3' | |
| - name: Clone Hypatia | |
| id: clone_hypatia | |
| continue-on-error: true | |
| run: | | |
| HYPATIA_DIR="${GITHUB_WORKSPACE}/../hypatia" | |
| if [ ! -d "$HYPATIA_DIR" ]; then | |
| git clone --depth 1 https://github.com/hyperpolymath/hypatia.git "$HYPATIA_DIR" || { | |
| echo "::warning::Hypatia clone failed — scan will be skipped" | |
| exit 0 | |
| } | |
| fi | |
| echo "HYPATIA_DIR=$HYPATIA_DIR" >> "$GITHUB_ENV" | |
| echo "hypatia_ready=true" >> "$GITHUB_OUTPUT" | |
| - name: Build Hypatia scanner (if needed) | |
| if: steps.clone_hypatia.outputs.hypatia_ready == 'true' | |
| id: build_hypatia | |
| continue-on-error: true | |
| run: | | |
| cd "$HYPATIA_DIR" | |
| if [ ! -f hypatia ] && [ ! -f hypatia-v2 ]; then | |
| echo "Building hypatia-v2 scanner..." | |
| mix deps.get --quiet || { echo "::warning::mix deps.get failed"; exit 0; } | |
| mix escript.build || { echo "::warning::mix escript.build failed"; exit 0; } | |
| fi | |
| echo "scanner_ready=true" >> "$GITHUB_OUTPUT" | |
| - name: Run Hypatia scan | |
| id: scan | |
| if: steps.build_hypatia.outputs.scanner_ready == 'true' | |
| run: | | |
| echo "Scanning repository: ${{ github.repository }}" | |
| # Run scanner — failures here must not red the check; scanner-infra | |
| # issues are tracked upstream and surface as a warning instead. | |
| HYPATIA_FORMAT=json "$HYPATIA_DIR/hypatia-cli.sh" scan . > hypatia-findings.json 2>scan-stderr.log || { | |
| echo "::warning::hypatia-cli.sh exited non-zero — see scan-stderr.log" | |
| echo "[]" > hypatia-findings.json | |
| } | |
| # If the scanner wrote something that isn't a JSON array, normalise to []. | |
| if ! jq -e 'type == "array"' hypatia-findings.json >/dev/null 2>&1; then | |
| echo "::warning::hypatia-findings.json is not a JSON array — treating as empty" | |
| echo "[]" > hypatia-findings.json | |
| fi | |
| FINDING_COUNT=$(jq 'length' hypatia-findings.json 2>/dev/null || echo 0) | |
| CRITICAL=$(jq '[.[] | select(.severity == "critical")] | length' hypatia-findings.json 2>/dev/null || echo 0) | |
| HIGH=$(jq '[.[] | select(.severity == "high")] | length' hypatia-findings.json 2>/dev/null || echo 0) | |
| MEDIUM=$(jq '[.[] | select(.severity == "medium")] | length' hypatia-findings.json 2>/dev/null || echo 0) | |
| { | |
| echo "findings_count=$FINDING_COUNT" | |
| echo "critical=$CRITICAL" | |
| echo "high=$HIGH" | |
| echo "medium=$MEDIUM" | |
| } >> "$GITHUB_OUTPUT" | |
| { | |
| echo "## Hypatia Scan Results" | |
| echo "- Total findings: $FINDING_COUNT" | |
| echo "- Critical: $CRITICAL" | |
| echo "- High: $HIGH" | |
| echo "- Medium: $MEDIUM" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| - name: Upload findings artifact | |
| if: steps.build_hypatia.outputs.scanner_ready == 'true' | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: hypatia-findings | |
| path: hypatia-findings.json | |
| retention-days: 90 | |
| - name: Submit findings to gitbot-fleet (Phase 2) | |
| if: steps.scan.outputs.findings_count > 0 | |
| continue-on-error: true | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_REPOSITORY: ${{ github.repository }} | |
| GITHUB_SHA: ${{ github.sha }} | |
| run: | | |
| echo "📤 Submitting ${{ steps.scan.outputs.findings_count }} findings to gitbot-fleet..." | |
| # Clone gitbot-fleet to temp directory. Private repo — if unauthenticated, | |
| # skip with a warning rather than failing the whole workflow. | |
| FLEET_DIR="/tmp/gitbot-fleet-$$" | |
| if ! git clone https://github.com/hyperpolymath/gitbot-fleet.git "$FLEET_DIR" 2>/dev/null; then | |
| echo "::warning::gitbot-fleet clone failed (likely private/no auth) — skipping submission" | |
| exit 0 | |
| fi | |
| # Run submission script | |
| bash "$FLEET_DIR/scripts/submit-finding.sh" "$(pwd)/hypatia-findings.json" || { | |
| echo "::warning::submit-finding.sh failed — see step log" | |
| } | |
| # Cleanup | |
| rm -rf "$FLEET_DIR" | |
| echo "✅ Finding submission complete" | |
| - name: Check for critical issues | |
| if: steps.scan.outputs.critical > 0 | |
| run: | | |
| echo "⚠️ Critical security issues found!" | |
| echo "Review hypatia-findings.json for details" | |
| # Don't fail the build yet - just warn | |
| # exit 1 | |
| - name: Generate scan report | |
| run: | | |
| cat << EOF > hypatia-report.md | |
| # Hypatia Security Scan Report | |
| **Repository:** ${{ github.repository }} | |
| **Scan Date:** $(date -u +"%Y-%m-%d %H:%M:%S UTC") | |
| **Commit:** ${{ github.sha }} | |
| ## Summary | |
| | Severity | Count | | |
| |----------|-------| | |
| | Critical | ${{ steps.scan.outputs.critical }} | | |
| | High | ${{ steps.scan.outputs.high }} | | |
| | Medium | ${{ steps.scan.outputs.medium }} | | |
| | **Total**| ${{ steps.scan.outputs.findings_count }} | | |
| ## Next Steps | |
| 1. Review findings in the artifact: hypatia-findings.json | |
| 2. Auto-fixable issues will be addressed by robot-repo-automaton (Phase 3) | |
| 3. Manual review required for complex issues | |
| ## Learning | |
| These findings feed Hypatia's learning engine to improve future rules. | |
| --- | |
| *Powered by [Hypatia](https://github.com/hyperpolymath/hypatia) - Neurosymbolic CI/CD Intelligence* | |
| EOF | |
| cat hypatia-report.md >> $GITHUB_STEP_SUMMARY | |
| - name: Comment on PR with findings | |
| if: github.event_name == 'pull_request' && steps.scan.outputs.findings_count > 0 | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const findings = JSON.parse(fs.readFileSync('hypatia-findings.json', 'utf8')); | |
| const critical = findings.filter(f => f.severity === 'critical').length; | |
| const high = findings.filter(f => f.severity === 'high').length; | |
| let comment = `## 🔍 Hypatia Security Scan\n\n`; | |
| comment += `**Findings:** ${findings.length} issues detected\n\n`; | |
| comment += `| Severity | Count |\n|----------|-------|\n`; | |
| comment += `| 🔴 Critical | ${critical} |\n`; | |
| comment += `| 🟠 High | ${high} |\n`; | |
| comment += `| 🟡 Medium | ${findings.length - critical - high} |\n\n`; | |
| if (critical > 0) { | |
| comment += `⚠️ **Action Required:** Critical security issues found!\n\n`; | |
| } | |
| comment += `<details><summary>View findings</summary>\n\n`; | |
| comment += `\`\`\`json\n${JSON.stringify(findings.slice(0, 10), null, 2)}\n\`\`\`\n`; | |
| comment += `</details>\n\n`; | |
| comment += `*Powered by Hypatia Neurosymbolic CI/CD Intelligence*`; | |
| github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| body: comment | |
| }); |