Update action.yaml #75
| name: Validate Contributions | |
| on: | |
| workflow_dispatch: {} | |
| push: | |
| branches: [main] | |
| pull_request: | |
| # Removed path filters so it runs on all PRs in the nod repo | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| quality-gate: | |
| name: Transparency Standard Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| # 1. Generate SARIF (Soft Fail) | |
| - name: Run nod (Generate SARIF) | |
| uses: ./ # Points to the local action in this repo | |
| continue-on-error: true | |
| with: | |
| target: 'examples/spec_compliant.md' # Validates the known good example | |
| rules: 'defaults/' # Uses the built-in rule packs | |
| strict: 'true' | |
| min_severity: 'HIGH' | |
| output_format: 'sarif' | |
| output_file: 'nod-results.sarif' | |
| # 2. Generate JSON (Soft Fail) | |
| - name: Generate JSON Attestation | |
| uses: ./ | |
| continue-on-error: true | |
| with: | |
| target: 'examples/spec_compliant.md' | |
| rules: 'defaults/' | |
| strict: 'true' | |
| min_severity: 'HIGH' | |
| output_format: 'json' | |
| output_file: 'nod-attestation.json' | |
| # 3. NEW: Print the JSON to the logs for immediate visibility | |
| - name: Print JSON Context for Agents | |
| run: | | |
| echo "::group::Full JSON Attestation" | |
| cat nod-attestation.json || echo "JSON file not found" | |
| echo "::endgroup::" | |
| # 4. Upload SARIF to Security Tab | |
| - name: Upload SARIF Results | |
| uses: github/codeql-action/upload-sarif@v4 | |
| continue-on-error: true # Ensure upload doesn't block the rest if it fails | |
| with: | |
| sarif_file: nod-results.sarif | |
| # 5. Upload JSON to Artifacts (Explicitly Always) | |
| - name: Upload Attestation Artifact | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: nod-attestation | |
| path: nod-attestation.json | |
| retention-days: 5 | |
| # 6. FINAL GATEKEEPER (Hard Fail) | |
| - name: Gatekeeper Check | |
| uses: ./ | |
| with: | |
| target: 'examples/spec_compliant.md' | |
| rules: 'defaults/' | |
| strict: 'true' | |
| min_severity: 'HIGH' |
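Review bot: The three external actions are referenced by mutable tags (`actions/checkout@v4`, `github/codeql-action/upload-sarif@v4`, `actions/upload-artifact@v4`) in a job that holds `security-events: write`, so whatever a tag points to at run time executes with that permission; pin each to a full commit SHA, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA>  # v4`. The Checkout Code step also leaves the token in the local git config by default, while the following `uses: ./` steps execute action code from the checked-out ref on every pull request, so `persist-credentials: false` under a `with:` on that step is a cheap hardening. Separately, `continue-on-error: true` on both the SARIF generation and the SARIF upload means a failed scan or upload looks the same in the Security tab as a clean one; a comment above Upload SARIF Results stating that Gatekeeper Check is the only enforcing step would make that explicit. The page shows no added/removed markers, so these points apply to the file as displayed, and the Gatekeeper step may continue past the last visible line.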