molecule-ai/molecule-core
38
0
Fork 2
Code Issues 23 Pull Requests 8 Actions 65 Packages Projects Releases Wiki Activity
fix/a2a-push-mode-queue-envelope
molecule-core/.github/workflows/secret-pattern-drift.yml
Molecule AI Core-DevOps 03689e3d9a
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
Details
sop-tier-check / tier-check (pull_request) Successful in 5s
Details
audit-force-merge / audit (pull_request) Successful in 6s
Details
ci: pin GitHub Actions by SHA instead of mutable tags 
- actions/checkout@v6 → @de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2)
  in secret-pattern-drift.yml
- pypa/gh-action-pypi-publish@release/v1 →
  @cef221092ed1bacb1cc03d23a2d87d1d172e277b in publish-runtime.yml

Mutable action tags (e.g. @v6, @release/v1) can silently resolve to
different code over time, creating supply-chain risk. SHA-pinning
ensures the exact commit runs every time. Workspace Dockerfile was
already compliant (python:3.11-slim@sha256:...).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 07:55:39 +00:00

59 lines
2.1 KiB
YAML
Raw Permalink Blame History

name: SECRET_PATTERNS drift lint
# Detects when the canonical SECRET_PATTERNS array in
# .github/workflows/secret-scan.yml diverges from known consumer
# mirrors (workspace-runtime's bundled pre-commit hook today; more
# can be added as the consumer set grows).
#
# Why this exists: every side that scans for credentials has its own
# copy of the pattern list. They drift — most recently the runtime
# hook lagged the canonical by one pattern (sk-cp- / MiniMax F1088),
# so a developer's local pre-commit would let a sk-cp- token through
# while the org-wide CI scan would refuse it. The cost of that drift
# is dev confusion + delayed feedback; the fix is automated detection.
#
# Triggers:
# - schedule: daily 05:00 UTC. Catches drift introduced by edits
# to a consumer copy that didn't update canonical here.
# - push to main/staging where the canonical or this lint changed:
# catches the inverse — canonical updated but consumers not yet
# bumped. The lint will fail the push; that's intentional, the
# person editing canonical is the right person to also update
# the consumer.
# - workflow_dispatch: ad-hoc operator runs.
on:
schedule:
# 05:00 UTC = 22:00 PT / 01:00 ET. Quiet hours so a failure
# email lands when humans are starting their day, not
# interrupting it.
- cron: "0 5 * * *"
push:
branches: [main, staging]
paths:
- ".github/workflows/secret-scan.yml"
- ".github/workflows/secret-pattern-drift.yml"
- ".github/scripts/lint_secret_pattern_drift.py"
- ".githooks/pre-commit"
workflow_dispatch:
# GITHUB_TOKEN scoped to read-only. The lint only does git checkout
# + HTTPS GETs to public consumer files; no writes to anything.
permissions:
contents: read
jobs:
lint:
name: Detect SECRET_PATTERNS drift
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.11"
- name: Run drift lint
run: python3 .github/scripts/lint_secret_pattern_drift.py
Reference in New Issue View Git Blame Copy Permalink