Conversation

@zohayb23
Contributor

Adds GitHub Actions CI/CD workflow with automated build, test, security scanning, and multi-platform Docker image publishing.

Workflow runs automatically on push/PR to main or develop.

@kusari-inspector

kusari-inspector bot commented Oct 28, 2025

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While dependency analysis shows no concerning changes, code analysis reveals 11 high-severity security vulnerabilities in GitHub Actions workflows that pose critical risks. The primary concerns are workflow_run triggers across 4 workflows that create attack vectors for malicious code execution, and unpinned GitHub Actions that expose the repository to supply chain attacks. These vulnerabilities could compromise the entire repository and must be remediated before the PR can be safely merged. Specific mitigations have been provided for replacing unsafe triggers and pinning all GitHub Actions to commit hashes.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

Replace workflow_run trigger with safer alternatives to prevent potential security exploits

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

Replace workflow_run trigger with safer alternatives to prevent potential security exploits

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

Replace workflow_run trigger with safer alternatives to prevent potential security exploits

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

Replace workflow_run trigger with safer alternatives to prevent potential security exploits

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

Pin GitHub Action to specific commit hash to prevent supply chain attacks

uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226

Pin GitHub Action to specific commit hash to prevent supply chain attacks

uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d

Pin GitHub Action to specific commit hash to prevent supply chain attacks

uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d

Pin GitHub Action to specific commit hash to prevent supply chain attacks

uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81

Pin GitHub Action to specific commit hash to prevent supply chain attacks

uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56

Pin GitHub Action to specific commit hash to prevent supply chain attacks

uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b9ceecfd3

Pin GitHub Action to specific commit hash to prevent supply chain attacks

uses: securego/gosec@26e57d6b0c4c563f9c6d1ab84e61ec6e1c3c0465

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: d0da0b6, performed at: 2025-11-10T23:22:06Z

@zohayb23 zohayb23 force-pushed the feature/add-comprehensive-cicd-workflow branch from f62feac to 479166b Compare October 28, 2025 18:54
@zohayb23 zohayb23 marked this pull request as ready for review October 28, 2025 18:56
@zohayb23 zohayb23 requested a review from a team as a code owner October 28, 2025 18:56
@jmeridth
Member

Integration test, security scan, and lint could all be their own workflows. Build and test another. And then build binaries and push images. You can set dependencies between workflows if needed. This one file is a little too big for my liking.

Looks good otherwise.

@jmeridth
Member

We already have lint and build workflows. That's what I thought. We could use workflow_run to fire the CD/security stuff when those 2 pass. 🤔

@eddie-knight eddie-knight marked this pull request as draft November 2, 2025 15:44
@zohayb23 zohayb23 self-assigned this Nov 3, 2025
- Add ci-cd.yml workflow with automated build, test, and deployment
- Implement security scanning with Trivy and Gosec
- Add multi-platform binary builds (Linux, macOS, Windows - amd64/arm64)
- Add Docker multi-arch builds with GHCR and Docker Hub support
- Include integration testing and artifact uploads
- Update README with CI/CD information
Security Fixes (Kusari Inspector findings):
- Move permissions from workflow level to individual jobs (least privilege)
- Fix template injection vulnerabilities using environment variables
- Add persist-credentials: false to integration-test checkout
- Add proper permissions to all jobs

Optimizations (ChatGPT suggestions):
- Add id: build to Docker step for attestation digest reference
- Pin action versions: trivy@0.28.0, gosec@v2.21.4 (prevent breaking changes)
- Add concurrency control to cancel old runs on new push
- Add explicit permissions: {} at workflow level for clarity

All 16 high severity Kusari issues resolved.
…dback

Based on Jason's feedback:
- Split large ci-cd.yml into focused workflows
- Use workflow_run to trigger CD/security workflows after build/lint pass
- Reuse existing build.yaml and lint.yaml workflows
- Verify both build and lint pass before triggering CD workflows

New workflows:
- security-scan.yml: Security scanning (Trivy + Gosec)
- build-binaries.yml: Multi-platform binary builds
- docker-push.yml: Docker build and push to GHCR/DockerHub
- integration-test.yml: Integration testing after Docker push

Dependencies:
- security-scan, build-binaries, docker-push: Trigger after build workflow
- integration-test: Triggers after docker-push workflow
- All workflows verify both build AND lint passed before running

Also updates gemara dependency to v0.13.0
@zohayb23 zohayb23 force-pushed the feature/add-comprehensive-cicd-workflow branch from 479166b to 9b70570 Compare November 5, 2025 05:34
@kusari-inspector

Kusari PR Analysis rerun based on - 9b70570 performed at: 2025-11-05T05:35:23Z - link to updated analysis

- Fix Docker Hub credentials check to use proper step output
- Conditionally include Docker Hub image in metadata only when credentials exist
- Fix indentation consistency in build-binaries.yml and docker-push.yml
- Prevents empty image entries in metadata action when Docker Hub not configured
@kusari-inspector

Kusari PR Analysis rerun based on - 26c5d61 performed at: 2025-11-05T06:05:01Z - link to updated analysis

@kusari-inspector

Kusari PR Analysis rerun based on - d9731f9 performed at: 2025-11-05T06:14:19Z - link to updated analysis

@kusari-inspector

Kusari PR Analysis rerun based on - a20de9d performed at: 2025-11-05T07:32:46Z - link to updated analysis

@kusari-inspector

Kusari PR Analysis rerun based on - 89723bf performed at: 2025-11-05T07:37:15Z - link to updated analysis

@zohayb23 zohayb23 force-pushed the feature/add-comprehensive-cicd-workflow branch from 89723bf to 6fa2a83 Compare November 5, 2025 07:38
@revanite-io revanite-io deleted a comment from kusari-inspector bot Nov 5, 2025
@kusari-inspector

Kusari PR Analysis rerun based on - 1680a3e performed at: 2025-11-05T07:50:15Z - link to updated analysis

@kusari-inspector

Kusari PR Analysis rerun based on - 049280e performed at: 2025-11-06T05:05:50Z - link to updated analysis

@kusari-inspector

Kusari PR Analysis rerun based on - 15c6b8b performed at: 2025-11-06T05:25:27Z - link to updated analysis

@kusari-inspector

Kusari PR Analysis rerun based on - 34c989c performed at: 2025-11-06T06:02:14Z - link to updated analysis

- Update privateer-sdk from v1.10.0 to v1.13.0 to include ToSARIF fixes
- Fix template injection vulnerabilities using context.payload instead of template strings
- Add repository and branch validation for workflow_run triggers
- All security validations ensure workflows only run from same repo and allowed branches
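The Kusari report earlier in this thread flags two workflow issue classes (unpinned `uses:` references and `workflow_run` triggers), and the commit above adds template-injection fixes plus repository/branch validation for the `workflow_run`-triggered workflows. The following audit script is an added example for this page, not code from the PR or from the project: it scans workflow text for all three issue classes, using a constructed weak workflow and a constructed hardened one as input. It is a line-based heuristic that assumes the conventional layout (jobs at 2-space indent, job keys at 4-space indent); the `docker/login-action` SHA in the hardened sample is the one from the Kusari mitigation list, and `REQUIRED_GUARD` is an assumed minimum guard, not the project's exact expression.

```python
"""Audit GitHub Actions workflow text for unpinned actions, template injection and
unguarded workflow_run jobs. Constructed example, not code from this PR; assumes jobs
at 2-space indent and job keys at 4-space indent. Sample workflows are constructed."""
import re
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # the only immutable ref form
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:")
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")   # 2-space keys, i.e. job names
# Any event payload field may carry contributor-chosen text; route it through `env:`.
UNTRUSTED_RE = re.compile(r"\$\{\{\s*github\.(event\.|head_ref)")
# Forks also emit workflow_run events: require a successful run from this repository.
REQUIRED_GUARD = (
    "github.event.workflow_run.conclusion == 'success'",
    "github.event.workflow_run.head_repository.full_name == github.repository",
)

def unpinned_actions(text):
    """(line_no, ref) for every `uses:` whose ref is a tag or branch, not a SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        # local paths and docker:// images are out of scope for this check
        if m and not m.group(1).startswith(("./", "docker://")) and \
                not SHA_RE.match(m.group(1).partition("@")[2]):
            findings.append((n, m.group(1)))
    return findings

def template_injections(text):
    """Line numbers of `run:` content (inline or block scalar) using an untrusted expression."""
    findings, block_indent = [], None          # block_indent is set while inside `run: |`
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        m = RUN_RE.match(line)
        if block_indent is not None and (not line.strip() or indent > block_indent):
            body = line                         # continuation line of a block scalar
        elif m:
            body = line[m.end():].strip()
            block_indent = indent if body in ("|", "|-", ">", ">-") else None
        else:
            block_indent, body = None, ""
        if UNTRUSTED_RE.search(body):
            findings.append(n)
    return findings

def workflow_run_jobs_without_guard(text):
    """Job names whose job-level `if:` lacks a REQUIRED_GUARD condition ([] if no workflow_run)."""
    lines = text.splitlines()
    if not any(re.match(r"^\s*workflow_run:", ln) for ln in lines):
        return []
    jobs, current, in_jobs = {}, None, False
    for line in lines:
        m = JOB_RE.match(line)
        if line.rstrip() == "jobs:":
            in_jobs = True
        elif in_jobs and m:
            current, jobs[m.group(1)] = m.group(1), []
        elif in_jobs and current is not None:
            jobs[current].append(line)
    missing = []
    for name, body in jobs.items():
        cond, collecting = "", False
        for line in body:
            if re.match(r"^    if:", line):
                cond, collecting = line.split("if:", 1)[1], True
            elif collecting and len(line) - len(line.lstrip(" ")) > 4:
                cond += " " + line.strip()          # folded `if: >` continuation
            else:
                collecting = False
        if not all(g in cond for g in REQUIRED_GUARD):
            missing.append(name)
    return missing

WEAK = """\
on:
  workflow_run:
    workflows: [build]
jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - uses: docker/login-action@v3
      - run: echo "Building ${{ github.event.workflow_run.head_branch }}"
"""

HARDENED = """\
on:
  workflow_run:
    workflows: [build]
permissions: {}
jobs:
  push:
    if: >
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository &&
      contains(fromJSON('["main", "develop"]'), github.event.workflow_run.head_branch)
    runs-on: ubuntu-latest
    steps:
      - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
      - env:
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: echo "Building $HEAD_BRANCH"
"""
```

Running the three functions over `WEAK` reports the unpinned `docker/login-action@v3`, the `run:` line that interpolates `github.event.workflow_run.head_branch` directly, and the `push` job as unguarded; over `HARDENED` all three return empty. The hardened shape is the one this commit describes: the job-level `if:` refuses runs whose upstream failed, came from a fork, or came from a branch outside the allow list, and event data reaches the shell only as an environment variable.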
@zohayb23 zohayb23 force-pushed the feature/add-comprehensive-cicd-workflow branch from 34c989c to bfb7e8c Compare November 6, 2025 06:19
@kusari-inspector

Kusari PR Analysis rerun based on - bfb7e8c performed at: 2025-11-06T06:20:42Z - link to updated analysis

@zohayb23 zohayb23 marked this pull request as ready for review November 6, 2025 06:27
@kusari-inspector

Kusari PR Analysis rerun based on - 9378d4b performed at: 2025-11-10T23:21:14Z - link to updated analysis

@kusari-inspector

Kusari PR Analysis rerun based on - d0da0b6 performed at: 2025-11-10T23:22:57Z - link to updated analysis

@zohayb23 zohayb23 marked this pull request as draft November 11, 2025 03:36