grenade/cull-gmail
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add security improvements to CI

Browse Source 
Add commit signature verification, split security
jobs for forked/trusted PRs, and add forked PR
isolation on update_prlog.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jeremiah Russell <jerry@jrussell.ie>
This commit is contained in:
Jeremiah Russell
2026-02-11 13:42:16 +00:00
parent 95c154f720
commit 5e308ffba9
1 changed files with 36 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
.circleci/config.yml
View File

@@ -49,6 +49,25 @@ workflows:
- << pipeline.parameters.validation_flag >> - << pipeline.parameters.validation_flag >>
- not: << pipeline.parameters.release_flag >> - not: << pipeline.parameters.release_flag >>
jobs: jobs:
# Signature verification for trusted PRs (with write access for comments)
- toolkit/verify_commit_signatures:
name: verify_commit_signatures_trusted
context: bot-check
post_comment: true
update_pcu: false
filters:
branches:
ignore:
- main
- /pull\/[0-9]+/
# Signature verification for forked PRs (read-only, no comments)
- toolkit/verify_commit_signatures:
name: verify_commit_signatures_forked
post_comment: false
update_pcu: false
filters:
branches:
only: /pull\/[0-9]+/
- toolkit/label: - toolkit/label:
min_rust_version: << pipeline.parameters.min_rust_version >> min_rust_version: << pipeline.parameters.min_rust_version >>
context: pcu-app context: pcu-app
@@ -73,18 +92,34 @@ workflows:
- toolkit/idiomatic_rust: - toolkit/idiomatic_rust:
min_rust_version: << pipeline.parameters.min_rust_version >> min_rust_version: << pipeline.parameters.min_rust_version >>
- toolkit/security: - toolkit/security:
name: security audit only
sonarcloud: false
ignore_advisories: RUSTSEC-2025-0066
filters:
branches:
only: /pull\/[0-9]+/
- toolkit/security:
name: security with sonarcloud
context: SonarCloud context: SonarCloud
ignore_advisories: RUSTSEC-2025-0066 ignore_advisories: RUSTSEC-2025-0066
filters:
branches:
ignore:
- /pull\/[0-9]+/
- main
- toolkit/update_prlog: - toolkit/update_prlog:
filters: filters:
branches: branches:
ignore: ignore:
- /pull\/[0-9]+/
- main - main
requires: requires:
- verify_commit_signatures_trusted
- toolkit/required_builds - toolkit/required_builds
- toolkit/test_doc_build - toolkit/test_doc_build
- toolkit/idiomatic_rust - toolkit/idiomatic_rust
- toolkit/security - security audit only
- security with sonarcloud
- toolkit/common_tests - toolkit/common_tests
context: context:
- release - release