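---
# CI for the osint_core project: a test/lint/security job followed by a
# "drift guard" job that enforces repository invariants with simple greps.
name: CI

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

# Least privilege: the default GITHUB_TOKEN can only read repository contents.
permissions:
  contents: read

jobs:
  test-and-secure:
    runs-on: ubuntu-latest
    env:
      # Safe fallback for CI only (matches your app behavior)
      ALLOW_DEV_SALT: "true"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # No step in this job pushes, so do not leave the token in
          # .git/config where later steps (and their dependencies) could read it.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Cache pip dependencies
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install pytest ruff bandit pip-audit

      - name: Lint (Ruff)
        run: ruff check .

      - name: Format Check (Ruff)
        run: ruff format --check .

      - name: Security Scan (Bandit)
        # -ll: report findings of medium severity and above.
        run: bandit -r osint_core/ -ll

      - name: Dependency Audit (pip-audit)
        # With no arguments pip-audit checks the installed environment, so
        # transitive dependencies are covered as well as requirements.txt.
        run: pip-audit

      - name: Run Tests (Pytest)
        run: pytest -v --tb=short

  drift-guard:
    runs-on: ubuntu-latest
    needs: test-and-secure
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      # The YAML check below runs Python; set it up explicitly instead of
      # depending on whatever interpreter the runner image ships.
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Verify critical files exist
        run: |
          test -f osint_core/intent.py
          test -f osint_core/policy.py
          test -f osint_core/validators.py

      - name: Prevent forbidden tools from entering repo
        # .git is excluded (binary objects would match and abort the scan) and
        # .github is excluded because this workflow itself names the forbidden
        # tools, which would fail every run. -w stops "nmap" from matching
        # inside words such as "unmapped"; -I skips binary files.
        run: |
          if grep -R -I -i -w -E \
               --exclude-dir=.git --exclude-dir=.github \
               "nmap|masscan|sqlmap|metasploit" .; then
            echo "❌ Forbidden tooling detected"
            exit 1
          fi

      - name: Enforce passive-first invariant
        # Fixed-string match (-F) so the "." in "requests.get(" is literal.
        # Note: only requests.get is checked, and any line containing the word
        # "authorized" passes; treat this as a tripwire, not a full control.
        run: |
          if grep -R -F "requests.get(" osint_core/ | grep -v "authorized"; then
            echo "⚠️ Potential unauthorized outbound request"
            exit 1
          fi

      - name: Validate YAML integrity
        # Install the parser explicitly rather than relying on the runner
        # image's preinstalled packages; safe_load rejects code-executing tags.
        run: |
          python -m pip install --upgrade pip pyyaml
          python -c "import yaml; yaml.safe_load(open('data/sources.yaml', encoding='utf-8'))"

      - name: Check for raw indicator leakage
        run: |
          if grep -R -E "example\.com|@gmail\.com|192\.168\." osint_core/; then
            echo "⚠️ Possible raw indicator leakage"
            exit 1
          fi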