chore: update security baseline 2026-04-04 #153
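---
# CI for the backend (Python) and the dashboard (Node/pnpm).
# Every third-party action is pinned to a full commit SHA (the trailing
# comment is only the human-readable tag) so a moved tag cannot change what
# runs here.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# One in-flight run per workflow+ref. Only PR runs are cancelled by a newer
# push; a push to main always runs to completion so every main commit keeps a
# recorded CI result.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Read-only GITHUB_TOKEN for every job; nothing below writes to the repository.
permissions:
  contents: read

jobs:
  backend-test:
    name: Backend Tests
    runs-on: blacksmith-4vcpu-ubuntu-2404-arm
    strategy:
      matrix:
        python-version: ["3.12", "3.13"]
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # No step pushes, so do not leave the token in .git/config where
          # package build hooks run by pip could read it.
          persist-credentials: false
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: "pip"
      - run: pip install -e ".[dev]"
      - run: pytest tests/ -v

  backend-quality:
    name: Backend Quality
    runs-on: blacksmith-4vcpu-ubuntu-2404-arm
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # No step pushes; keep the token out of the checkout.
          persist-credentials: false
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: "3.12"
          cache: "pip"
      # ruff is pinned; bandit and pip-audit float to their latest release, so
      # a new scanner release can change this job's result without any commit
      # here. Pin them the same way once a baseline version is chosen.
      - run: pip install -e ".[dev]" "ruff==0.15.5" bandit pip-audit
      - name: Lint
        run: ruff check src/ tests/
      - name: Type check
        run: mypy src/
      - name: Security lint (bandit)
        # -ll / -ii: only findings of medium-or-higher severity AND confidence
        # fail the step.
        run: bandit -r src/ -ll -ii --exclude tests/
      - name: Audit Python dependencies
        # pip-audit with no requirements file audits the installed environment,
        # i.e. the project's dependencies plus the tooling installed above.
        # Every --ignore-vuln needs a reason and a removal condition; re-check
        # the list on each baseline update.
        # CVE-2026-4539: pygments 2.19.2 (transitive dep, no fix available yet)
        #   -> drop the ignore as soon as a patched pygments is released.
        run: pip-audit --ignore-vuln CVE-2026-4539
      # Repository-specific checks under scripts/security-lint/; a non-zero
      # exit from any of them fails the job.
      - name: Check tenant isolation (S3)
        run: python3 scripts/security-lint/check_tenant_isolation.py
      - name: Check input bounds
        run: python3 scripts/security-lint/check_input_bounds.py
      - name: Check timing-safe comparisons
        run: python3 scripts/security-lint/check_timing_safe.py

  frontend-ci:
    name: Frontend
    runs-on: blacksmith-4vcpu-ubuntu-2404-arm
    defaults:
      run:
        # Every `run:` step below executes inside the dashboard package.
        working-directory: dashboard
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # No step pushes; keep the token out of the checkout.
          persist-credentials: false
      - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4
        with:
          version: "10"
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: "24"
          cache: pnpm
          cache-dependency-path: dashboard/pnpm-lock.yaml
      # --frozen-lockfile: install exactly what pnpm-lock.yaml records and fail
      # if package.json has drifted from it.
      - run: pnpm install --frozen-lockfile
      - name: Type check
        run: pnpm tsc --noEmit
      - name: Build
        run: pnpm build
      - name: Audit frontend dependencies
        # NOTE(review): continue-on-error makes this step advisory only — a
        # failing audit is visible in the log but never blocks the merge, unlike
        # the Python audit above, which fails the job except for an explicit
        # per-advisory allowlist. Consider recording accepted advisories in
        # package.json (pnpm.auditConfig.ignoreCves) and dropping
        # continue-on-error so that new findings block.
        run: pnpm audit --audit-level moderate
        continue-on-error: true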