fix(security): address critical and high severity findings from adversarial review #250
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
        with:
          toolchain: stable
          components: clippy, rustfmt
      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
        with:
          workspaces: codebase
      - name: Install libcurl
        run: sudo apt-get update && sudo apt-get install -y libcurl4-openssl-dev
      - name: Install LLVM
        run: |
          sudo apt-get install -y llvm-18-dev libpolly-18-dev libclang-18-dev clang-18
          echo "LLVM_SYS_180_PREFIX=/usr/lib/llvm-18" >> $GITHUB_ENV
          echo "LIBPOLLY_LIB_DIR=/usr/lib/llvm-18/lib" >> $GITHUB_ENV
          echo "LIBRARY_PATH=/usr/lib/llvm-18/lib:$LIBRARY_PATH" >> $GITHUB_ENV
          echo "LD_LIBRARY_PATH=/usr/lib/llvm-18/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV
      - name: Build
        working-directory: codebase
        run: cargo build --workspace
      # LLVM backend build is disabled pending resolution of Polly library linking
      # See: https://github.com/Ontic-Systems/Gradient/issues/3
      # - name: Build with LLVM backend
      #   working-directory: codebase
      #   run: cargo build -p gradient-compiler --features llvm
      - name: Test
        working-directory: codebase
        # Skip self_hosting_smoke tests - self-hosted parser.gr is experimental
        run: cargo test --workspace --exclude gradient-lsp --exclude gradient-test-framework -- --skip self_hosting
      - name: Test framework (sequential to avoid temp dir races)
        working-directory: codebase
        run: cargo test -p gradient-test-framework -- --test-threads=1
      - name: Test LSP (unit only)
        working-directory: codebase
        run: cargo test -p gradient-lsp --bin gradient-lsp
      - name: Clippy
        working-directory: codebase
        run: cargo clippy --workspace -- -D warnings
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
        with:
          toolchain: stable
      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
        with:
          workspaces: codebase
      - name: Install cargo-audit
        working-directory: codebase
        run: cargo install cargo-audit --locked --version 0.22.1
      - name: Audit dependencies
        working-directory: codebase
        run: cargo audit --file Cargo.lock
  e2e:
    runs-on: ubuntu-latest
    needs: check
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
        with:
          toolchain: stable
      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
        with:
          workspaces: codebase
      - name: Build compiler
        working-directory: codebase
        run: cargo build -p gradient-compiler
      - name: Install libcurl
        run: sudo apt-get update && sudo apt-get install -y libcurl4-openssl-dev
      - name: End-to-end compile tests
        working-directory: codebase/compiler
        run: |
          for f in tests/*.gr; do
            echo "Testing $f..."
            cargo run --quiet --bin gradient-compiler -- "$f" /tmp/test.o
            cc /tmp/test.o runtime/gradient_runtime.c -o /tmp/test_binary -lcurl
            /tmp/test_binary
            echo "PASS: $f"
          done
  wasm:
    runs-on: ubuntu-latest
    needs: check
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
        with:
          toolchain: stable
      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
        with:
          workspaces: codebase
      - name: Build compiler with WASM feature
        working-directory: codebase
        run: cargo build -p gradient-compiler --features wasm
      - name: Clippy with WASM feature
        working-directory: codebase
        run: cargo clippy -p gradient-compiler --features wasm -- -D warnings
      - name: Run WASM unit tests
        working-directory: codebase
        run: cargo test -p gradient-compiler --features wasm --test wasm_tests
      - name: Run WASM E2E tests
        working-directory: codebase
        run: cargo test -p gradient-compiler --features wasm --test wasm_e2e_tests
      - name: Install wasmtime
        run: |
          curl https://wasmtime.dev/install.sh -sSf | bash
          echo "$HOME/.wasmtime/bin" >> $GITHUB_PATH
      - name: Test WASM compilation via CLI
        working-directory: codebase/compiler
        run: |
          echo 'fn main() -> Int:' > /tmp/test.gr
          echo '    ret 42' >> /tmp/test.gr
          cargo run --quiet --bin gradient-compiler --features wasm -- /tmp/test.gr /tmp/test.wasm --experimental
          ls -la /tmp/test.wasm
          echo "WASM file generated successfully"
      - name: Validate WASM with wasmtime
        working-directory: codebase/compiler
        run: |
          # Add wasmtime to PATH (not persisted from previous step)
          export PATH="$HOME/.wasmtime/bin:$PATH"
          wasmtime --version
          # Try to validate the WASM file
          wasmtime validate /tmp/test.wasm || echo "Note: wasmtime validate not available in this version"
          # Try to run and get exit code
          wasmtime --invoke main /tmp/test.wasm || echo "Note: Function return value may cause non-zero exit"
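Review bot: the wasm job's "Install wasmtime" step runs `curl https://wasmtime.dev/install.sh -sSf | bash`, an unpinned remote script piped straight into the shell, which undercuts the commit-SHA pinning applied to every `uses:` action in this file and sits oddly in a PR whose purpose is closing security findings. Suggest downloading a specific wasmtime release archive and verifying its published checksum before extracting it (or using a SHA-pinned setup action), so the tool that validates build output is itself pinned and verifiable. Separately, in "Validate WASM with wasmtime" both `wasmtime validate ...` and `wasmtime --invoke main ...` end with `|| echo "Note: ..."`, so a validation or invocation failure is logged but never fails the job; drop the fallback on `wasmtime validate` (or gate it on a version check) so a malformed module is actually caught rather than reported as a note.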