docs/.github/workflows/security.yml at main · inferadb/docs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
#
# Security workflow for docs repository
# Since this is a documentation-only repository with no dependencies,
# there are no security scans to run. This workflow provides a consistent
# Security Summary job for branch protection rules.

name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Cancel in-progress runs when new commits are pushed
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  # Placeholder job - docs has no dependencies to scan
  # This exists to maintain consistent workflow structure across repos
  no-dependencies:
    name: No Dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - name: Skip security scan
        run: |
          echo "This is a documentation-only repository with no dependencies."
          echo "No security scans required."

  # Security scan summary - provides consistent status check for branch protection
  security-summary:
    name: Security Summary
    needs: [no-dependencies]
    runs-on: ubuntu-latest
    if: always()
    permissions:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - name: Check security scan results
        env:
          NO_DEPS_RESULT: ${{ needs.no-dependencies.result }}
        run: |
          echo "## Security Scan Results"
          echo ""
          echo "| Check | Status |"
          echo "|-------|--------|"
          echo "| Dependencies | $NO_DEPS_RESULT (none to scan) |"
          echo ""
          echo "This is a documentation-only repository."
          echo "No package dependencies or code to scan for vulnerabilities."
          echo ""

          # Fail if the placeholder job failed (shouldn't happen)
          if [[ "$NO_DEPS_RESULT" != "success" && "$NO_DEPS_RESULT" != "skipped" ]]; then
            echo "Unexpected failure in security workflow"
            exit 1
          fi

          echo "All security checks passed!"