ci: add GitHub Actions CI workflow #1
| name: CI | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| jobs: | |
| lint: | |
| name: Shell Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install ShellCheck | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y shellcheck | |
| - name: Run ShellCheck | |
| run: | | |
| shellcheck --version | |
| shellcheck scripts/*.sh | |
| syntax: | |
| name: Bash Syntax | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Validate bash syntax | |
| run: | | |
| for f in scripts/*.sh; do | |
| echo "Checking $f..." | |
| bash -n "$f" | |
| done | |
| security: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Check for hardcoded secrets | |
| run: | | |
| echo "Scanning for potential secrets..." | |
| # Check for hardcoded API keys/tokens | |
| if grep -rn "sk-[a-zA-Z0-9]\{20,\}" scripts/ 2>/dev/null; then | |
| echo "ERROR: Potential API key found" | |
| exit 1 | |
| fi | |
| # Check for hardcoded passwords | |
| if grep -rn "password.*=.*['\"][^'\"]\+['\"]" scripts/ 2>/dev/null; then | |
| echo "ERROR: Potential hardcoded password found" | |
| exit 1 | |
| fi | |
| # Check for private keys | |
| if grep -rn "BEGIN.*PRIVATE KEY" scripts/ 2>/dev/null; then | |
| echo "ERROR: Private key found" | |
| exit 1 | |
| fi | |
| echo "✅ No obvious secrets found" | |
| - name: Check crypto.sh security patterns | |
| run: | | |
| echo "Verifying crypto.sh security patterns..." | |
| # Verify private key is never read in scripts | |
| if grep -rn "cat.*private.pem" scripts/ 2>/dev/null; then | |
| echo "WARNING: Scripts reading private key - verify this is intentional" | |
| fi | |
| # Verify private key is never transmitted | |
| if grep -rn "curl.*private\|wget.*private" scripts/ 2>/dev/null; then | |
| echo "ERROR: Private key transmission detected" | |
| exit 1 | |
| fi | |
| echo "✅ Crypto patterns verified" | |
| docs: | |
| name: Docs Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Verify documentation exists | |
| run: | | |
| echo "Checking documentation..." | |
| required_docs=( | |
| "SKILL.md" | |
| "docs/README.md" | |
| ) | |
| for doc in "${required_docs[@]}"; do | |
| if [[ ! -f "$doc" ]]; then | |
| echo "ERROR: Required documentation missing: $doc" | |
| exit 1 | |
| fi | |
| echo "✅ Found: $doc" | |
| done | |
| - name: Check for broken references | |
| run: | | |
| echo "Checking for broken markdown references..." | |
| # Check for common broken patterns | |
| if grep -rn "\[.*\](.*\.md)" SKILL.md docs/ 2>/dev/null | grep -v "^Binary"; then | |
| echo "Found markdown links - verify they are valid" | |
| fi | |
| echo "✅ Documentation check complete" |
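Review bot: The workflow declares no `permissions:` block, so every job runs with the repository's default GITHUB_TOKEN scope even though all four jobs only read the checkout; add a top-level `permissions:` / `  contents: read` between `name: CI` and `on:` so a compromised step cannot write to the repository. For the same supply-chain reason, the four `uses: actions/checkout@v4` references are mutable tags and should be pinned to a full commit SHA with the version kept in a trailing comment. In the Security Scan job, the `cat.*private.pem` check only prints a WARNING and never fails, so it is not a gate; if reading the private key is meant to be forbidden, follow the warning with `exit 1` as the sibling checks do. Note also that the password pattern `password.*=.*['\"][^'\"]\+['\"]` matches `password="$PASSWORD"`-style references to an environment variable, which is the pattern the check should be encouraging, so expect false positives there.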