Secure CI/CD for Public Launch #88

Merged: tafk7 merged 4 commits into develop from fix/runner-security on Nov 13, 2025

tafk7 (Collaborator) commented Nov 13, 2025

Implements security controls for self-hosted GitHub Actions runners before open-sourcing.

Security Enhancements

Workflow Protection:

  • Switch to pull_request_target (workflow runs from base branch, not PR)
  • Label-based approval gate (safe-to-test required)
  • Auto-remove label after run (forces re-review on new commits)
  • Automated dependency scanner blocks new PyPI packages

Access Control:

  • CODEOWNERS enforces mandatory reviews for:
    • .github/workflows/, .github/actions/ (CI/CD)
    • docker/, Dockerfile, *.sh (containers/scripts)
    • brainsmith/_internal/io/dependencies.py (dependency definitions)

Documentation

  • Streamlined CONTRIBUTING.md (encourages kernel contributions)
  • PR review checklist for external contributions
  • Setup guide for manual Azure NSG configuration

Other Changes

  • Fixed Python version references (3.10 → 3.11)

tafk7 requested a review from a team as a code owner November 13, 2025 02:51
tafk7 added the safe-to-test label (Maintainer approved for CI/CD testing) Nov 13, 2025
tafk7 changed the base branch from main to develop November 13, 2025 03:14
tafk7 merged commit dbed40c into develop Nov 13, 2025
1 check passed
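
Added example (not code from this pull request or the project's repository): one way a scanner that blocks new PyPI packages could work, assuming the dependency list of the base branch and of the PR can each be rendered as requirements-style text. The names `scan`, `parse`, `normalize` and the sample package lists are hypothetical; lines that are not plain PyPI requirements (pip options, direct URL references) block as well, so the check fails closed.

```python
import re

# PEP 508 project name followed by end of line, extras, a version specifier or a marker.
# Direct URL references ("name @ https://...") and pip option lines ("-e", "-r",
# "--index-url") deliberately do not match.
_REQ = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*(?:$|[\[<>=!~;])")

def normalize(name):
    """PEP 503: names compare case-insensitively; runs of '-', '_', '.' are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse(text):
    """Split requirements-style text into (normalized PyPI names, unparsed lines)."""
    names, unparsed = set(), set()
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if not line:
            continue
        m = _REQ.match(line)
        if m:
            names.add(normalize(m.group(1)))
        else:
            unparsed.add(line)
    return names, unparsed

def scan(base_text, head_text):
    """Compare the PR's dependency list with the base branch's; fail closed."""
    base_names, base_unparsed = parse(base_text)
    head_names, head_unparsed = parse(head_text)
    new = sorted(head_names - base_names)
    unparsed = sorted(head_unparsed - base_unparsed)
    return {"new_packages": new, "unparsed": unparsed, "blocked": bool(new or unparsed)}

# Constructed sample input (not taken from the repository).
BASE = """\
# runtime dependencies
numpy==1.26.4
PyYAML>=6.0
"""
HEAD = """\
Numpy==1.26.4
pyyaml>=6.0.1            # version bump only, same project
example-new-pkg==0.1     # constructed name
-e git+https://example.invalid/repo.git#egg=thing
"""

if __name__ == "__main__":
    result = scan(BASE, HEAD)
    print(result)
    raise SystemExit(1 if result["blocked"] else 0)
```

Because the workflow runs under pull_request_target, a script like this would be taken from the base branch and would only read the PR's dependency file as data, never import or execute it.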