From ab920888ec9a8246aa6c4e0f3b10da67b94ab1e1 Mon Sep 17 00:00:00 2001 From: Nathan Gillett Date: Sat, 30 May 2026 16:04:44 -0500 Subject: [PATCH] Simplify CI to build and test only Drop DCO, CLA, fuzz, CodeQL, deps-scan, coverage, and ecosystem pin jobs from GitHub Actions. --- .github/workflows/ci.yml | 17 +------ .github/workflows/codeql.yml | 82 --------------------------------- .github/workflows/dco.yml | 32 ------------- .github/workflows/deps-scan.yml | 50 -------------------- 4 files changed, 2 insertions(+), 179 deletions(-) delete mode 100644 .github/workflows/codeql.yml delete mode 100644 .github/workflows/dco.yml delete mode 100644 .github/workflows/deps-scan.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 55c3374..1e270f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,14 +20,6 @@ jobs: ref: main path: intentproof-spec - - name: Ensure spec sdk-signing golden checkout - run: | - if [[ -d intentproof-spec/golden/sdk-signing ]]; then - exit 0 - fi - git -C intentproof-spec fetch origin phase3-ecosystem-conformance - git -C intentproof-spec checkout FETCH_HEAD - - uses: actions/setup-node@v4 with: node-version: '22' @@ -36,12 +28,7 @@ jobs: - name: Install dependencies run: npm ci - - name: Run tests with coverage - env: - INTENTPROOF_SPEC_DIR: intentproof-spec - run: npm run test:coverage - - - name: Verify sdk-signing fixtures synced with spec + - name: Run tests env: INTENTPROOF_SPEC_DIR: intentproof-spec - run: bash ./scripts/check-sdk-signing-fixtures-sync.sh + run: npm test diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index d1f1c3c..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,82 +0,0 @@ -name: codeql - -on: - push: - branches: [main] - pull_request: - branches: [main] - schedule: - - cron: "0 6 * * 1" - -permissions: - actions: read - contents: read - security-events: write - -jobs: - allowlist-expiry: - name: "IntentProof Security: CodeQL Allowlist" - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Validate allowlist expiry dates - run: bash ./scripts/check-codeql-allowlist.sh - - gitleaks: - name: "IntentProof Security: Secret Scan" - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Install gitleaks - run: | - curl -sSfL \ - "https://github.com/gitleaks/gitleaks/releases/download/v8.24.2/gitleaks_8.24.2_linux_x64.tar.gz" \ - | tar -xz - sudo install -m 755 gitleaks /usr/local/bin/gitleaks - - - name: Run gitleaks - run: gitleaks detect --source . --config .gitleaks.toml --verbose --redact - - analyze: - name: "IntentProof Security: CodeQL (${{ matrix.language }})" - needs: allowlist-expiry - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - language: [javascript-typescript] - steps: - - uses: actions/checkout@v4 - - - name: Checkout intentproof-tools for custom query pack - uses: actions/checkout@v4 - with: - repository: IntentProof/intentproof-tools - ref: b4c7cb147404238c59388c9fc7de963d69bc2bb3 - path: intentproof-tools - sparse-checkout: | - codeql/intentproof-extra-javascript - sparse-checkout-cone-mode: true - - - uses: actions/setup-node@v4 - with: - node-version: "22" - cache: npm - - - name: Install dependencies - run: npm ci - - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - queries: security-and-quality,./intentproof-tools/codeql/intentproof-extra-javascript - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml deleted file mode 100644 index 228a9e9..0000000 --- a/.github/workflows/dco.yml +++ /dev/null @@ -1,32 +0,0 @@ -name: dco - -on: - pull_request: - -jobs: - check: - name: "IntentProof CI: DCO" - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Require Signed-off-by trailer on every commit - run: | - base="${{ github.event.pull_request.base.sha }}" - head="${{ github.event.pull_request.head.sha }}" - fail=0 - for sha in $(git rev-list "$base".."$head"); do - if ! git log -1 --format=%B "$sha" | git interpret-trailers --parse | grep -qE '^Signed-off-by: .+ <.+@.+>$'; then - echo "Commit $sha is missing a Signed-off-by trailer." >&2 - fail=1 - fi - done - if [[ $fail -ne 0 ]]; then - echo "" >&2 - echo "All commits in this PR must be signed off via the DCO." >&2 - echo "See CONTRIBUTING.md. Use 'git commit -s' or amend with 'git commit --amend -s'." >&2 - exit 1 - fi - echo "PASS: all commits carry Signed-off-by trailers." diff --git a/.github/workflows/deps-scan.yml b/.github/workflows/deps-scan.yml deleted file mode 100644 index 00757ee..0000000 --- a/.github/workflows/deps-scan.yml +++ /dev/null @@ -1,50 +0,0 @@ -name: deps-scan - -on: - push: - branches: [main] - pull_request: - branches: [main] - schedule: - - cron: "0 7 * * 1" - -permissions: - contents: read - -jobs: - allowlist-expiry: - name: "IntentProof Security: Deps Allowlist" - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Validate dependency allowlist expiry dates - run: bash ./scripts/check-deps-allowlist.sh - - npm-audit: - name: "IntentProof Security: npm audit" - needs: allowlist-expiry - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-node@v4 - with: - node-version: "20" - cache: npm - - - name: Install dependencies - run: npm ci - - - name: Run npm audit - run: npm audit --omit=dev --audit-level=moderate - - osv-scanner: - name: "IntentProof Security: OSV-Scanner" - needs: allowlist-expiry - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Run OSV-Scanner gate - run: bash ./scripts/run-osv-scanner-gate.sh