diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml
index 6bc7ba4..94f382e 100644
--- a/.github/workflows/security-analysis.yml
+++ b/.github/workflows/security-analysis.yml
@@ -58,3 +58,32 @@ jobs:
 # rag-processor uses hatchling as build backend, so editable installs
 # require the build step. The reusable defaults no-build: true; override.
 no-build: false
+
+ # Bare "Security Gate Validation" context required by the org ruleset.
+ # The reusable security workflow surfaces as
+ # "Security Analysis / Security Gate Validation" (caller / reusable job),
+ # which cannot match the bare ruleset context. This in-line aggregator
+ # re-emits the bare context on pull_request and inside the merge queue.
+ security-gate:
+ name: Security Gate Validation
+ runs-on: ubuntu-latest
+ needs: [security]
+ if: always()
+ timeout-minutes: 5
+ permissions:
+ contents: read
+ steps:
+ - name: Harden runner
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: block
+ allowed-endpoints: ''
+ - name: Aggregate security result
+ run: |
+ result="${{ needs.security.result }}"
+ if [ "$result" = "success" ] || [ "$result" = "skipped" ]; then
+ echo "Security Gate Validation: passed (result: $result)"
+ else
+ echo "::error::Security Gate Validation failed: $result"
+ exit 1
+ fi
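Review bot: The aggregate step passes the gate when `needs.security.result` is `skipped`, and because the job runs under `if: always()` that turns any condition which skips the `security` job (a path filter, an actor or label check, a failed upstream dependency of its own) into a green "Security Gate Validation" context with no scanning having run — the ruleset is satisfied vacuously. If `skipped` is meant to pass only for cases the PR author cannot steer (for example docs-only changes decided by a trusted path filter), make that visible rather than silent: `if [ "$result" = "skipped" ]; then echo "::warning::Security Gate Validation: security job skipped, passing without scan results"; fi` inside the pass branch; if the author can influence the skip, `skipped` should fall through to the `::error::` branch instead. The header comment's claim that the context is re-emitted "inside the merge queue" depends on the workflow's `on:` block including `merge_group`, which is outside this hunk and should be confirmed. Minor: the job performs no checkout or API call, so `permissions: {}` would be tighter than `contents: read`; the SHA-pinned `harden-runner` with `egress-policy: block` is good practice and should be kept. The enclosing `jobs:` mapping starts before this hunk.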