Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions .github/workflows/security-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -58,3 +58,32 @@ jobs:
# rag-processor uses hatchling as build backend, so editable installs
# require the build step. The reusable defaults no-build: true; override.
no-build: false

# Bare "Security Gate Validation" context required by the org ruleset.
# The reusable security workflow surfaces as
# "Security Analysis / Security Gate Validation" (caller / reusable job),
# which cannot match the bare ruleset context. This in-line aggregator
# re-emits the bare context on pull_request and inside the merge queue.
security-gate:
name: Security Gate Validation
runs-on: ubuntu-latest
needs: [security]
if: always()
timeout-minutes: 5
permissions:
contents: read
steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: block
allowed-endpoints: ''
- name: Aggregate security result
run: |
result="${{ needs.security.result }}"
if [ "$result" = "success" ] || [ "$result" = "skipped" ]; then
echo "Security Gate Validation: passed (result: $result)"
else
echo "::error::Security Gate Validation failed: $result"
exit 1
fi
Loading