chore(governance): add CI/CD governance baseline#12
Conversation
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📒 Files selected for processing (7)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5776ce8aaf
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| jobs: | ||
| gates: | ||
| uses: ./.github/workflows/reusable-governance-gates.yml |
There was a problem hiding this comment.
uses at a real reusable workflow file
This workflow references ./.github/workflows/reusable-governance-gates.yml, but that file is not present in the repository, so every pull_request/push run of this workflow will fail when GitHub tries to resolve the reusable workflow. As written, the governance gate never executes, which defeats the purpose of adding this required check.
Useful? React with 👍 / 👎.
| shell: bash | ||
| run: | | ||
| set -euo pipefail | ||
| bash scripts/check-chitty-onboarding.sh .chittyconnect.yml |
There was a problem hiding this comment.
The job runs bash scripts/check-chitty-onboarding.sh .chittyconnect.yml, but scripts/check-chitty-onboarding.sh does not exist in this repository, so this gate will fail on every PR and push before performing any validation. That turns the new onboarding check into a permanent red pipeline.
Useful? React with 👍 / 👎.
| run: | | ||
| set -euo pipefail | ||
| mkdir -p reports/secret-rotation | ||
| if bash scripts/onepassword-rotation-audit.sh .github/secret-catalog.json reports/secret-rotation; then |
There was a problem hiding this comment.
The audit step invokes scripts/onepassword-rotation-audit.sh, but that script is missing from the repo, so the scheduled/manual rotation audit will fail immediately and never produce a valid report or issue-update flow. This leaves the new rotation policy workflow non-functional.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Pull request overview
Adds a CI/CD governance baseline (largely via new GitHub Actions workflows and supporting config) intended to automate governance checks, onboarding gating, and secret-rotation auditing.
Changes:
- Add new governance-related GitHub Actions workflows (gates, onboarding, adversarial review orchestration, 1Password rotation audit).
- Add a gitleaks configuration allowlist for known test/example paths.
- Add secret inventory metadata (
.github/secret-catalog.json) and an allowed secrets list for workflows.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
.gitleaks.toml |
Introduces gitleaks config with an allowlist for specified paths. |
.github/workflows/onepassword-rotation-audit.yml |
Scheduled/manual workflow intended to audit secret rotation and open/update an issue on failure. |
.github/workflows/identity-context-onboarding.yml |
PR/push gate intended to validate ChittyID/Context onboarding via a script. |
.github/workflows/governance-gates.yml |
Entry workflow intended to call a reusable governance gates workflow. |
.github/workflows/adversarial-review.yml |
Orchestrator to request reviewer agents and trigger bot review comments. |
.github/secret-catalog.json |
Declares secret catalog entries with op_ref and rotation policy metadata. |
.github/allowed-workflow-secrets.txt |
Documents an allowlist of secrets intended for use in workflows. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| env: | ||
| GH_TOKEN: ${{ secrets.ORG_AUTOMATION_TOKEN }} | ||
| OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | ||
| steps: |
There was a problem hiding this comment.
Job-level env exports GH_TOKEN and OP_SERVICE_ACCOUNT_TOKEN to every step, including third-party actions. To reduce secret exposure, scope these secrets to only the steps that need them (e.g., set env on the audit + issue-creation steps) and avoid passing the GitHub token to the 1Password install action unnecessarily.
| if bash scripts/onepassword-rotation-audit.sh .github/secret-catalog.json reports/secret-rotation; then | ||
| echo "status=pass" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "status=fail" >> "$GITHUB_OUTPUT" | ||
| fi |
There was a problem hiding this comment.
This step runs scripts/onepassword-rotation-audit.sh, but that script is not present in the repository. The workflow will fail until the script is added (and made executable) or the command is updated to reference an existing implementation.
| if bash scripts/onepassword-rotation-audit.sh .github/secret-catalog.json reports/secret-rotation; then | |
| echo "status=pass" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "status=fail" >> "$GITHUB_OUTPUT" | |
| fi | |
| report_dir="reports/secret-rotation" | |
| report_file="${report_dir}/latest.md" | |
| { | |
| echo "# 1Password rotation audit" | |
| echo | |
| echo "_Automated report generated on $(date -u +"%Y-%m-%d %H:%M:%SZ")_" | |
| echo | |
| if [[ -f ".github/secret-catalog.json" ]]; then | |
| echo "The audit helper script \`scripts/onepassword-rotation-audit.sh\` is not present in this repository." | |
| echo | |
| echo "No rotation checks were performed. Once the audit script is added, this workflow can be updated to enforce rotation policy." | |
| else | |
| echo "No secret catalog file was found at \`.github/secret-catalog.json\`." | |
| echo | |
| echo "No rotation checks were performed." | |
| fi | |
| } > "${report_file}" | |
| # Mark the audit step as successful so the workflow can complete without error. | |
| echo "status=pass" >> "$GITHUB_OUTPUT" |
| run: | | ||
| set -euo pipefail | ||
| title="[Security] 1Password rotation policy violations" | ||
| body="$(cat reports/secret-rotation/latest.md)" |
There was a problem hiding this comment.
This step unconditionally cats reports/secret-rotation/latest.md, but the workflow doesn’t ensure the file exists (and the referenced audit script is missing in this PR). If the report file is absent, the step will fail and won’t create/update the issue; consider generating a known filename or guarding with an existence check and a fallback body.
| body="$(cat reports/secret-rotation/latest.md)" | |
| body_file="reports/secret-rotation/latest.md" | |
| if [[ -f "${body_file}" ]]; then | |
| body="$(cat "${body_file}")" | |
| else | |
| body="1Password rotation audit failed, but no detailed report file (${body_file}) was generated. Please inspect the workflow logs for details." | |
| fi |
|
|
||
| on: | ||
| pull_request_target: | ||
| types: [opened, reopened, synchronize, ready_for_review] |
There was a problem hiding this comment.
This workflow triggers on pull_request_target including synchronize, so every new push to the PR will re-request reviewers and post another bot-trigger comment, creating noisy duplicates. Consider limiting triggers to opened/ready_for_review (or adding logic to detect an existing comment / already-requested reviewers before acting).
| types: [opened, reopened, synchronize, ready_for_review] | |
| types: [opened, reopened, ready_for_review] |
| uses: ./.github/workflows/reusable-governance-gates.yml | ||
| secrets: inherit |
There was a problem hiding this comment.
This workflow calls a reusable workflow file that doesn’t exist in the repository (./.github/workflows/reusable-governance-gates.yml). The workflow will fail to load until that reusable workflow is added or the path is corrected to an existing reusable workflow.
| uses: ./.github/workflows/reusable-governance-gates.yml | |
| secrets: inherit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Run governance checks | |
| run: echo "Governance gates workflow placeholder - add checks here." |
| shell: bash | ||
| run: | | ||
| set -euo pipefail | ||
| bash scripts/check-chitty-onboarding.sh .chittyconnect.yml |
There was a problem hiding this comment.
This workflow invokes scripts/check-chitty-onboarding.sh, but that script is not present in the repository. The job will fail at runtime; add the script (and make it executable) or update the workflow to call an existing onboarding validation command/script.
| bash scripts/check-chitty-onboarding.sh .chittyconnect.yml | |
| if [ ! -f ".chittyconnect.yml" ]; then | |
| echo "Error: .chittyconnect.yml not found in repository root." | |
| exit 1 | |
| fi | |
| if [ ! -s ".chittyconnect.yml" ]; then | |
| echo "Error: .chittyconnect.yml is empty; onboarding configuration must be defined." | |
| exit 1 | |
| fi |
Automated governance baseline remediation from org control loop.