From 6932e85659df11adf87c62ff4f1aefb99ae5747d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Th=C3=A9riault?= Date: Mon, 22 Jun 2026 11:52:45 -0400 Subject: [PATCH 1/6] security scanning --- .github/workflows/codeql.yaml | 39 ++++++++++++++++++++++++++ .github/workflows/release.yaml | 50 ++++++++++++++++++++++++++++++++-- 2 files changed, 87 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/codeql.yaml diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml new file mode 100644 index 0000000..07f46ff --- /dev/null +++ b/.github/workflows/codeql.yaml @@ -0,0 +1,39 @@ +name: CodeQL + +on: + push: + branches: + - main + pull_request: + schedule: + - cron: "0 0 * * 1" + +jobs: + analyze: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + language: + - rust + - actions + + permissions: + contents: read + security-events: write + + steps: + - uses: actions/checkout@v6 + - uses: actions-rust-lang/setup-rust-toolchain@v1 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + + - run: cargo build + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9cec376..0bea8c0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,6 +1,17 @@ name: Release on: workflow_dispatch: + inputs: + publish: + description: Whether to publish to AWS and GHCR + required: true + default: true + type: boolean + scan: + description: Whether to run RL scanning + required: true + default: true + type: boolean jobs: build: @@ -48,6 +59,7 @@ jobs: prod: needs: build + if: github.event.inputs.publish runs-on: ubuntu-latest strategy: matrix: 
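Review bot: Every `uses:` in the new codeql.yaml references a mutable tag (`actions/checkout@v6`, `actions-rust-lang/setup-rust-toolchain@v1`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`), so whoever can move one of those tags decides what runs in a job that holds `security-events: write`. Pinning each step to a full-length commit SHA and keeping the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, removes that dependency on the upstream tag. The same applies to `actions/checkout@v6` and `actions/download-artifact@v8` in the new `scan` job added to release.yaml further down in this patch, and to the `setup-rust-toolchain` step that patch 4 moves. A Dependabot entry for the `github-actions` ecosystem keeps such pins current without manual work.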
@@ -103,7 +115,7 @@ jobs: docker: needs: build - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + if: github.event.inputs.publish strategy: matrix: arch: [x86_64, aarch64] @@ -138,8 +150,8 @@ jobs: needs: - build - docker + if: github.event.inputs.publish runs-on: ubuntu-latest - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' permissions: contents: read @@ -167,3 +179,37 @@ jobs: --tag ghcr.io/${{ github.repository }}:$PATCH \ ghcr.io/${{ github.repository }}:x86_64$SUFFIX \ ghcr.io/${{ github.repository }}:aarch64$SUFFIX + + scan: + needs: build + if: github.event.inputs.scan + runs-on: ubuntu-latest + + permissions: + contents: read + + steps: + - uses: actions/checkout@v6 + - uses: actions/download-artifact@v8 + with: + name: diet-lambda-x86_64 + path: x86_64 + - uses: actions/download-artifact@v8 + with: + name: diet-lambda-aarch64 + path: aarch64 + + - run: ls -AR + - run: zip -r diet-lambda.zip . + + - name: RL Scan + run: | + docker run --rm -v $(pwd):/workspace \ + -e RLPORTAL_ACCESS_TOKEN=${{ secrets.RLPORTAL_ACCESS_TOKEN}} \ + reversinglabs/rl-scanner-cloud rl-scan \ + --rl-portal-server solarwinds \ + --rl-portal-org SolarWinds \ + --rl-portal-group SaaS-Agents-SWO \ + --purl diet-lambda/diet-lambda@${{ needs.build.outputs.version }} \ + --file-path /workspace/diet-lambda.zip \ + --submit-only --replace From 3602fffa875132e9986abd692d1d4e81c065dfa5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Th=C3=A9riault?= Date: Mon, 22 Jun 2026 12:02:09 -0400 Subject: [PATCH 2/6] minor overhaul of scan workflow --- .github/workflows/release.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0bea8c0..dd191ac 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
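Review bot: In the `RL Scan` step of the new `scan` job, `${{ secrets.RLPORTAL_ACCESS_TOKEN }}` and `${{ needs.build.outputs.version }}` are expanded into the `run:` script text before the shell parses it, so the token value becomes part of the command line and any shell metacharacters in the version value would be interpreted as shell rather than data; the quoting patch 5 adds to the same lines does not change this, because expression substitution happens before quote parsing. How `version` is produced lives in the `build` job, outside these hunks, so whether it can ever carry non-version content is not visible here. The conventional fix is to pass both values through an `env:` block on the step and reference them as shell variables, with `docker run -e RLPORTAL_ACCESS_TOKEN` (no `=value`) forwarding the token from the environment so it never appears in the command text.
```yaml
      - name: RL Scan
        env:
          RLPORTAL_ACCESS_TOKEN: ${{ secrets.RLPORTAL_ACCESS_TOKEN }}
          VERSION: ${{ needs.build.outputs.version }}
        run: |
          docker run --rm -v "$PWD:/workspace" \
            -e RLPORTAL_ACCESS_TOKEN \
            reversinglabs/rl-scanner-cloud rl-scan \
            # … unchanged: the three --rl-portal-* flags …
            --purl "diet-lambda/diet-lambda@$VERSION" \
            --file-path /workspace/diet-lambda.zip \
            --submit-only --replace
```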
@@ -3,12 +3,12 @@ on: workflow_dispatch: inputs: publish: - description: Whether to publish to AWS and GHCR + description: Publish to AWS and GHCR required: true default: true type: boolean scan: - description: Whether to run RL scanning + description: Run RL scanning required: true default: true type: boolean @@ -200,7 +200,7 @@ jobs: path: aarch64 - run: ls -AR - - run: zip -r diet-lambda.zip . + - run: zip -r diet-lambda.zip src x86_64 aarch64 Cargo.toml Cargo.lock .cargo LICENSE - name: RL Scan run: | From 8ec15d72bc1e622d94c80fe2945a952146838a52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Th=C3=A9riault?= Date: Mon, 22 Jun 2026 12:09:48 -0400 Subject: [PATCH 3/6] fix stupid github inputs --- .github/workflows/release.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index dd191ac..ddd34cd 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -59,7 +59,7 @@ jobs: prod: needs: build - if: github.event.inputs.publish + if: inputs.publish runs-on: ubuntu-latest strategy: matrix: @@ -115,7 +115,7 @@ jobs: docker: needs: build - if: github.event.inputs.publish + if: inputs.publish strategy: matrix: arch: [x86_64, aarch64] @@ -150,7 +150,7 @@ jobs: needs: - build - docker - if: github.event.inputs.publish + if: inputs.publish runs-on: ubuntu-latest permissions: @@ -182,7 +182,7 @@ jobs: scan: needs: build - if: github.event.inputs.scan + if: inputs.scan runs-on: ubuntu-latest permissions: From fbc308090e54473bf6a74b0d4797441016fb4b43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Th=C3=A9riault?= Date: Mon, 22 Jun 2026 12:14:57 -0400 Subject: [PATCH 4/6] only run rust build if needed in codeql --- .github/workflows/codeql.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 07f46ff..8179c89 100644 --- a/.github/workflows/codeql.yaml 
+++ b/.github/workflows/codeql.yaml @@ -24,14 +24,16 @@ jobs: steps: - uses: actions/checkout@v6 - - uses: actions-rust-lang/setup-rust-toolchain@v1 - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} + - uses: actions-rust-lang/setup-rust-toolchain@v1 + if: matrix.language == 'rust' - run: cargo build + if: matrix.language == 'rust' - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 From 2a1a9364fd0c5bf5588c7907b6cbfe6e602e4f61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Th=C3=A9riault?= <113933910+raphael-theriault-swi@users.noreply.github.com> Date: Mon, 22 Jun 2026 12:19:29 -0400 Subject: [PATCH 5/6] quote docker command inputs that could contain spaces Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .github/workflows/release.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ddd34cd..5225bb8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -204,9 +204,9 @@ jobs: - name: RL Scan run: | - docker run --rm -v $(pwd):/workspace \ - -e RLPORTAL_ACCESS_TOKEN=${{ secrets.RLPORTAL_ACCESS_TOKEN}} \ - reversinglabs/rl-scanner-cloud rl-scan \ + docker run --rm -v "${{ github.workspace }}:/workspace" \ + -e RLPORTAL_ACCESS_TOKEN="${{ secrets.RLPORTAL_ACCESS_TOKEN }}" \ + reversinglabs/rl-scanner-cloud rl-scan \ --rl-portal-server solarwinds \ --rl-portal-org SolarWinds \ --rl-portal-group SaaS-Agents-SWO \ From b5a64f4dd65099f6a76d5bd03152df8de39b2d5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Th=C3=A9riault?= Date: Mon, 22 Jun 2026 12:20:36 -0400 Subject: [PATCH 6/6] fix stupid copilot spacing --- .github/workflows/release.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5225bb8..26c2139 100644 
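Review bot: On the `cargo build` step the new gate is written after the command (`- run: cargo build` followed by `if: matrix.language == 'rust'`), and the moved toolchain step likewise puts `uses:` before `if:`; both read more clearly with the condition first, `- if: matrix.language == 'rust'` then `run: cargo build`, so a reader sees when the step runs before what it runs. Separately, it is worth confirming against the codeql-action documentation for Rust whether the Rust extractor consumes the output of `cargo build` at all; if it does not, the build step only adds compile time to the `rust` matrix entry and could be dropped rather than gated.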
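Review bot: The reindented `reversinglabs/rl-scanner-cloud rl-scan \` line still names the image with no tag or digest, so each run pulls whatever the registry's default tag currently resolves to and hands it the portal token and the release artifact. Pinning by digest, `reversinglabs/rl-scanner-cloud@sha256:<image-digest>` with the digest taken from the registry at review time, makes the scanner image itself part of what this workflow review covers, and a comment naming the corresponding version keeps the pin maintainable.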
--- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -205,8 +205,8 @@ jobs: - name: RL Scan run: | docker run --rm -v "${{ github.workspace }}:/workspace" \ - -e RLPORTAL_ACCESS_TOKEN="${{ secrets.RLPORTAL_ACCESS_TOKEN }}" \ - reversinglabs/rl-scanner-cloud rl-scan \ + -e RLPORTAL_ACCESS_TOKEN="${{ secrets.RLPORTAL_ACCESS_TOKEN }}" \ + reversinglabs/rl-scanner-cloud rl-scan \ --rl-portal-server solarwinds \ --rl-portal-org SolarWinds \ --rl-portal-group SaaS-Agents-SWO \