diff --git a/.github/scripts/security.cjs b/.github/scripts/security.cjs
index f403f3b..3c71c3b 100644
--- a/.github/scripts/security.cjs
+++ b/.github/scripts/security.cjs
@@ -23,8 +23,8 @@ class SecurityReport {
 this.locales = {
 zh: {
- filename: 'README_CN.md',
- switcher: '[English](README.md) | 中文',
+ filename: 'security-report-cn.md',
+ switcher: '[English](security-report.md) | 中文',
 title: '🛡️ 安全审计与透明度报告',
 grade: '安全评级',
 important: '> [!IMPORTANT]\n> 本报告由 **GitHub Actions** 自动生成。为确保数据主权的绝对透明度,所有核心模块的安全扫描结果均实时公开。',
@@ -75,8 +75,8 @@ class SecurityReport {
 trivySafe: '✅ **安全**:未发现容器配置缺陷。'
 },
 en: {
- filename: 'README.md',
- switcher: 'English | [中文](README_CN.md)',
+ filename: 'security-report.md',
+ switcher: 'English | [中文](security-report-cn.md)',
 title: '🛡️ Security Audit & Transparency Report',
 grade: 'Security Grade',
 important: '> [!IMPORTANT]\n> This report is automatically generated by **GitHub Actions**. To ensure absolute transparency of data sovereignty, all core module security scan results are made public in real-time.',
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index c0b47bc..7efea47 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -13,7 +13,7 @@ jobs:
 scan:
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read
 security-events: write
 actions: read
 env:
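Review bot: The `switcher` string in each locale spells out the other locale's filename a second time — `switcher: '[English](security-report.md) | 中文'` here and `switcher: 'English | [中文](security-report-cn.md)'` in the @@ -75 hunk — so this one rename had to touch four literals in this file plus the two `cat` lines in the workflow, and the next rename can leave one of them pointing at a file that no longer exists. A single `const REPORT_FILES = { en: 'security-report.md', zh: 'security-report-cn.md' };` declared before the class, with `filename: REPORT_FILES.zh` and the link text built from `REPORT_FILES.en`, would keep both sides consistent by construction. The `this.locales = {` assignment sits inside a method (presumably the constructor) whose start and end lie outside both hunks.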
@@ -103,17 +103,15 @@ jobs:
 trivy config . --format json --output trivy_result.json --severity CRITICAL,HIGH || true
 - name: Generate Security Report
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 # Gitleaks typically produces results.sarif if configured or by default in some versions
 # We'll ensure it exists for our reporter
 node .github/scripts/security.cjs
 # Also append to step summary for immediate visibility in GHA UI
- cat README.md >> $GITHUB_STEP_SUMMARY
+ cat security-report.md >> $GITHUB_STEP_SUMMARY
 echo -e "\n---\n" >> $GITHUB_STEP_SUMMARY
- cat README_CN.md >> $GITHUB_STEP_SUMMARY
+ cat security-report-cn.md >> $GITHUB_STEP_SUMMARY
 - name: Upload Gitleaks Results to GitHub Security
 uses: github/codeql-action/upload-sarif@v3
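Review bot: The comment `# We'll ensure it exists for our reporter` above `node .github/scripts/security.cjs` promises a check the step never performs — no line in the `run:` block creates or tests for `results.sarif` — so it reads as a leftover from an earlier revision and will mislead whoever next debugs a missing Gitleaks section in the report. Either add the guard it describes or reword it to what the step actually does, e.g. `# Render the bilingual report from whatever scanner outputs are present; results.sarif may be absent` (hedged: how the reporter treats a missing file is not visible here). The redirections `>> $GITHUB_STEP_SUMMARY` on the renamed `cat` lines should quote the variable, `>> "$GITHUB_STEP_SUMMARY"`, like the other shell in this file does. Dropping the per-step `GITHUB_TOKEN` env is consistent with the job's new `contents: read`, since nothing in this step needs the token any more.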
@@ -122,30 +120,17 @@ jobs:
 sarif_file: results.sarif
 category: gitleaks
- - name: Push to Audit Branch
- if: github.event_name != 'pull_request'
- run: |
- mkdir audit_temp
- cp README.md audit_temp/
- cp README_CN.md audit_temp/
- [ -f "snyk_result.txt" ] && cp snyk_result.txt audit_temp/
- [ -f "snyk_result.json" ] && cp snyk_result.json audit_temp/
-
- # Collect all SARIF files with descriptive names
- [ -f "results.sarif" ] && cp results.sarif audit_temp/Gitleaks_results.sarif
- if [ -d "sarif-results" ]; then
- for f in sarif-results/*.sarif; do
- [ -f "$f" ] && cp "$f" "audit_temp/CodeQL_$(basename "$f")"
- done
- fi
-
- cd audit_temp
- git init
- git config --local user.email "action@github.com"
- git config --local user.name "GitHub Action"
- git checkout --orphan security-audit
-
- git add .
- git commit -m "chore: archive security report and raw data [skip ci]"
- git remote add origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}
- git push -f origin security-audit
\ No newline at end of file
+ - name: Upload Security Report Artifacts
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: security-report
+ if-no-files-found: ignore
+ path: |
+ security-report.md
+ security-report-cn.md
+ snyk_result.txt
+ snyk_result.json
+ trivy_result.json
+ results.sarif
+ sarif-results/*.sarif
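Review bot: The `path:` list ships raw scanner output — `results.sarif` from Gitleaks, `snyk_result.json`, `trivy_result.json`, `sarif-results/*.sarif` — as a workflow artifact that anyone with read access to the repository can download, and `if: always()` uploads it even after an earlier step failed, so the finding data the removed push-to-`security-audit` step used to publish is still published, only through a different channel. A Gitleaks SARIF result usually carries the matched secret text in its region snippet, which means the artifact can expose the very credential the scan flagged; confirm against an actual `results.sarif` produced by this workflow before relying on the upload as-is. Since `results.sarif` already goes to code scanning in the preceding upload-sarif step and both `.md` reports are already written to the step summary, consider dropping `results.sarif` from `path:` and adding `retention-days: 7` (or whatever the audit need is) under `with:` so the remaining raw files do not sit at the 90-day default. The new step references the action by the mutable tag `actions/upload-artifact@v4`, as the existing `upload-sarif@v3` does; pinning to a commit SHA would make this step reproducible.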