feat(philosophy): expand to 12-principle QWED constitution + CI boundary gate #460
| # Snyk Security Scan | |
| # Runs on PRs and pushes to main branch | |
| # Enterprise license via Snyk Open Source Program | |
| name: Snyk Security | |
| on: | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| # Run weekly security scan every Monday at 9 AM UTC | |
| - cron: '0 9 * * 1' | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| snyk-dependencies: | |
| name: Snyk Dependency Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install Snyk CLI | |
| run: npm install -g snyk | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -e ".[full]" | |
| - name: Run Snyk to check for vulnerabilities | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: snyk test --org=${{ secrets.SNYK_ORG_ID }} --severity-threshold=high --sarif-file-output=snyk.sarif | |
| - name: Upload Snyk results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() && hashFiles('snyk.sarif') != '' | |
| with: | |
| sarif_file: snyk.sarif | |
| snyk-code: | |
| name: Snyk Code Analysis (SAST) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Snyk CLI | |
| run: npm install -g snyk | |
| - name: Run Snyk Code test | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: snyk code test --org=${{ secrets.SNYK_ORG_ID }} --sarif-file-output=snyk-code.sarif | |
| - name: Upload Snyk Code results | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() && hashFiles('snyk-code.sarif') != '' | |
| with: | |
| sarif_file: snyk-code.sarif |
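Review bot: The header comment says the workflow "Runs on PRs and pushes to main branch", but the `on:` block only has `pull_request` (branches main) and a weekly `schedule`, so a direct push to main is never scanned; either add `push:` / `branches: [main]` alongside `pull_request`, or fix the comment so the trigger list and its description agree. Both the `snyk test` and `snyk code test` steps carry `continue-on-error: true`, so a finding at or above the `--severity-threshold=high` cutoff never fails the check and the scan is advisory only; if that is intended, say so in a comment next to the flag rather than leaving it to look like a blocking gate. For `pull_request` runs opened from forks, `secrets.SNYK_TOKEN` and `secrets.SNYK_ORG_ID` are empty, and the same `continue-on-error` also masks the resulting authentication failure, so such PRs show green while `hashFiles('snyk.sarif') != ''` quietly skips the SARIF upload. `npm install -g snyk` installs whatever CLI version is current at run time, so scans are not reproducible between runs; pinning it (`npm install -g snyk@<pinned-version>`, placeholder) is a small change that makes results comparable across the scheduled runs.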