[codex] Add external guardrails catalog and runtime controls #267
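# CI for the cli, dashboard-ui, ledger and control-plane entries plus a
# repo-wide secret scan. Each build/test job is gated on which paths the
# push or PR actually touched (see the `changes` job).
#
# Supply-chain notes (review):
#   * Every third-party action below is referenced by a mutable tag or branch
#     (`@v3`, `@v2`, `@stable`). A moved tag silently changes the code that
#     runs with this repo's job token; pin each `uses:` to a full commit SHA
#     (keep the tag in a trailing comment) and let Dependabot/Renovate bump it.
#   * The workflow token is read-only (`permissions` below) and no job raises
#     it, so a compromised step can read but not push, publish or comment.
#   * Nothing from `${{ ... }}` is interpolated into a `run:` script; the one
#     expression value a script needs (`WORKSPACE`) is handed over via `env`.
name: ci

on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches: [main]

# One in-flight run per ref: a newer push cancels the run it supersedes.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

# Least privilege for GITHUB_TOKEN; nothing in this workflow writes back.
permissions:
  contents: read
  pull-requests: read

jobs:
  changes:
    name: detect touched entries
    runs-on: ubuntu-latest
    outputs:
      cli: ${{ steps.filter.outputs.cli }}
      dashboard_ui: ${{ steps.filter.outputs['dashboard-ui'] }}
      ledger: ${{ steps.filter.outputs.ledger }}
      control_plane: ${{ steps.filter.outputs['control-plane'] }}
      gitleaks: ${{ steps.filter.outputs.gitleaks }}
    steps:
      # Credentials stay persisted in this job only: paths-filter may need to
      # fetch the base ref on push events, which a private repo can't do
      # anonymously. Nothing else runs here, so the exposure is minimal.
      - uses: actions/checkout@v6
      # The `control-plane` filter also matches `ledger/**` because that job
      # links the ledger staticlib; `gitleaks` matches `**`, so the secret
      # scan runs whenever any file at all changed.
      - id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            cli:
              - "cli/**"
              - ".github/workflows/ci.yml"
            dashboard-ui:
              - "control-plane/dashboard-ui/**"
              - ".github/workflows/ci.yml"
            ledger:
              - "ledger/**"
              - ".github/workflows/ci.yml"
            control-plane:
              - "control-plane/**"
              - "ledger/**"
              - ".github/workflows/ci.yml"
            gitleaks:
              - "**"

  cli:
    name: cli (bun typecheck + tests)
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.cli == 'true'
    steps:
      - uses: actions/checkout@v6
        with:
          # Don't leave the job token in .git/config where every later step
          # (including anything `bun install` or the tests execute) can read it.
          persist-credentials: false
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3"
      - name: Cache bun
        uses: actions/cache@v5
        with:
          path: ~/.bun/install/cache
          # Hash whichever lockfile format the project uses: hashFiles() of a
          # single absent path yields "", which would collapse every run onto
          # one shared cache key.
          key: bun-cli-${{ runner.os }}-${{ hashFiles('cli/bun.lock', 'cli/bun.lockb') }}
          restore-keys: bun-cli-${{ runner.os }}-
      # --frozen-lockfile: fail instead of silently re-resolving a stale lockfile.
      - working-directory: cli
        run: bun install --frozen-lockfile
      - working-directory: cli
        run: bun run typecheck
      - working-directory: cli
        run: bun test

  dashboard-ui:
    name: dashboard-ui (typecheck + build)
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.dashboard_ui == 'true'
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3"
      - name: Cache bun
        uses: actions/cache@v5
        with:
          path: ~/.bun/install/cache
          key: bun-dashboard-${{ runner.os }}-${{ hashFiles('control-plane/dashboard-ui/bun.lock', 'control-plane/dashboard-ui/bun.lockb') }}
          restore-keys: bun-dashboard-${{ runner.os }}-
      - working-directory: control-plane/dashboard-ui
        run: bun install --frozen-lockfile
      - working-directory: control-plane/dashboard-ui
        run: bun run typecheck
      - working-directory: control-plane/dashboard-ui
        run: bun run build

  ledger:
    name: ledger (cargo test)
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.ledger == 'true'
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      # `stable` floats: both the action ref and the toolchain it installs move
      # over time. A rust-toolchain.toml in ledger/ would make builds reproducible.
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: ledger
      # --locked: refuse to resolve new dependency versions when Cargo.lock is
      # out of date, so CI tests exactly the dependency set that is committed.
      - working-directory: ledger
        run: cargo test --locked --all-features

  control-plane:
    name: control-plane (go vet + go test -race)
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.control_plane == 'true'
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: control-plane/go.mod
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: ledger
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.3"
      # --locked for the same reason as in the ledger job: the staticlib linked
      # into the Go tests must come from the committed Cargo.lock.
      - name: Build ledger staticlib
        working-directory: ledger
        run: cargo build --locked --release --lib
      - name: Build dashboard
        working-directory: control-plane/dashboard-ui
        run: |
          bun install --frozen-lockfile
          bun run build
      - name: go vet + test
        working-directory: control-plane
        env:
          CGO_ENABLED: "1"
          # Handed to the script through env rather than interpolated into it.
          WORKSPACE: ${{ github.workspace }}
        run: |
          set -euo pipefail
          # Prefer static linking of the ledger so the test binaries don't
          # need libopenagentlock_ledger.so on LD_LIBRARY_PATH at runtime.
          export CGO_CFLAGS="-I${WORKSPACE}/ledger/include"
          export CGO_LDFLAGS="-L${WORKSPACE}/ledger/target/release -l:libopenagentlock_ledger.a -ldl -lpthread -lm"
          # Belt + suspenders: also set LD_LIBRARY_PATH for any runtime
          # consumer that did pick up the dylib.
          export LD_LIBRARY_PATH="${WORKSPACE}/ledger/target/release${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
          go vet ./...
          go test -race ./...

  gitleaks:
    name: gitleaks (secret scan)
    runs-on: ubuntu-latest
    needs: changes
    if: needs.changes.outputs.gitleaks == 'true'
    steps:
      - uses: actions/checkout@v6
        with:
          # Full history: `gitleaks detect` scans every commit, not just HEAD.
          fetch-depth: 0
          persist-credentials: false
      - name: Install gitleaks
        env:
          GITLEAKS_VERSION: "8.21.2"
        run: |
          set -euo pipefail
          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          archive="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          cd /tmp
          # --proto '=https' refuses any redirect that would leave HTTPS.
          curl -sSfL --proto '=https' --retry 3 "${base}/${archive}" -o "${archive}"
          curl -sSfL --proto '=https' --retry 3 \
            "${base}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" -o checksums.txt
          # Verify the archive before executing anything from it. The checksums
          # file ships with the same release, so this catches a corrupted or
          # substituted download but not a compromised release; pinning the
          # expected sha256 of the archive in this workflow would be stronger.
          # --ignore-missing still fails if the archive name matched no entry.
          sha256sum --ignore-missing --check checksums.txt
          tar -xzf "${archive}" gitleaks
          sudo install -m 0755 gitleaks /usr/local/bin/gitleaks
          gitleaks version
      # --redact keeps matched secret values out of the job log; the job still
      # fails (non-zero exit) when a leak is found.
      - run: gitleaks detect --no-banner --redact --verbose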