import assert from "node:assert/strict";
import { readFile } from "node:fs/promises";
// Location of the Pages deployment workflow, resolved relative to this test
// file rather than to the process working directory.
const workflowRelativePath = "../.github/workflows/deploy-pages.yml";
const workflowPath = new URL(workflowRelativePath, import.meta.url);

// Raw YAML text of the workflow. Every check below is a plain string/regex
// search over this text; the file is never parsed as YAML.
const workflow = await readFile(workflowPath, { encoding: "utf8" });
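/**
 * Locate a workflow step by its exact `name:` value.
 *
 * Returns the offset of the step's `- name:` marker in the workflow text so
 * callers can compare step ordering and slice out a step's body. Only a
 * whole-line match counts: a lookup for "Foo" must not be satisfied by a step
 * named "Foo bar", which a bare `indexOf` would accept because the shorter
 * marker is a prefix of the longer one.
 *
 * @param {string} name - step name exactly as written in the workflow
 * @returns {number} index of the matching `- name:` marker
 * @throws {AssertionError} when no step with exactly that name exists
 */
function stepIndex(name) {
  const marker = `- name: ${name}`;
  let index = workflow.indexOf(marker);
  while (index !== -1) {
    const afterMarker = index + marker.length;
    const lineEnd = workflow.indexOf("\n", afterMarker);
    const trailing = workflow.slice(afterMarker, lineEnd === -1 ? undefined : lineEnd);
    // Only whitespace (or a CR) may follow the marker on its line; anything
    // else means this step has a longer name and is a prefix match.
    if (trailing.trim() === "") break;
    index = workflow.indexOf(marker, afterMarker);
  }
  assert.notEqual(index, -1, `missing workflow step: ${name}`);
  return index;
}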
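// Step ordering in the deploy workflow. The checksum manifest is meant to
// cover the detached feed signatures, so every *.sig must exist before the
// manifest is generated, and the manifest must be signed only after it has
// been regenerated; otherwise the published checksums.json.sig would attest
// to stale content.
const signFeedIndex = stepIndex("Sign advisory feed and verify");
const signGhsaIndex = stepIndex("Sign provisional GHSA feed and verify");
const generateChecksumsIndex = stepIndex("Generate advisory checksums manifest");
const signChecksumsIndex = stepIndex("Sign checksums and verify");

assert.ok(
  signFeedIndex < generateChecksumsIndex,
  "advisory checksums manifest must be generated after feed.json.sig is created",
);
assert.ok(
  signGhsaIndex < generateChecksumsIndex,
  "advisory checksums manifest must be generated after ghsa-without-cve.json.sig is created",
);
assert.ok(
  generateChecksumsIndex < signChecksumsIndex,
  "checksums signature must be generated after checksums.json is refreshed",
);

// The body of the generate step runs from its own marker up to the next
// step's marker. It must glob the detached signatures into the manifest, so
// that a consumer verifying checksums.json also detects a swapped .sig file.
const generateStepBody = workflow.slice(generateChecksumsIndex, signChecksumsIndex);
assert.match(
  generateStepBody,
  /public\/advisories\/\*\.json\.sig/,
  "advisory checksums manifest must include detached advisory signatures",
);

// Release-root mirror block: the feed and its signature are copied to the
// compatibility path that the suite docs/heartbeat reference.
const mirrorBlockMarker =
  "# Mirror advisories feed + signatures at the path referenced by suite docs/heartbeat";
const mirrorBlockIndex = workflow.indexOf(mirrorBlockMarker);
assert.notEqual(mirrorBlockIndex, -1, "missing advisory release mirror block");

// The mirror block ends where the checksums mirroring guard begins. Fail
// explicitly if that guard is missing: slice(start, -1) would otherwise run
// silently to the end of the file and make the matches below far less
// specific than intended.
const mirrorBlockEndMarker = 'if [ -f "public/checksums.json"';
const mirrorBlockEnd = workflow.indexOf(mirrorBlockEndMarker, mirrorBlockIndex);
assert.notEqual(
  mirrorBlockEnd,
  -1,
  "missing checksums mirror guard after advisory release mirror block",
);
const mirrorBlock = workflow.slice(mirrorBlockIndex, mirrorBlockEnd);

assert.match(
  mirrorBlock,
  /cp "public\/advisories\/ghsa-without-cve\.json" "\$MIRROR_LATEST_DIR\/ghsa-without-cve\.json"/,
  "GHSA provisional feed must be mirrored at the release-root compatibility path",
);
assert.match(
  mirrorBlock,
  /cp "public\/advisories\/ghsa-without-cve\.json\.sig" "\$MIRROR_LATEST_DIR\/ghsa-without-cve\.json\.sig"/,
  "GHSA provisional feed signature must be mirrored at the release-root compatibility path",
);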