Skip to content

[codex] Add nightly security sweep#195

Open
jeremi wants to merge 1 commit into
mainfrom
codex/nightly-security-ci
Open

[codex] Add nightly security sweep#195
jeremi wants to merge 1 commit into
mainfrom
codex/nightly-security-ci

Conversation

@jeremi

@jeremi jeremi commented Jul 4, 2026

Copy link
Copy Markdown
Member

Summary

Adds a root Nightly Security GitHub Actions workflow that keeps the normal PR/push gate fast while running heavier security assurance and fuzz smoke checks on a nightly schedule.

The scheduled run restores the last successful checked SHA from the workflow cache and skips when no relevant security or fuzz surface changed. Manual dispatch always runs the sweep.

What runs

  • Relay exposure manifest and Dockerfile secret-copy checks.
  • Notary Dockerfile secret-copy and OpenAPI baseline checks.
  • Notary request-body fuzz smoke.
  • Platform auth/OID4VCI/SD-JWT fuzz smoke.
  • Fuzz crash artifact upload on failure.

Notes

The workflow intentionally does not add these checks to every PR or push. It also leaves the existing Notary full manifest assurance check out of scope because that product-local check currently has a monorepo path issue for enforcement-test references; the deterministic Notary checks that are green locally are included.

Checks

  • ruby -e 'require "yaml"; YAML.load_file(ARGV.fetch(0)); puts "yaml ok"' .github/workflows/nightly-security.yml
  • actionlint .github/workflows/nightly-security.yml
  • git diff --check
  • python3 -m unittest crates/registry-relay/tests/security_assurance_check_test.py crates/registry-relay/tests/advisory_baseline_check_test.py products/notary/tests/security_assurance_check_test.py products/notary/tests/advisory_baseline_check_test.py
  • (cd crates/registry-relay && python3 scripts/check_security_assurance.py manifest && python3 scripts/check_security_assurance.py dockerfile-secrets)
  • (cd products/notary && python3 scripts/check_security_assurance.py dockerfile-secrets && python3 scripts/check_security_assurance.py openapi-baseline)
  • (cd products/notary && cargo +nightly fuzz list --fuzz-dir fuzz)
  • (cd products/notary && cargo +nightly fuzz list --fuzz-dir ../platform/fuzz)

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 04b3df8a73

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

crates/registry-platform-oid4vci/*|crates/registry-platform-sdjwt/*)
return 0
;;
products/notary/*|products/platform/*|release/docker/*)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Scan release Dockerfiles before marking them covered

When the only relevant change is under release/docker/, this classifier schedules the nightly sweep, but the assurance job only runs dockerfile-secrets in crates/registry-relay and products/notary. Those checkers scan only their local Dockerfiles (crates/registry-relay/scripts/check_security_assurance.py:357-358 and products/notary/scripts/check_security_assurance.py:353-354), while the release workflow builds release/docker/Dockerfile.registry-* (.github/workflows/release.yml:363-365), so secret-copy regressions in the release images are never checked by the new sweep. Add those release Dockerfiles to a scan or stop treating this path as covered.

Useful? React with 👍 / 👎.

crates/registry-platform-authcommon/*|crates/registry-platform-crypto/*)
return 0
;;
crates/registry-platform-oid4vci/*|crates/registry-platform-sdjwt/*)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Include replay changes in the security sweep

When a commit only touches crates/registry-platform-replay/..., this classifier falls through and the nightly sweep is skipped, even though registry-platform-oid4vci depends on that crate for replay handling (crates/registry-platform-oid4vci/Cargo.toml:16) and both fuzz lockfiles pull it in (products/platform/fuzz/Cargo.lock:1018, products/notary/fuzz/Cargo.lock:1548). In that context replay-protection changes bypass the nightly OID4VCI/Notary fuzz smoke entirely, so add crates/registry-platform-replay/* to the relevant path set.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant