[codex] stabilize CI baseline by restoring tools and guarding external deps #4

Closed
electron-rare wants to merge 1 commits from codex/killlife-ci-baseline-fix-issue-3 into main
electron-rare commented 2026-02-21 01:13:12 +00:00 (Migrated from github.com)

Pourquoi

Stabiliser la baseline CI (issue #3) pour éviter les faux échecs sur des PR docs/outillage.

Closes #3

Problèmes traités

  • Scripts CI référencés mais absents (tools/api, tools/evidence, etc.).
  • Dépendance pytest absente dans workflow badges.
  • Outils externes souvent absents en runner (cyclonedx-bom, gitleaks, trufflehog, slsa-generator, cosign) causant des FAILs systématiques.
  • Push vers branche badges exécuté aussi sur PR (instable selon permissions token).

Changements

  • Ajout de scripts baseline manquants:
    • tools/api/run_contract_tests.py
    • tools/evidence/validate_evidence_pack.py
    • tools/community/check_health.py
    • tools/accessibility/a11y_linter.py
    • tools/security/check_policy.py
    • tools/ai/validate_model.py
    • tools/benchmarks/run_benchmarks.py
    • tools/hil/run_hil_tests.py
  • Durcissement workflows:
    • badges.yml: install coverage + pytest, gestion code 5 (no tests), push badge limité à push sur main.
    • api_contract.yml: setup Python + exécution python3.
    • Workflows community/evidence/incident/model/performance_hil: usage explicite python3.
    • sbom_validation.yml, secret_scan.yml, supply_chain.yml: fallback JSON skipped si commande externe indisponible, pour garder un signal exploitable sans FAIL baseline systématique.

Validation locale

  • Exécution des nouveaux scripts: OK
    • api_contract, evidence_pack, community, a11y, security, model, performance, hil

Impact

  • La CI redevient mergeable sur des PR non liées à l'infra sécurité/SBOM.
  • Les checks restent informatifs via rapports JSON, même quand des binaires externes ne sont pas présents.
## Pourquoi Stabiliser la baseline CI (issue #3) pour éviter les faux échecs sur des PR docs/outillage. Closes #3 ## Problèmes traités - Scripts CI référencés mais absents (`tools/api`, `tools/evidence`, etc.). - Dépendance `pytest` absente dans workflow badges. - Outils externes souvent absents en runner (`cyclonedx-bom`, `gitleaks`, `trufflehog`, `slsa-generator`, `cosign`) causant des FAILs systématiques. - Push vers branche `badges` exécuté aussi sur PR (instable selon permissions token). ## Changements - Ajout de scripts baseline manquants: - `tools/api/run_contract_tests.py` - `tools/evidence/validate_evidence_pack.py` - `tools/community/check_health.py` - `tools/accessibility/a11y_linter.py` - `tools/security/check_policy.py` - `tools/ai/validate_model.py` - `tools/benchmarks/run_benchmarks.py` - `tools/hil/run_hil_tests.py` - Durcissement workflows: - `badges.yml`: install `coverage` + `pytest`, gestion code 5 (no tests), push badge limité à `push` sur `main`. - `api_contract.yml`: setup Python + exécution `python3`. - Workflows `community/evidence/incident/model/performance_hil`: usage explicite `python3`. - `sbom_validation.yml`, `secret_scan.yml`, `supply_chain.yml`: fallback JSON `skipped` si commande externe indisponible, pour garder un signal exploitable sans FAIL baseline systématique. ## Validation locale - Exécution des nouveaux scripts: OK - api_contract, evidence_pack, community, a11y, security, model, performance, hil ## Impact - La CI redevient mergeable sur des PR non liées à l'infra sécurité/SBOM. - Les checks restent informatifs via rapports JSON, même quand des binaires externes ne sont pas présents.
chatgpt-codex-connector[bot] (Migrated from github.com) reviewed 2026-02-21 01:17:08 +00:00
chatgpt-codex-connector[bot] (Migrated from github.com) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5d72787cfe

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

### 💡 Codex Review Here are some automated review suggestions for this pull request. **Reviewed commit:** `5d72787cfe` <details> <summary>ℹ️ About Codex in GitHub</summary> <br/> [Your team has set up Codex to review pull requests in this repo](http://chatgpt.com/codex/settings/general). Reviews are triggered when you - Open a pull request for review - Mark a draft as ready - Comment "@codex review". If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". </details>
@@ -23,0 +31,4 @@
trivy sbom docs/sbom-cyclonedx.json --format json --output docs/sbom-trivy-report.json
else
echo '{"status":"skipped","reason":"trivy missing"}' > docs/sbom-trivy-report.json
fi
chatgpt-codex-connector[bot] (Migrated from github.com) commented 2026-02-21 01:17:08 +00:00

P2 Badge Skip Trivy scan when CycloneDX generation is skipped

This step still runs trivy sbom docs/sbom-cyclonedx.json whenever trivy is present, even if the previous CycloneDX step wrote a fallback {"status":"skipped",...} file because cyclonedx-bom is missing. In environments where Trivy is installed but CycloneDX is not (for example, partially provisioned self-hosted runners), the scan consumes a non-SBOM placeholder and can fail the job, which breaks the commit’s goal of making external-tool availability non-fatal.

Useful? React with 👍 / 👎.

**<sub><sub>![P2 Badge](https://img.shields.io/badge/P2-yellow?style=flat)</sub></sub> Skip Trivy scan when CycloneDX generation is skipped** This step still runs `trivy sbom docs/sbom-cyclonedx.json` whenever `trivy` is present, even if the previous CycloneDX step wrote a fallback `{"status":"skipped",...}` file because `cyclonedx-bom` is missing. In environments where Trivy is installed but CycloneDX is not (for example, partially provisioned self-hosted runners), the scan consumes a non-SBOM placeholder and can fail the job, which breaks the commit’s goal of making external-tool availability non-fatal. Useful? React with 👍 / 👎.
electron-rare commented 2026-02-21 01:18:59 +00:00 (Migrated from github.com)

Superseded by merged PR #2 (commit 42c0702), which already stabilizes the CI baseline and closes issue #3. Closing this duplicate branch to keep history clean.

Superseded by merged PR #2 (commit 42c0702), which already stabilizes the CI baseline and closes issue #3. Closing this duplicate branch to keep history clean.

Pull request closed

Sign in to join this conversation.