37 changes: 11 additions & 26 deletions .github/workflows/custodian-audit.yml
Expand Up @@ -29,35 +29,20 @@ jobs:
fi

- name: Materialize boundary artifact file
# Decode the boundary disclosure artifact from the base64 CONTENT secret
# REPOGRAPH_BOUNDARY_ARTIFACT_B64 (the older *_FILE path secret cannot resolve
# on a CI runner). Graceful: skip if absent (B2 flags it if required).
env:
REPOGRAPH_BOUNDARY_ARTIFACT_SOURCE: ${{ secrets.REPOGRAPH_BOUNDARY_ARTIFACT_FILE }}
REPOGRAPH_BOUNDARY_ARTIFACT_B64: ${{ secrets.REPOGRAPH_BOUNDARY_ARTIFACT_B64 }}
run: |
if [ -z "${REPOGRAPH_BOUNDARY_ARTIFACT_SOURCE:-}" ]; then
echo "Missing REPOGRAPH_BOUNDARY_ARTIFACT_FILE secret" >&2
exit 1
if [ -z "${REPOGRAPH_BOUNDARY_ARTIFACT_B64:-}" ]; then
echo "REPOGRAPH_BOUNDARY_ARTIFACT_B64 not set — skipping (B2 flags if required)."
exit 0
fi
tmp_file="$(mktemp "${RUNNER_TEMP:-/tmp}/repograph-boundary-XXXXXX.json")"
python - "$REPOGRAPH_BOUNDARY_ARTIFACT_SOURCE" "$tmp_file" <<'PY'
import json
import shutil
import sys
import urllib.request
from pathlib import Path

source = sys.argv[1]
dest = Path(sys.argv[2])
src_path = Path(source)
if src_path.is_file():
shutil.copyfile(src_path, dest)
elif source.startswith(("http://", "https://")):
with urllib.request.urlopen(source) as response, dest.open("wb") as fh:
shutil.copyfileobj(response, fh)
else:
raise SystemExit(f"Unsupported boundary artifact source: {source}")
data = json.loads(dest.read_text(encoding="utf-8"))
print(f"boundary_provenance={data.get('source_graph_id')}@{data.get('source_ref_or_commit')}")
PY
echo "REPOGRAPH_BOUNDARY_ARTIFACT_FILE=$tmp_file" >> "$GITHUB_ENV"
dest="$(mktemp "${RUNNER_TEMP:-/tmp}/repograph-boundary-XXXXXX.json")"
printf '%s' "$REPOGRAPH_BOUNDARY_ARTIFACT_B64" | base64 -d > "$dest"
echo "REPOGRAPH_BOUNDARY_ARTIFACT_FILE=$dest" >> "$GITHUB_ENV"
- name: Run Custodian audit
run: |
git config core.hooksPath .hooks
custodian-multi --repos . --fail-on-findings --no-color
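Review bot: The rewrite of the materialize step drops the content check the old Python path did: after `base64 -d > "$dest"` nothing verifies that the decoded bytes are the JSON boundary artifact, and the `boundary_provenance=` line that recorded which source graph and ref the audit ran against is gone from the job log. GitHub's default bash for `run` sets `-e` and `pipefail`, so a decode *error* still fails the step, but a secret holding the wrong value, a truncated paste, or plain text that happens to be valid base64 decodes cleanly into a file that `custodian-multi` then consumes later with no trace of what it was. Since the audit runs with `--fail-on-findings`, I would rather fail here than let a corrupt artifact shape the findings, and keep the provenance echo so the log remains attestable. The skip-if-absent branch is a deliberate fail-open; if the workflow ever runs on `pull_request` from a fork (where secrets are empty) the audit will silently proceed without a boundary artifact, which is worth a sentence in the step comment (e.g. `# NOTE: secrets are unavailable to fork PRs, so the audit runs without a boundary artifact there`) if that is acceptable.

```yaml
          dest="$(mktemp "${RUNNER_TEMP:-/tmp}/repograph-boundary-XXXXXX.json")"
          printf '%s' "$REPOGRAPH_BOUNDARY_ARTIFACT_B64" | base64 -d > "$dest"
          # Fail fast on a corrupt/wrong secret and record provenance in the job log.
          python - "$dest" <<'PY'
          import json, sys
          with open(sys.argv[1], encoding="utf-8") as fh:
              data = json.load(fh)
          print(f"boundary_provenance={data.get('source_graph_id')}@{data.get('source_ref_or_commit')}")
          PY
          # … unchanged: export REPOGRAPH_BOUNDARY_ARTIFACT_FILE via GITHUB_ENV …
```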