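# Composite GitHub Action wrapping the `releaseguard` CLI: optional hardening
# and obfuscation, a policy check that produces a report, optional SBOM and
# signing, and an upload of the `.releaseguard/` evidence bundle.
#
# All action inputs are handed to shell steps through `env:` and expanded by
# the shell as "$INPUT_*" variables rather than being written into the script
# with `${{ inputs.* }}`; that way a caller-supplied value is data, not part of
# the command text.
name: Artifact Policy Engine
description: Scan, harden, sign, and verify release artifacts before they ship.
author: Helixar AI

branding:
  icon: shield
  color: blue

inputs:
  path:
    description: Path to artifact directory or archive to scan
    required: false
    default: ./dist
  config:
    description: Path to .releaseguard.yml config file
    required: false
    default: .releaseguard.yml
  # NOTE: fail-on is NOT a CLI flag. Severity gating is configured via
  # policy.fail-on in .releaseguard.yml. This input is kept for documentation
  # purposes only and does not affect CLI behaviour.
  fail-on:
    description: >
      Severity levels that fail the build (critical, high, medium, low).
      Configure this in .releaseguard.yml under policy.fail-on — the CLI
      reads it from config, not from a command-line flag.
    required: false
    default: critical,high
  sbom:
    description: Generate a Software Bill of Materials
    required: false
    default: "false"
  fix:
    description: Apply safe hardening transforms before scanning
    required: false
    default: "false"
  obfuscation:
    description: Obfuscation level (none, light — medium/aggressive require Cloud)
    required: false
    default: none
  sign:
    description: Sign the artifact after scanning (keyless, local, none)
    required: false
    default: none
  format:
    description: Report format (cli, json, sarif, html)
    required: false
    default: sarif
  create-issues:
    description: >
      Automatically create a GitHub issue when critical vulnerabilities are
      found. Requires the workflow token to have issues:write permission.
    required: false
    default: "false"
  token:
    description: ReleaseGuard Cloud API token (optional — enables Cloud features)
    required: false
    default: ""
  artifact-name:
    description: >
      Name for the uploaded evidence bundle artifact. Override when calling
      ReleaseGuard multiple times in the same workflow run to avoid 409 conflicts.
    required: false
    default: releaseguard-evidence

outputs:
  result:
    description: Policy result (pass, warn, fail)
    value: ${{ steps.check.outputs.result }}
  report-path:
    description: Path to generated report file
    value: ${{ steps.check.outputs.report-path }}
  evidence-dir:
    description: Path to evidence bundle directory
    # Fixed rather than read from the check step so it is set even when an
    # earlier step fails and the check step never runs.
    value: .releaseguard

runs:
  using: composite
  steps:
    - name: Install releaseguard
      shell: bash
      # The installer is fetched from the upstream `main` branch and piped to
      # `sh`, so the code executed here can change between runs. Pinning the
      # URL to a release tag or commit SHA (<PINNED_REF>) makes the installed
      # tool reproducible and reviewable.
      run: |
        # $HOME/.local/bin is not pre-created on GitHub-hosted runners.
        mkdir -p "$HOME/.local/bin"
        curl -sSfL https://raw.githubusercontent.com/Helixar-AI/ReleaseGuard/main/scripts/install.sh | sh
        echo "$HOME/.local/bin" >> "$GITHUB_PATH"

    - name: Apply hardening transforms
      if: inputs.fix == 'true'
      shell: bash
      env:
        INPUT_PATH: ${{ inputs.path }}
        INPUT_CONFIG: ${{ inputs.config }}
      run: releaseguard fix "$INPUT_PATH" --config "$INPUT_CONFIG"

    - name: Apply obfuscation
      if: inputs.obfuscation != 'none'
      shell: bash
      env:
        INPUT_PATH: ${{ inputs.path }}
        INPUT_LEVEL: ${{ inputs.obfuscation }}
      run: releaseguard obfuscate "$INPUT_PATH" --level "$INPUT_LEVEL"

    - name: Run releaseguard check
      id: check
      shell: bash
      env:
        INPUT_PATH: ${{ inputs.path }}
        INPUT_CONFIG: ${{ inputs.config }}
        INPUT_FORMAT: ${{ inputs.format }}
        # The workflow token is only exposed to the CLI when issue creation
        # was requested; otherwise the variable is empty.
        GITHUB_TOKEN: ${{ inputs.create-issues == 'true' && github.token || '' }}
      run: |
        # The report file takes the requested format as its extension.
        REPORT=".releaseguard/report.${INPUT_FORMAT}"
        # Capture exit code so we always write outputs even on policy failure.
        releaseguard check "$INPUT_PATH" \
          --config "$INPUT_CONFIG" \
          --format "$INPUT_FORMAT" \
          --out "$REPORT" || CHECK_EXIT=$?
        echo "report-path=${REPORT}" >> "$GITHUB_OUTPUT"
        echo "evidence-dir=.releaseguard" >> "$GITHUB_OUTPUT"
        # Propagate the CLI's non-zero status after the outputs are written so
        # the job fails but `result`/`report-path` remain available to callers.
        if [ "${CHECK_EXIT:-0}" -ne 0 ]; then
          echo "result=fail" >> "$GITHUB_OUTPUT"
          exit "${CHECK_EXIT}"
        fi
        echo "result=pass" >> "$GITHUB_OUTPUT"

    - name: Generate SBOM
      # always(): the SBOM is produced even when the policy check failed.
      if: always() && inputs.sbom == 'true'
      shell: bash
      env:
        INPUT_PATH: ${{ inputs.path }}
        INPUT_CONFIG: ${{ inputs.config }}
      run: releaseguard sbom "$INPUT_PATH" --config "$INPUT_CONFIG"

    - name: Sign artifact
      # Not gated with always(): if the check step failed, this step is
      # skipped and the artifact is left unsigned.
      if: inputs.sign != 'none'
      shell: bash
      env:
        INPUT_PATH: ${{ inputs.path }}
        INPUT_MODE: ${{ inputs.sign }}
      run: releaseguard sign "$INPUT_PATH" --mode "$INPUT_MODE"

    - name: Upload evidence bundle
      if: always()
      # Pinned to a major tag; pinning to a commit SHA is the stronger option
      # for an action that handles the evidence bundle.
      uses: actions/upload-artifact@v4
      with:
        name: ${{ inputs.artifact-name }}
        path: .releaseguard/
        if-no-files-found: warn
        # `.releaseguard/` is a dot-directory, which upload-artifact v4 skips
        # unless hidden files are explicitly included.
        include-hidden-files: true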