15 changes: 12 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -61,6 +61,10 @@ jobs:
uses: golangci/golangci-lint-action@v7
with:
version: v2.1.6
# Build golangci-lint from source with the repo's Go toolchain: the
# prebuilt binaries are compiled with an older Go than the project's
# go directive (1.26.4), which golangci-lint refuses to run against.
install-mode: goinstall
working-directory: backend
args: --timeout=5m

Expand Down Expand Up @@ -132,10 +136,15 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
# Run the gitleaks binary directly rather than gitleaks/gitleaks-action,
# which now requires a paid license for organization-owned repos.
- name: Install gitleaks
run: |
VERSION=8.21.2
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
| tar -xz -C /usr/local/bin gitleaks
- name: gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gitleaks detect --source . --config .gitleaks.toml --redact --no-banner --exit-code 1

validate-dashboards:
runs-on: ubuntu-latest
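Review bot: The `Install gitleaks` step pipes the release tarball from `curl` straight into `tar -C /usr/local/bin` with no digest check, so the only thing pinning what the secrets scan executes is the URL in the `run:` block — a replaced release asset or a tampered download would run silently with the repository checked out at `fetch-depth: 0`. Pin the archive's SHA-256 next to `VERSION` (copied from the upstream release's published checksums) and verify it before extracting, as below; the hash shown is a placeholder to be filled in. Declaring `shell: bash` additionally turns on `pipefail` for the step, so its result no longer depends only on `tar`'s exit status. The job these steps belong to starts above the hunk.

```yaml
- name: Install gitleaks
  shell: bash
  run: |
    VERSION=8.21.2
    # SHA-256 of gitleaks_${VERSION}_linux_x64.tar.gz as published with the
    # upstream release; update this together with VERSION.
    EXPECTED_SHA256="<sha256-of-pinned-gitleaks-tarball>"  # placeholder
    curl -sSfL -o gitleaks.tar.gz \
      "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz"
    echo "${EXPECTED_SHA256}  gitleaks.tar.gz" | sha256sum -c -
    tar -xzf gitleaks.tar.gz -C /usr/local/bin gitleaks
    rm -f gitleaks.tar.gz
# … unchanged: the `gitleaks` step running `gitleaks detect …` …
```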
20 changes: 13 additions & 7 deletions .github/workflows/release.yml
@@ -1,9 +1,12 @@
name: Release

# Image publishing runs on version tags (and can be triggered manually), not on
# every push to main — building/pushing/scanning container images per commit is
# unnecessary and made ordinary commits show a red pipeline.
on:
push:
branches: [main]
tags: ['v*']
workflow_dispatch:

permissions:
contents: read
Expand All @@ -30,6 +33,9 @@ jobs:
- name: Extract metadata
id: meta
run: |
# ghcr requires the repository path to be lowercase; the owner may
# be mixed-case (e.g. "Corevice").
echo "image_base=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_OUTPUT"
if [[ "${{ github.ref_type }}" == "tag" ]]; then
echo "image_tag=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
echo "is_tag=true" >> "$GITHUB_OUTPUT"
Expand All @@ -45,15 +51,15 @@ jobs:
file: ./Dockerfile
push: true
tags: |
ghcr.io/${{ github.repository }}/web:sha-${{ github.sha }}
${{ steps.meta.outputs.is_tag == 'true' && format('ghcr.io/{0}/web:{1}', github.repository, github.ref_name) || '' }}
${{ steps.meta.outputs.image_base }}/web:sha-${{ github.sha }}
${{ steps.meta.outputs.is_tag == 'true' && format('{0}/web:{1}', steps.meta.outputs.image_base, github.ref_name) || '' }}
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Scan frontend image for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/open-git/web:sha-${{ github.sha }}
image-ref: ${{ steps.meta.outputs.image_base }}/web:sha-${{ github.sha }}
format: sarif
output: trivy-frontend.sarif
severity: HIGH,CRITICAL
Expand All @@ -78,15 +84,15 @@ jobs:
file: ./backend/Dockerfile
push: true
tags: |
ghcr.io/${{ github.repository }}/api:sha-${{ github.sha }}
${{ steps.meta.outputs.is_tag == 'true' && format('ghcr.io/{0}/api:{1}', github.repository, github.ref_name) || '' }}
${{ steps.meta.outputs.image_base }}/api:sha-${{ github.sha }}
${{ steps.meta.outputs.is_tag == 'true' && format('{0}/api:{1}', steps.meta.outputs.image_base, github.ref_name) || '' }}
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Scan backend image for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/open-git/api:sha-${{ github.sha }}
image-ref: ${{ steps.meta.outputs.image_base }}/api:sha-${{ github.sha }}
format: sarif
output: trivy-backend.sarif
severity: HIGH,CRITICAL
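Review bot: Dropping `branches: [main]` from the `push` trigger at the top of the first hunk also moves the two Trivy scans further down this workflow to tag time only, so a HIGH/CRITICAL finding in the images built from `main` is not surfaced until the next release is cut. If the intent is only to stop per-commit publishing, a `schedule:` cron entry under `on:` pointed at the most recently published image, or a Trivy step in ci.yml against the locally built image, would keep periodic detection; which fits depends on whether a scheduled run should rebuild, which these hunks do not show, and the new header comment should then state that scanning as well as publishing is release-gated. Separately, the context lines just below the added `image_base` echo interpolate `${{ github.ref_name }}` directly into the shell script; passing it via `env:` and reading `"$REF_NAME"` is the hardened form, though that line is not touched by this commit. The `jobs:` block these hunks belong to starts and ends outside them.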
7 changes: 5 additions & 2 deletions .gitleaks.toml
Expand Up @@ -6,11 +6,14 @@ useDefault = true
[allowlist]
description = "Allow fake/sample secrets used only in test fixtures"
# base64("test-publicKey") — a placeholder MCP verification key in unit tests,
# not a real credential.
# and the fixed fake JWT signing key used by the router integration test.
# Neither is a real credential.
regexes = [
'''dGVzdC1wdWJsaWNLZXk=''',
'''integration-test-secret-key-1234567890''',
]
# Scope: the MCP secret handler test that defines the placeholder above.
# Scope: test files that define the placeholders above.
paths = [
'''backend/internal/handler/secret_handler_test\.go''',
'''backend/cmd/server/integration_test\.go''',
]
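Review bot: The new comment `# Scope: test files that define the placeholders above.` reads as if `paths` narrows `regexes`, but in a gitleaks global `[allowlist]` each list is an independent way to suppress a finding: a `paths` match alone mutes every finding in `backend/cmd/server/integration_test.go` and the handler test, not only the two placeholders, while the literal regexes mute those strings in any file. Unless the 8.21.2 pinned in ci.yml supports an explicit AND condition on the allowlist (worth confirming against its changelog before relying on it), the narrower option is to keep only the two exact-literal `regexes` and drop `paths`, so a real credential pasted into either test file still fails the scan. If `paths` is kept, the comment should describe what it actually does, e.g. `# Paths: every finding in these test files is suppressed, not just the placeholders above.`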
6 changes: 2 additions & 4 deletions docs/components/DocHeader.tsx
Expand Up @@ -15,14 +15,12 @@ export function DocHeader() {
<span>open-git</span>
<a
href="https://github.com/Corevice/open-git"
aria-label="GitHub"
aria-label="Source repository"
target="_blank"
rel="noreferrer"
>
<svg viewBox="0 0 24 24" width="20" height="20" fill="currentColor" aria-hidden="true">
<path
d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z"
/>
<path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z" />
</svg>
</a>
<VersionSelector />
10 changes: 10 additions & 0 deletions docs/postcss.config.mjs
@@ -0,0 +1,10 @@
// The docs site (Nextra) does not use the root project's Tailwind pipeline.
// Without this local config, Next.js walks up the directory tree and loads the
// repository-root postcss.config.mjs, which requires @tailwindcss/postcss — a
// dependency that is not installed in docs/. An empty plugin set keeps the docs
// build self-contained.
const config = {
plugins: {},
};

export default config;