CalvinBackup/shannon
1
0
Fork 0
mirror of https://github.com/KeygraphHQ/shannon.git synced 2026-06-01 13:11:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: integrate npx CLI, CI/CD, and ephemeral worker architecture

Browse Source 
Bring in changes from shannon-npx: npx-distributable CLI package (cli/),
semantic-release CI/CD workflows, ephemeral per-scan worker containers,
TOML config support, setup wizard, and workspace management.

Preserves all shannon-only changes: security hardening (localhost-bound
ports, MCP env allowlist, path traversal guard), updated benchmarks
(XBEN 19/31/35/44), README assets, and prompt injection disclaimer.

Applies security hardening to cli/infra/compose.yml as well.
This commit is contained in:
ezl-keygraph
2026-03-14 18:40:04 +05:30
parent ae4bd45a30
commit 9b1abd9ec0
52 changed files with 3219 additions and 1651 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/release.yml
+165
View File
@@ -0,0 +1,165 @@
name: Release
on:
workflow_dispatch:
permissions:
contents: read
concurrency:
group: release-main
cancel-in-progress: false
jobs:
preflight:
name: Preflight
runs-on: ubuntu-latest
permissions:
contents: write
outputs:
should_release: ${{ steps.probe.outputs.should_release }}
version: ${{ steps.probe.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24
- name: Install dependencies
run: npm clean-install
- name: Verify dependency signatures
run: npm audit signatures
- name: Probe semantic-release
id: probe
shell: bash
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
npx semantic-release@25 --dry-run --no-ci 2>&1 | tee semantic-release.log
if grep -q "The next release version is" semantic-release.log; then
echo "should_release=true" >> "$GITHUB_OUTPUT"
VERSION=$(grep -oE "The next release version is [0-9]+\.[0-9]+\.[0-9]+" semantic-release.log | grep -oE "[0-9]+\.[0-9]+\.[0-9]+")
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
else
echo "should_release=false" >> "$GITHUB_OUTPUT"
fi
publish:
name: Publish Docker and npm
needs: preflight
if: needs.preflight.outputs.should_release == 'true'
runs-on: ubuntu-latest
environment: release-publish
permissions:
contents: read
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Set up QEMU
uses: docker/setup-qemu-action@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Log in to Docker Hub
uses: docker/login-action@v4
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push Docker image
id: build
uses: docker/build-push-action@v7
with:
context: .
push: true
platforms: linux/amd64,linux/arm64
provenance: mode=max
sbom: true
tags: |
keygraph/shannon:${{ needs.preflight.outputs.version }}
keygraph/shannon:latest
- name: Install cosign
uses: sigstore/cosign-installer@v4.1.0
- name: Sign Docker image
run: cosign sign --yes keygraph/shannon@${{ steps.build.outputs.digest }}
- name: Verify Docker image signature
run: |
sleep 10
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }} \
keygraph/shannon@${{ steps.build.outputs.digest }}
- name: Configure npm registry
uses: actions/setup-node@v6
with:
node-version: 24
registry-url: https://registry.npmjs.org
- name: Install dependencies
run: npm clean-install
- name: Verify dependency signatures
run: npm audit signatures
- name: Set CLI package version
run: npm version "${{ needs.preflight.outputs.version }}" --workspace cli --no-git-tag-version --allow-same-version
- name: Sync lockfile with bumped versions
run: npm i --package-lock-only
- name: Build CLI
run: npm run build:cli
- name: Publish npm package
working-directory: cli
run: |
if npm view "@keygraph/shannon@${{ needs.preflight.outputs.version }}" version 2>/dev/null; then
echo "Version already published, skipping"
else
npm publish --access public
fi
release:
name: Create GitHub release
needs: [preflight, publish]
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24
- name: Install dependencies
run: npm clean-install
- name: Create GitHub release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: npx semantic-release@25
.github/workflows/rollback.yml
+124
View File
@@ -0,0 +1,124 @@
name: Rollback
on:
workflow_dispatch:
inputs:
version:
description: "Version to move npm latest and Docker latest to (example: 1.4.2)"
required: true
type: string
permissions:
contents: read
concurrency:
group: rollback-latest-${{ github.event.inputs.version }}
cancel-in-progress: false
jobs:
rollback:
name: Roll back npm and Docker latest
runs-on: ubuntu-latest
environment: release-rollback
steps:
- name: Checkout tags
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Fetch all tags
run: git fetch --force --tags
- name: Validate target version
id: target
shell: bash
run: |
set -euo pipefail
VERSION="${{ inputs.version }}"
VERSION="${VERSION#v}"
case "$VERSION" in
''|*[!0-9.]*)
echo "Invalid version: $VERSION"
exit 1
;;
esac
if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Version must be in semver format X.Y.Z"
exit 1
fi
if ! git rev-parse "refs/tags/v$VERSION" >/dev/null 2>&1; then
echo "Git tag v$VERSION does not exist"
exit 1
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24
registry-url: https://registry.npmjs.org
- name: Verify npm package version exists
run: npm view "@keygraph/shannon@${{ steps.target.outputs.version }}" version
- name: Show current npm dist-tags
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_ROLLBACK_TOKEN }}
run: npm dist-tag ls @keygraph/shannon
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Log in to Docker Hub
uses: docker/login-action@v4
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Verify Docker image tag exists
run: docker buildx imagetools inspect "keygraph/shannon:${{ steps.target.outputs.version }}"
- name: Install cosign
uses: sigstore/cosign-installer@v4.1.0
- name: Verify Docker image signature before rollback
run: |
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/release.yml@refs/heads/main" \
"keygraph/shannon:${{ steps.target.outputs.version }}"
- name: Move Docker latest
run: |
docker buildx imagetools create \
--tag "keygraph/shannon:latest" \
"keygraph/shannon:${{ steps.target.outputs.version }}"
- name: Move npm latest
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_ROLLBACK_TOKEN }}
run: npm dist-tag add "@keygraph/shannon@${{ steps.target.outputs.version }}" latest
- name: Show final npm dist-tags
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_ROLLBACK_TOKEN }}
run: npm dist-tag ls @keygraph/shannon
- name: Verify Docker latest now points to target
run: docker buildx imagetools inspect "keygraph/shannon:latest"
- name: Write summary
run: |
{
echo "## Rollback latest"
echo ""
echo "- Target version: \`${{ steps.target.outputs.version }}\`"
echo "- npm package: \`@keygraph/shannon\`"
echo "- Docker image: \`keygraph/shannon\`"
} >> "$GITHUB_STEP_SUMMARY"