Skip to content
Security Checks

Second-pass audit fixes: option-5 typo, skill MCP rename, walkthrough #24

Sign in to view logs

Second-pass audit fixes: option-5 typo, skill MCP rename, walkthrough

Second-pass audit fixes: option-5 typo, skill MCP rename, walkthrough #24

Workflow file for this run

.github/workflows/security.yml at 8e2d0c2
name: Security Checks
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '0 9 * * 1' # Weekly Monday 9am UTC
permissions:
contents: read
jobs:
shellcheck-strict:
name: ShellCheck (error severity)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Run ShellCheck at error severity
uses: ludeeus/action-shellcheck@94e0aab03ca135d11a35e5bfc14e6746dc56e7e9 # v2.0.0
with:
scandir: '.'
severity: error
ignore_paths: terminal-academy node_modules
secret-scan:
name: Secret scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Scan for hardcoded secrets
run: |
# Fail if real-looking API keys are found in tracked files
if git ls-files | xargs grep -lniE \
"(sk-ant-api|ghp_[0-9A-Za-z]{36}|xoxb-[0-9A-Za-z-]+|AKIA[0-9A-Z]{16})" \
2>/dev/null | grep -v ".git"; then
echo "::error::Potential hardcoded secrets detected — see matches above"
exit 1
fi
echo "No hardcoded secrets detected"
download-url-check:
name: Verify pinned download URLs are reachable
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Check SKILL_URL in step-9
run: |
COMMIT=$(grep 'SKILL_COMMIT=' step-9/step-9-install.sh | head -1 | cut -d'"' -f2)
URL="https://raw.githubusercontent.com/lorecraft-io/cli-maxxing/${COMMIT}/step-9/safetycheck-skill/SKILL.md"
HTTP_STATUS=$(curl -o /dev/null -s -w "%{http_code}" "$URL")
if [ "$HTTP_STATUS" != "200" ]; then
echo "::error::Pinned SKILL_URL returned HTTP $HTTP_STATUS — commit SHA may be invalid"
exit 1
fi
echo "SKILL_URL OK (HTTP 200) for commit $COMMIT"