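# AI Code Gate
#
# Gates pull requests that the local detect-ai-pr action flags as AI-generated:
# the policy check, security scan and sandboxed test run only for such PRs, and
# risk-assessment then aggregates their results (defaulting to "failed" when an
# upstream job produced no output) and uploads an audit artifact.
name: AI Code Gate

# pull_request (not pull_request_target): the PR merge ref is checked out, so the
# steps below run PR-controlled content. GitHub issues a read-only GITHUB_TOKEN
# for PRs from forks regardless of the permissions block.
on:
  pull_request:
    types: [opened, synchronize, reopened]

# Workflow-level permissions apply to every job. Only policy-check and
# risk-assessment pass GITHUB_TOKEN explicitly; if the other local actions do not
# need the write scopes, they could be narrowed with job-level permissions.
permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  detect:
    name: Detect AI-Generated PR
    runs-on: ubuntu-latest
    outputs:
      is_ai_pr: ${{ steps.detect.outputs.is_ai_pr }}
      agent_identity: ${{ steps.detect.outputs.agent_identity }}
    steps:
      # Marketplace actions are referenced by mutable major tags (@v4); pinning
      # each to a full commit SHA makes the supply chain reproducible and
      # tamper-evident.
      - uses: actions/checkout@v4
        with:
          # Full history; presumably the detector looks at commits beyond the
          # merge commit — confirm against the action's inputs.
          fetch-depth: 0
      - uses: ./.github/actions/detect-ai-pr
        id: detect
      # The detector's outputs are passed through env vars rather than
      # interpolated into the shell line. agent_identity is likely derived from
      # PR content; an inline ${{ }} expansion in `run:` would let a crafted
      # value inject shell commands into the runner (classic script injection).
      - name: Report detection result
        env:
          IS_AI_PR: ${{ steps.detect.outputs.is_ai_pr }}
          AGENT_IDENTITY: ${{ steps.detect.outputs.agent_identity }}
        run: echo "AI PR detected=${IS_AI_PR}, agent=${AGENT_IDENTITY}"

  policy-check:
    name: Policy Check
    needs: detect
    if: needs.detect.outputs.is_ai_pr == 'true'
    runs-on: ubuntu-latest
    outputs:
      policy_passed: ${{ steps.policy.outputs.policy_passed }}
      violations_json: ${{ steps.policy.outputs.violations_json }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      # package.json / package-lock.json come from the PR checkout, so any
      # lifecycle scripts executed by this install are PR-controlled. The token
      # is exposed only to the policy step below, not to this install.
      - run: npm ci
      - uses: ./.github/actions/policy-check
        id: policy
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  security-scan:
    name: Security Scan
    needs: detect
    if: needs.detect.outputs.is_ai_pr == 'true'
    runs-on: ubuntu-latest
    outputs:
      scan_passed: ${{ steps.scan.outputs.scan_passed }}
      findings_count: ${{ steps.scan.outputs.findings_count }}
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/security-scan
        id: scan

  sandbox-test:
    # "Sandboxed" refers to what the local action does internally; this job
    # itself runs on an ordinary hosted runner.
    name: Sandboxed Test Execution
    needs: detect
    if: needs.detect.outputs.is_ai_pr == 'true'
    runs-on: ubuntu-latest
    outputs:
      tests_passed: ${{ steps.sandbox.outputs.tests_passed }}
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/sandbox-test
        id: sandbox

  risk-assessment:
    name: Risk Assessment
    needs: [detect, policy-check, security-scan, sandbox-test]
    # always() keeps this job running when an upstream gate failed (and also
    # when the run was cancelled) so the audit record is still produced.
    if: always() && needs.detect.outputs.is_ai_pr == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      # Same caveat as in policy-check: the installed tree is PR-controlled.
      - run: npm ci
      - uses: ./.github/actions/risk-assessment
        id: assess
        with:
          # A failed or skipped upstream job leaves its outputs empty; the `||`
          # defaults make every gate read as not passed (fail closed) and give
          # the count/list inputs a parseable value.
          policy_passed: ${{ needs.policy-check.outputs.policy_passed || 'false' }}
          scan_passed: ${{ needs.security-scan.outputs.scan_passed || 'false' }}
          findings_count: ${{ needs.security-scan.outputs.findings_count || '0' }}
          tests_passed: ${{ needs.sandbox-test.outputs.tests_passed || 'false' }}
          violations_json: ${{ needs.policy-check.outputs.violations_json || '[]' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload audit log
        uses: actions/upload-artifact@v4
        with:
          name: ai-code-gate-audit
          # Presumably written to the workspace by the risk-assessment action
          # above — confirm; the upload fails if the file is absent.
          path: audit-event.json
          retention-days: 90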