chore(ci): supply-chain security workflow + harden ci.yml

.github/workflows/ci.yml

@@ -6,24 +6,28 @@ on:
   pull_request:
     branches: [main]
 
-permissions:
-  contents: read
+# Default-deny at workflow level; jobs grant only what they need.
+permissions: {}
 
 jobs:
   markdown-lint:
     name: markdown lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: DavidAnson/markdownlint-cli2-action@v16
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8 # v16.0.0
         with:
           globs: '**/*.md'
 
   go:
     name: go vet + test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
       - id: detect
         name: detect go module
         run: |
@@ -33,7 +37,7 @@ jobs:
             echo "has_go=false" >> "$GITHUB_OUTPUT"
             echo "::notice::No go.mod present; skipping go vet and go test."
           fi
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         if: steps.detect.outputs.has_go == 'true'
         with:
           go-version-file: go.mod

.github/workflows/security.yml

@@ -0,0 +1,158 @@
+name: security
+
+# Supply-chain and license-policy gate for quantcli repos.
+# Source of truth lives in quantcli/common; export-clis carry a copy of this file.
+# When updating, propagate the change to every *-export-cli repo (see CONTRIBUTING.md).
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+# Default-deny at workflow level; each job re-grants only what it needs.
+permissions: {}
+
+jobs:
+  govulncheck:
+    name: govulncheck (Go vuln DB)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Detect Go module
+        id: detect
+        run: |
+          if [ -f go.mod ]; then
+            echo "has_go=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_go=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::No go.mod present; skipping govulncheck."
+          fi
+
+      - name: Set up Go
+        if: steps.detect.outputs.has_go == 'true'
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Install govulncheck
+        if: steps.detect.outputs.has_go == 'true'
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        if: steps.detect.outputs.has_go == 'true'
+        run: govulncheck ./...
+
+  osv-scanner:
+    name: osv-scanner (transitive vulns)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Detect Go module
+        id: detect
+        run: |
+          # osv-scanner exits non-zero with "No package sources found" if there is
+          # nothing to scan. The quantcli org is Go-only today, so gate on go.mod.
+          # If a non-Go manifest (package.json, requirements.txt, Cargo.toml, …) is
+          # ever introduced, broaden this check.
+          if [ -f go.mod ]; then
+            echo "has_manifests=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_manifests=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::No go.mod found; skipping osv-scanner."
+          fi
+
+      - name: Set up Go
+        if: steps.detect.outputs.has_manifests == 'true'
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
+          cache: false
+
+      - name: Install osv-scanner
+        if: steps.detect.outputs.has_manifests == 'true'
+        run: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
+
+      - name: Run osv-scanner
+        if: steps.detect.outputs.has_manifests == 'true'
+        run: osv-scanner scan source --recursive .
+
+  license-policy:
+    name: license policy (allowlist)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      # Policy: every direct + transitive Go dep must resolve to one of these SPDX ids.
+      # See SECURITY.md "Supply-chain policy" for the rationale.
+      ALLOWED_LICENSES: "Apache-2.0,MIT,BSD-2-Clause,BSD-3-Clause,MPL-2.0,ISC,Unlicense"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Detect Go module
+        id: detect
+        run: |
+          if [ -f go.mod ]; then
+            echo "has_go=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_go=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::No go.mod present; skipping license-policy check."
+          fi
+
+      - name: Set up Go
+        if: steps.detect.outputs.has_go == 'true'
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Install go-licenses
+        if: steps.detect.outputs.has_go == 'true'
+        run: go install github.com/google/go-licenses@latest
+
+      - name: Check licenses against allowlist
+        if: steps.detect.outputs.has_go == 'true'
+        shell: bash
+        run: |
+          set -euo pipefail
+          report=$(mktemp)
+          # go-licenses csv emits: module,license-url,license-id (one per line).
+          # Warnings (e.g. license-url not found) go to stderr and are non-fatal here.
+          go-licenses csv ./... > "$report"
+
+          IFS=',' read -ra ALLOWED <<< "$ALLOWED_LICENSES"
+          is_allowed() {
+            local needle="$1"
+            for a in "${ALLOWED[@]}"; do
+              if [ "$needle" = "$a" ]; then return 0; fi
+            done
+            return 1
+          }
+
+          bad=0
+          while IFS=',' read -r module url license; do
+            [ -z "$module" ] && continue
+            if ! is_allowed "$license"; then
+              echo "::error::Disallowed license: module=$module license=$license"
+              bad=1
+            fi
+          done < "$report"
+
+          if [ "$bad" -ne 0 ]; then
+            echo "::error::License policy violated. Allowlist: ${ALLOWED_LICENSES}"
+            echo "::error::See SECURITY.md for the policy and how to request an exception."
+            exit 1
+          fi
+
+          echo "All dependency licenses are within policy."

CONTRIBUTING.md

@@ -78,6 +78,20 @@ The contract is only as honest as the test that proves three CLIs behave the sam
 
 The `compat/` harness is being scaffolded — until it lands, document the test you *would* write in the PR body so the expectation stays visible.
 
+## Supply-chain and security
+
+Every PR — here and in each `*-export-cli` — is gated on the `security` workflow defined in [`.github/workflows/security.yml`](.github/workflows/security.yml). It runs three checks:
+
+- **`govulncheck`** — Go vulnerability database scan against the module's full dependency closure (skipped when there is no `go.mod`).
+- **`osv-scanner`** — OSV transitive vulnerability scan over the working tree.
+- **License policy** — every direct + transitive Go dependency must resolve to one of the permissive SPDX ids listed in [`SECURITY.md`](SECURITY.md#supply-chain-policy). GPL-family, SSPL, BSL, and other non-permissive licenses are blocking.
+
+If a PR fails the license-policy check, do not unblock it by adding a `replace` directive or vendoring a fork to relabel the license. Either drop the dependency, switch to a permissively licensed equivalent, or open an issue requesting a policy exception with the rationale.
+
+To propose a security policy change (allowlist, severity bar, or workflow tooling), open an issue here first — these decisions ripple to every export-cli.
+
+For reporting a vulnerability in a shipped CLI or in `common`, see [SECURITY.md](SECURITY.md). Do **not** open a public issue with exploit details.
+
 ## License and sign-off
 
 This repo is MIT-licensed (see [LICENSE](LICENSE)). By contributing you agree your changes are under the same license. We don't require a CLA. Sign-off (`Signed-off-by:` in commit messages) is encouraged but not required.