wrkflw/crates/executor
bahdotsh 460357d9fe feat: Add comprehensive sandboxing for secure emulation mode
Security Features:
- Implement secure emulation runtime with command sandboxing
- Add command validation, filtering, and dangerous pattern detection
- Block harmful commands like 'rm -rf /', 'sudo', 'dd', etc.
- Add resource limits (CPU, memory, execution time, process count)
- Implement filesystem isolation and access controls
- Add environment variable sanitization
- Support shell operators (&&, ||, |, ;) with proper parsing

New Runtime Mode:
- Add 'secure-emulation' runtime option to CLI
- Update UI to support new runtime mode with green security indicator
- Mark legacy 'emulation' mode as unsafe in help text
- Default to secure mode for local development safety

Documentation:
- Create comprehensive security documentation (README_SECURITY.md)
- Update main README with security mode information
- Add example workflows demonstrating safe vs dangerous commands
- Include migration guide and best practices

Testing:
- Add comprehensive test suite for sandbox functionality
- Include security demo workflows for testing
- Test dangerous command blocking and safe command execution
- Verify resource limits and timeout functionality

Code Quality:
- Fix all clippy warnings with proper struct initialization
- Add proper error handling and user-friendly security messages
- Implement comprehensive logging for security events
- Follow Rust best practices throughout

This addresses security concerns by preventing accidental harmful
commands while maintaining full compatibility with legitimate CI/CD
workflows. Users can now safely run untrusted workflows locally
without risk to their host system.
2025-08-13 14:30:51 +05:30

wrkflw-executor

The execution engine that runs GitHub Actions workflows locally (Docker, Podman, or emulation).

  • Features:
    • Job graph execution with needs ordering and parallelism
    • Docker/Podman container steps and emulation mode
    • Basic environment/context wiring compatible with Actions
  • Used by: wrkflw CLI and TUI

API sketch

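use wrkflw_executor::{execute_workflow, ExecutionConfig, RuntimeType};

// execute_workflow is async and fallible, so the calls sit inside an async fn.
// The function name and the boxed error return type are assumptions of this sketch.
async fn run_ci() -> Result<(), Box<dyn std::error::Error>> {
    let cfg = ExecutionConfig {
        runtime: RuntimeType::Docker,
        verbose: true,
        preserve_containers_on_failure: false,
    };

    // Path to a workflow YAML
    let workflow_path = std::path::Path::new(".github/workflows/ci.yml");

    let result = execute_workflow(workflow_path, cfg).await?;
    println!("workflow status: {:?}", result.summary_status);
    Ok(())
}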

Prefer using the wrkflw binary for a complete UX across validation, execution, and logs.
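
The commit message above lists command validation alongside support for the shell operators &&, ||, | and ;. The following is an added example, not code from wrkflw, showing why a validator has to split a step on those operators before checking each program; the blocklist and the names `BLOCKED_PROGRAMS`, `split_segments` and `validate` are hypothetical.

```rust
// Added example, not wrkflw code: all names and the blocklist are hypothetical.
const BLOCKED_PROGRAMS: [&str; 2] = ["sudo", "dd"];

/// Split on the shell operators &&, ||, | and ;, ignoring operators inside
/// quotes. A lone & also separates, and backslash escapes are not handled.
fn split_segments(line: &str) -> Vec<String> {
    let (mut segments, mut current) = (Vec::new(), String::new());
    let mut quote: Option<char> = None;
    let mut chars = line.chars().peekable();
    while let Some(c) = chars.next() {
        match (quote, c) {
            (Some(q), _) => { if c == q { quote = None; } current.push(c); }
            (None, '\'') | (None, '"') => { quote = Some(c); current.push(c); }
            (None, ';') | (None, '|') | (None, '&') => {
                // Swallow the second character of && or ||.
                if c != ';' && chars.peek() == Some(&c) { chars.next(); }
                segments.push(std::mem::take(&mut current));
            }
            (None, _) => current.push(c),
        }
    }
    segments.push(current);
    segments.iter().map(|s| s.trim().to_string()).filter(|s| !s.is_empty()).collect()
}

/// Check the program of every segment, not only the start of the line.
fn validate(line: &str) -> Result<(), String> {
    for seg in split_segments(line) {
        let words: Vec<&str> = seg.split_whitespace().collect();
        // Compare on the basename so /usr/bin/sudo is treated like sudo.
        let name = words[0].rsplit('/').next().unwrap_or(words[0]);
        if BLOCKED_PROGRAMS.contains(&name) {
            return Err(format!("blocked program `{}` in `{}`", name, seg));
        }
        // Heuristic for 'rm -rf /': r and f among the flags, / as a target.
        let flags: String = words[1..].iter().filter(|w| w.starts_with('-')).copied().collect();
        if name == "rm" && flags.contains('r') && flags.contains('f') && words[1..].contains(&"/") {
            return Err(format!("blocked recursive delete of / in `{}`", seg));
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample step commands.
    for cmd in ["cargo test", "echo ok && sudo make install", "echo \"a; dd b\""] {
        println!("{:?} -> {:?}", cmd, validate(cmd));
    }
}
```

A name-based check like this only catches accidental use; the resource limits and filesystem isolation listed in the same commit message are what bound a step that passes it.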