
GitHub Actions Guidance

Summary

Kestrel does not ship GitHub Actions workflows. Use the templates in docs/ci-cd/README.md and docs/ci-cd/implementation-examples.md.

Issues Identified & Fixed

1. Deprecated Action Versions ❌➜✅

Problem: Multiple deprecated action versions were causing workflow failures

- github/codeql-action@v2 (deprecated Jan 2025)
- actions/github-script@v6 (outdated)
- actions/upload-pages-artifact@v2 (uses deprecated internal actions)
- actions/deploy-pages@v2 (outdated)

Fix: Updated to the latest stable versions

- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3

- uses: actions/github-script@v6
+ uses: actions/github-script@v7

- uses: actions/upload-pages-artifact@v2
+ uses: actions/upload-pages-artifact@v3

- uses: actions/deploy-pages@v2
+ uses: actions/deploy-pages@v4
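Review bot: all four replacements still reference the actions by mutable tag (`@v3`, `@v7`, `@v4`); a tag can be moved to point at different code later, so for supply-chain hardening pin each `uses:` to the full commit SHA of the release and keep the version as a trailing comment, e.g. `uses: actions/github-script@<full-commit-sha> # v7` (placeholder SHA; look up the real one from the action's release). This keeps the upgrade while removing the dependency on tag integrity.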

2. Artifact Upload Failures ❌➜✅

Problem: actions/upload-pages-artifact@v2 internally used deprecated actions/upload-artifact@v3

Error: This request has been automatically failed because it uses a deprecated version of `actions/upload-artifact: v3`

Fix: Updated to actions/upload-pages-artifact@v3, which uses compatible artifact actions internally

3. Missing Compliance Framework Parameters ❌➜✅

Problem: Some scan commands were missing the --frameworks flag

./kestrel scan --path "$SCAN_PATH" --sarif --output reports/kestrel.sarif

Fix: Added --frameworks to all scan commands for consistency

./kestrel scan --path "$SCAN_PATH" --frameworks fips_140_3,pci_dss_4 --sarif --output reports/kestrel.sarif
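As an added example (not Kestrel project code), the following script audits a workflow file for the two issue classes above: the deprecated action versions listed under issue 1 and `kestrel scan` steps that lack --frameworks (issue 3). The function names and the sample workflow are constructed here; only the action names, versions and scan command lines come from this page.

```shell
#!/usr/bin/env bash
# Added example, not Kestrel project code. Audit a workflow for the deprecated
# action versions listed on this page and for `kestrel scan` steps missing
# --frameworks. Findings go to stderr; the finding count is printed to stdout.
audit_workflow() {
  file="$1"
  total=0
  # Deprecated action@tag pairs from the page, one ERE per line. The trailing
  # group stops "@v2" from also matching a hypothetical "@v20".
  patterns='github/codeql-action/[a-z-]+@v2
actions/github-script@v6
actions/upload-pages-artifact@v2
actions/deploy-pages@v2'
  while IFS= read -r pat; do
    hits=$(grep -nE "uses:[[:space:]]*${pat}([^0-9]|$)" "$file" || true)
    if [ -n "$hits" ]; then
      printf 'deprecated action:\n%s\n' "$hits" >&2
      total=$((total + $(printf '%s\n' "$hits" | grep -c .)))
    fi
  done <<EOF
$patterns
EOF
  # Scan steps that do not pass --frameworks (inconsistent framework coverage).
  missing=$(grep -nE 'kestrel scan' "$file" | grep -v -- '--frameworks' || true)
  if [ -n "$missing" ]; then
    printf 'scan without --frameworks:\n%s\n' "$missing" >&2
    total=$((total + $(printf '%s\n' "$missing" | grep -c .)))
  fi
  echo "$total"
}

# Constructed sample workflow reproducing the issues, plus one already-fixed step.
write_sample_workflow() {
  cat > "$1" <<'YAML'
steps:
  - uses: github/codeql-action/upload-sarif@v2
  - uses: actions/github-script@v6
  - uses: actions/upload-pages-artifact@v3
  - uses: actions/deploy-pages@v2
  - run: ./kestrel scan --path "$SCAN_PATH" --sarif --output reports/kestrel.sarif
  - run: ./kestrel scan --path "$SCAN_PATH" --frameworks fips_140_3,pci_dss_4 --sarif --output reports/kestrel.sarif
YAML
}

sample="$(mktemp)"
write_sample_workflow "$sample"
findings="$(audit_workflow "$sample")"
echo "findings: $findings"   # 4 for the sample above
rm -f "$sample"
```

Run it against `.github/workflows/*.yml` in a pre-commit hook or a CI lint job so a reintroduced deprecated version or a scan step without --frameworks fails the check before it fails the workflow.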

4. Artifact Chain Dependency Issues ❌➜✅

Problem: The "Security Policy Enforcement" job couldn't find the kestrel-compliance-reports artifact because the "Generate Compliance Reports" job had already failed on a deprecated action

Effect: Cascading failures across dependent jobs

Fix: Fixed the root cause (deprecated actions), which resolves the artifact chain

5. Download vs Build Logic Simplified ❌➜✅

Problem: Complex fallback logic for choosing between downloading a release and building from source

if [ -f "go.mod" ] && grep -q "kestrel" go.mod; then
echo "Building Kestrel from source..."
go build -o kestrel ./cmd/kestrel
else
echo "Downloading Kestrel release..."
curl -L https://github.com/.../releases/latest/download/kestrel-linux-amd64 -o kestrel
chmod +x kestrel
fi

Fix: Simplified to always build from source in CI

echo "Building Kestrel from source..."
go build -o kestrel ./cmd/kestrel

Remaining Issue: Code Scanning Not Enabled ⚠️

Issue: The repository doesn't have GitHub Advanced Security/Code Scanning enabled

Code scanning is not enabled for this repository. Please enable code scanning in the repository settings.

Status: This requires the repository owner to enable GitHub Advanced Security in the repository settings

Impact: SARIF upload fails but doesn't break the workflow (marked as warning)

Workaround: The workflow generates and uploads SARIF as artifacts, which can be manually reviewed

Verification Steps Taken

  1. Local Testing: All commands tested locally and work correctly

    ./kestrel scan --path . --frameworks fips_140_3,pci_dss_4 --sarif --output test.sarif
    ./kestrel scan --path . --frameworks fips_140_3,pci_dss_4 --html --output test.html
    ./kestrel scan --path . --frameworks fips_140_3,pci_dss_4 --json --output test.json
  2. Build Testing: Verified project builds successfully

    go build -o kestrel ./cmd/kestrel
  3. Dependency Check: Confirmed Semgrep integration works

    ./kestrel check
    # Output: ✓ Semgrep: installed (version 1.132.1)
  4. Rules Validation: Confirmed compliance rules are valid

    ls rules/
    # fips_140_3.yaml pci_dss_4.yaml

Files Changed

  • Use the workflow templates in docs/ci-cd/README.md or docs/ci-cd/implementation-examples.md.

Expected Outcome

After these fixes:

  • ✅ Build and test steps should complete successfully
  • ✅ Artifact uploads should work correctly
  • ✅ Job dependencies should flow properly
  • ✅ Reports should generate in all formats (JSON, SARIF, HTML)
  • ⚠️ SARIF upload may show warning (due to code scanning not enabled) but won't fail workflow
  • ✅ Compliance reports should be available as workflow artifacts

Next Steps

  1. Monitor new workflow runs after adding the template
  2. Enable GitHub Advanced Security if SARIF integration to Security tab is desired
  3. Review generated compliance reports in workflow artifacts
  4. Consider adding release automation for the Kestrel binary

The core functionality should now work correctly with proper error handling and modern action versions.