ThirdKeyAI
diff --git a/‎.github/.github/workflows/docker-build.yml‎
Lines changed: 130 additions & 0 deletions b/‎.github/.github/workflows/docker-build.yml‎
Lines changed: 130 additions & 0 deletions
diff --git a/‎.github/.github/workflows/docs.yml‎
Lines changed: 121 additions & 0 deletions b/‎.github/.github/workflows/docs.yml‎
Lines changed: 121 additions & 0 deletions
@@ -0,0 +1,130 @@
+name: Build and Publish Symbi Docker Image
+
+on:
+  push:
+    branches: [ main ]
+    tags: [ 'v*' ]
+    paths:
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - 'crates/**'
+      - 'src/**'
+      - 'Dockerfile'
+      - '.dockerignore'
+      - '.github/workflows/docker-build.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - 'crates/**'
+      - 'src/**'
+      - 'Dockerfile'
+      - '.dockerignore'
+      - '.github/workflows/docker-build.yml'
+  workflow_dispatch:
+    inputs:
+      force_rebuild:
+        description: 'Force complete rebuild'
+        required: false
+        default: 'false'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: thirdkeyai/symbi
+
+jobs:
+  build-symbi:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Log in to Container Registry
+      if: github.event_name != 'pull_request'
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract metadata for Symbi
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{major}}
+          type=sha
+
+    - name: Build and push Symbi image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        file: ./Dockerfile
+        platforms: linux/amd64,linux/arm64
+        push: ${{ github.event_name != 'pull_request' }}
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: |
+          type=gha
+          type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
+        cache-to: |
+          type=gha,mode=max
+          type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
+        build-args: |
+          BUILDKIT_INLINE_CACHE=1
+
+  security-scan:
+    runs-on: ubuntu-latest
+    needs: [build-symbi]
+    if: github.event_name != 'pull_request'
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+
+    steps:
+    - name: Log in to Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+  test-container:
+    runs-on: ubuntu-latest
+    needs: [build-symbi]
+    if: github.event_name != 'pull_request'
+    
+    steps:
+    - name: Test unified Symbi binary
+      run: |
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} --version
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} --help
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} dsl --help
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} runtime --help
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} mcp --help
@@ -0,0 +1,121 @@
+name: Deploy OSS Documentation
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'docs/**'
+      - '.github/workflows/docs.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  security-check:
+    name: Security Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Verify no enterprise content
+        run: |
+          echo "🔍 Verifying documentation contains no enterprise content..."
+          
+          # Check for enterprise folder
+          if [[ -d "enterprise" ]]; then
+            echo "❌ ERROR: Enterprise folder found in public repo!"
+            exit 1
+          fi
+          
+          # Check for sensitive patterns in docs
+          sensitive_patterns=("password" "secret" "private_key" "api_key")
+          for pattern in "${sensitive_patterns[@]}"; do
+            if grep -r -i "$pattern" docs/ --exclude-dir=_site 2>/dev/null | grep -v "example" | grep -v "placeholder"; then
+              echo "⚠️  WARNING: Potential sensitive content found for pattern: $pattern"
+              grep -r -i "$pattern" docs/ --exclude-dir=_site | grep -v "example" | grep -v "placeholder"
+            fi
+          done
+          
+          echo "✅ Documentation security check passed"
+
+  build:
+    name: Build Documentation
+    runs-on: ubuntu-latest
+    needs: security-check
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.1'
+          bundler-cache: true
+          working-directory: docs
+
+      - name: Setup Pages
+        id: pages
+        uses: actions/configure-pages@v4
+
+      - name: Install dependencies
+        run: |
+          cd docs
+          bundle install
+
+      - name: Build with Jekyll
+        run: |
+          cd docs
+          bundle exec jekyll build
+        env:
+          JEKYLL_ENV: production
+
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: docs/_site
+
+  deploy:
+    name: Deploy to GitHub Pages
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    outputs:
+      page_url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
+
+  validate-deployment:
+    name: Validate Deployment
+    runs-on: ubuntu-latest
+    needs: deploy
+    if: success()
+    steps:
+      - name: Check deployment
+        run: |
+          echo "🌐 Validating deployed documentation..."
+          
+          # Wait for deployment to be available
+          sleep 30
+          
+          # Basic connectivity check
+          if curl -s -f "${{ needs.deploy.outputs.page_url }}" > /dev/null; then
+            echo "✅ Documentation site is accessible"
+          else
+            echo "❌ Documentation site is not accessible"
+            exit 1
+          fi
+          
+          echo "📖 Documentation deployed successfully"
+          echo "URL: ${{ needs.deploy.outputs.page_url }}"