taudit-parse-gha 3.0.1

Parses GitHub Actions YAML into taudit typed authority graphs for CI/CD propagation and trust-boundary analysis.

taudit-parse-gha

GitHub Actions workflow parser for taudit authority graphs.

This crate parses GitHub Actions YAML into taudit's typed AuthorityGraph, so tools can reason about GITHUB_TOKEN, secrets, OIDC, reusable workflows, actions, containers, artifacts, trigger context, permissions, and trust-boundary crossings as graph data instead of raw YAML strings.

What It Models

  • Jobs, steps, local actions, third-party actions, containers, services, and artifacts.
  • permissions: scope, OIDC availability, GITHUB_TOKEN, and secret references.
  • Pull request, pull_request_target, workflow_run, issue_comment, dispatch, and reusable workflow triggers.
  • Fork-check guards, cache/helper handoffs, environment mutation, and manifest authority metadata used by taudit rules.
  • Partial-graph reasons: when expressions, reusable workflows, composites, or multiple YAML documents hide authority flow from static analysis, the graph records why it is incomplete instead of silently dropping the edge.

Rule evaluation lives in taudit-core; this crate only parses and annotates.

Install

[dependencies]
taudit-core = "3"
taudit-parse-gha = "3"

Basic Use

use taudit_core::graph::PipelineSource;
use taudit_core::ports::PipelineParser;
use taudit_parse_gha::GhaParser;

// Provenance for the workflow being parsed. `repo`, `git_ref` and
// `commit_sha` are optional and may be left as None when unknown.
let source = PipelineSource {
    file: ".github/workflows/release.yml".into(),
    repo: None,
    git_ref: None,
    commit_sha: None,
};

// The parser takes the raw workflow text; the caller is responsible for
// reading it (here from the same path recorded in `source`).
let workflow_yaml = std::fs::read_to_string(&source.file)?;

// Parse into a typed AuthorityGraph. `?` propagates parse errors, so this
// snippet must run inside a function that returns a compatible Result.
let graph = GhaParser.parse(&workflow_yaml, &source)?;

Use Cases

  • Embed GitHub Actions authority analysis in a Rust service.
  • Precompute authority graphs for SARIF, JSON, CloudEvents, or custom gates.
  • Test new GitHub Actions supply-chain security rules against parsed graph fixtures.

Related Docs