feat: add remaining PFC checks and lightweight PR builds BED-6802

.github/workflows/audit-release.yml

@@ -35,7 +35,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source code for this repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
         with:
           fetch-depth: 0
           fetch-tags: true

.github/workflows/build-ui.yml

@@ -31,16 +31,18 @@ jobs:
 
     steps:
       - name: Checkout source code for this repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
 
       - name: Install Node
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
         with:
           node-version: 22
 
-      - name: Install Yarn
+      - name: Enable Corepack
         run: |
-          npm install --global yarn
+          corepack enable
+          corepack install
+          yarn --version
 
       - name: Install Dependencies
         run: |

.github/workflows/cd.yml

@@ -25,8 +25,13 @@ on:
       - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+
 
 jobs:
+  run-slow-go-tests:
+    name: Run Slow Go Tests
+    uses: ./.github/workflows/run-slow-go-tests.yml
+
   bloodhound-container-image:
     name: Build and Publish BloodHound Container Image
+    needs: run-slow-go-tests
     uses: ./.github/workflows/reusable.build-container-image.yml
     with:
       container_image_repository_name: docker.io/specterops/bloodhound

.github/workflows/ci.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
-name: Continuous Integration (CI)
+name: Build Application
 
 on:
   pull_request:
@@ -26,25 +26,41 @@ on:
       - synchronize
 
 jobs:
-  bloodhound-container-image:
-    name: Build BloodHound Container Image
-    uses: ./.github/workflows/reusable.build-container-image.yml
-    with:
-      container_image_repository_name: docker.io/specterops/bloodhound
-      build_target: bloodhound
-      image_sbom: false
-      image_provenance: false
-      build_context: .
-      build_outputs: type=image,push=false
-      dockerfile: dockerfiles/bloodhound.Dockerfile
-      image_cache_from: type=gha
-      image_cache_to: type=gha,mode=max
-      build_args: |
-        checkout_hash=${{ github.sha }}
-
-    secrets:
-      dockerhub_account: ${{ secrets.DOCKERHUB_USERNAME }}
-      dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
-      ghcr_account: ${{ github.actor }}
-      ghcr_token: ${{ secrets.GITHUB_TOKEN }}
-      gh_access_token: ${{ secrets.GITHUB_TOKEN }}
+  build-application:
+    name: Build BloodHound Application
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    timeout-minutes: 30
+    env:
+      SB_VERSION: v0.0.0-pr
+
+    steps:
+      - name: Checkout source code for this repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
+
+      - name: Install Go
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # ratchet:actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+          check-latest: true
+
+      - name: Install Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Enable Corepack
+        run: |
+          corepack enable
+          corepack install
+          yarn --version
+
+      - name: Run stbernard deps
+        run: |
+          go tool stbernard deps
+
+      - name: Run stbernard build
+        run: |
+          go tool stbernard build

.github/workflows/code-generation-check.yml

@@ -0,0 +1,92 @@
+# Copyright 2026 Specter Ops, Inc.
+#
+# Licensed under the Apache License, Version 2.0
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Code Generation Check
+
+on:
+  pull_request:
+    branches:
+      - main
+      - "stage/**"
+    types:
+      - opened
+      - synchronize
+
+jobs:
+  code-generation-check:
+    name: Code Generation Check
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout source code for this repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
+
+      - name: Install Go
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # ratchet:actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+          check-latest: true
+
+      - name: Install Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # ratchet:actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Enable Corepack
+        run: |
+          corepack enable
+
+      - name: Run stbernard deps
+        run: |
+          go tool stbernard deps
+
+      - name: Run stbernard modsync
+        run: |
+          go tool stbernard modsync
+
+      - name: Run stbernard generate
+        run: |
+          go tool stbernard generate
+
+      - name: Run stbernard license
+        run: |
+          go tool stbernard license
+
+      - name: Check for uncommitted changes
+        id: show
+        run: |
+          go tool stbernard show -no-version
+
+      - name: Fail with helpful message
+        if: failure() && steps.show.outcome == 'failure'
+        run: |
+          echo "::error::Code generation check failed!"
+          echo ""
+          echo "=========================================="
+          echo "  CODE GENERATION CHECK FAILED"
+          echo "=========================================="
+          echo ""
+          echo "This PR has uncommitted generated code or dependency changes."
+          echo ""
+          echo "Please run the following command locally and commit the changes:"
+          echo ""
+          echo "    just prepare-for-codereview"
+          echo ""
+          echo "Then push the updated changes to this PR."
+          echo ""
+          echo "=========================================="
+          exit 1

.github/workflows/generate-allure-report.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: Get Allure history
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
         continue-on-error: true
         with:
           ref: gh-pages

.github/workflows/reusable.build-container-image.yml

@@ -188,7 +188,7 @@ jobs:
       image_name: ${{ steps.container-image-metadata.outputs.image_name }}
     steps:
       - name: Checkout Source Code Repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
         with:
           submodules: recursive
 
@@ -197,7 +197,7 @@ jobs:
       # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository
       - if: ${{ github.repository != 'SpecterOps/BloodHound' }}
         name: Checkout Reusable Workflows and Composite Actions
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
         with:
           clean: false
           repository: SpecterOps/BloodHound

.github/workflows/run-go-tests.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: Checkout source code for this repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
 
       - name: Start PostgreSQL and Neo4j Containers
         run: |

.github/workflows/run-go-unit-tests.yml

@@ -44,7 +44,7 @@ jobs:
 
     steps:
       - name: Checkout source code for this repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
 
       - name: Install Go
         uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # ratchet:actions/setup-go@v5

.github/workflows/run-slow-go-tests.yml

@@ -16,26 +16,17 @@
 
 name: Run Slow Go Tests
 
+# On workflow call ensures that it runs before CD without duplication. This will likely be better fixed when we move to the newer pipeline layout of workflows in the near future
 on:
-  workflow_run:
-    workflows:
-      - "Run Go Unit Tests"
-      - "Run UI Tests"
-    types:
-      - completed
-    branches:
-      - main
-      - "stage/**"
+  workflow_call:
 
 jobs:
   run-tests:
-    # On Sucesss execute Go integration tests
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout source code for this repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
 
       - name: Start PostgreSQL and Neo4j Containers
         run: |

.github/workflows/run-ui-tests.yml

@@ -43,7 +43,7 @@ jobs:
 
     steps:
       - name: Checkout source code for this repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
 
       - name: Install Go
         uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # ratchet:actions/setup-go@v5

.github/workflows/static-code-analysis.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Checkout source code for this repository
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # ratchet:actions/checkout@v5
 
       - name: Install Go
         uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # ratchet:actions/setup-go@v5
@@ -45,9 +45,11 @@ jobs:
         with:
           node-version: 22
 
-      - name: Install Yarn
+      - name: Enable Corepack
         run: |
-          npm install --global yarn
+          corepack enable
+          corepack install
+          yarn --version
 
       - name: Install Deps
         run: |

.gitignore

@@ -1,6 +1,8 @@
 ################
 # Project Level Git Ignore
 ################################
+# Codex
+.codex
 
 # Temporary backup files
 *.bak