Hermes Agent
007806a5d8
- dotnet format --verify-no-changes (C# code style linting) - dotnet list package --vulnerable --include-transitive (NuGet vulnerability check) - Trivy filesystem scan (CVE, secrets, dependency scanning)
60 lines
1.7 KiB
YAML
60 lines
1.7 KiB
YAML
name: PR Checks
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
test-and-build:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup .NET
|
|
uses: actions/setup-dotnet@v4
|
|
with:
|
|
dotnet-version: '10.0.x'
|
|
|
|
- name: Restore dependencies
|
|
run: dotnet restore
|
|
|
|
# ── Linting ──
|
|
|
|
- name: Lint C# code style
|
|
run: dotnet format --verify-no-changes --verbosity diagnostic
|
|
|
|
# ── Security ──
|
|
|
|
- name: Check NuGet packages for vulnerabilities
|
|
run: |
|
|
dotnet list package --vulnerable --include-transitive 2>&1 | tee nuget-audit.txt
|
|
if grep -qi "has the following vulnerable packages" nuget-audit.txt; then
|
|
echo "::error::Vulnerable NuGet packages found!"
|
|
exit 1
|
|
fi
|
|
echo "No vulnerable packages detected."
|
|
|
|
- name: Install Trivy
|
|
run: |
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.60.0
|
|
|
|
- name: Trivy filesystem security scan
|
|
run: trivy fs --exit-code 1 --severity HIGH,CRITICAL .
|
|
|
|
# ── Build ──
|
|
|
|
- name: Build Shared
|
|
run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
|
|
|
|
- name: Build Bot (compile check)
|
|
run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
|
|
|
|
- name: Build Web (compile check)
|
|
run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
|
|
|
|
# ── Tests ──
|
|
|
|
- name: Run tests
|
|
run: dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --verbosity normal |