Toutsu
043ed9ce45
- PR checks: filesystem scan with Trivy (vuln, secret, misconfig) - Deploy pipeline: image scan for bot and web containers before deploy - Scans entire repository, not filtered file subsets - Bump version -> 1.14.0 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
52 lines
1.3 KiB
YAML
52 lines
1.3 KiB
YAML
name: PR Checks
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
security-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install Trivy
|
|
run: |
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
|
|
|
- name: Run Trivy filesystem scan (full repo)
|
|
run: |
|
|
trivy fs \
|
|
--scanners vuln,secret,misconfig \
|
|
--severity HIGH,CRITICAL \
|
|
--exit-code 1 \
|
|
--format table \
|
|
.
|
|
|
|
test-and-build:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup .NET
|
|
uses: actions/setup-dotnet@v4
|
|
with:
|
|
dotnet-version: '10.0.x'
|
|
|
|
- name: Restore dependencies
|
|
run: dotnet restore
|
|
|
|
- name: Build Shared
|
|
run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
|
|
|
|
- name: Build Bot (compile check)
|
|
run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
|
|
|
|
- name: Build Web (compile check)
|
|
run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
|
|
|
|
- name: Run tests
|
|
run: dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --verbosity normal |