Toutsu
06d40fdbc8
- SecurityCodeScan.VS2019 5.6.7 injected into Directory.Build.props scans all C# source during every dotnet build - HIGH/CRITICAL findings fail the build because TreatWarningsAsErrors=true - No extra CI step needed: analyzer runs inside every build job automatically Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
52 lines
1.4 KiB
YAML
52 lines
1.4 KiB
YAML
name: PR Checks
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
security-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install Trivy
|
|
run: |
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
|
|
|
- name: Run Trivy filesystem scan (full repo)
|
|
run: |
|
|
trivy fs \
|
|
--scanners vuln,secret,misconfig \
|
|
--severity HIGH,CRITICAL \
|
|
--exit-code 1 \
|
|
--format table \
|
|
.
|
|
|
|
test-and-build:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup .NET
|
|
uses: actions/setup-dotnet@v4
|
|
with:
|
|
dotnet-version: '10.0.x'
|
|
|
|
- name: Restore dependencies
|
|
run: dotnet restore
|
|
|
|
- name: Build Shared (includes SAST via SecurityCodeScan)
|
|
run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
|
|
|
|
- name: Build Bot (compile check, includes SAST)
|
|
run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
|
|
|
|
- name: Build Web (compile check, includes SAST)
|
|
run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
|
|
|
|
- name: Run tests
|
|
run: dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --verbosity normal |