02fc5bd106
PR Checks / test-and-build (pull_request) Failing after 30m17s
Slow ARM64 runners hit the default timeout while downloading the Trivy checks bundle and analyzing workflow YAML files. Extend the timeout so PR checks can complete reliably.
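# PR gate for the GmRelay solution: restore, lint, dependency audit,
# Trivy filesystem scan (vuln + misconfig + secret), compile-check every
# project (SAST runs via the SecurityCodeScan Roslyn analyzer during build),
# then unit tests. Every step is fail-closed: a tool that cannot produce a
# result fails the job instead of reporting "clean".
name: PR Checks

on:
  pull_request:
    branches:
      - main

# Least privilege: nothing here pushes, comments or publishes, so the job
# token only needs to read the repository.
permissions:
  contents: read

jobs:
  test-and-build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): tag refs such as @v4 are mutable; pinning these two
      # actions to a full commit SHA would close the remaining supply-chain gap.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'

      - name: Restore dependencies
        run: dotnet restore

      # Trivy only audits NuGet through packages.lock.json; without at least
      # one lock file the scan below would silently cover zero dependencies.
      - name: Verify Trivy dependency scan inputs
        run: |
          lock_count="$(find . -name packages.lock.json -not -path "*/bin/*" -not -path "*/obj/*" | tee trivy-targets.txt | wc -l)"
          echo "Trivy NuGet lock files: ${lock_count}"
          if [ "${lock_count}" -eq 0 ]; then
            echo "::error::No packages.lock.json files found. Trivy would scan 0 NuGet dependency files."
            exit 1
          fi

      # ── Linting ──

      - name: Lint C# code style
        run: dotnet format --verify-no-changes --verbosity diagnostic

      # ── Security ──

      # `dotnet list package --vulnerable` is checked by grepping its report,
      # so the command's own exit status is captured separately: a failed or
      # aborted audit (e.g. the vulnerability feed could not be reached) must
      # not fall through to "No vulnerable packages detected."
      - name: Check NuGet packages for vulnerabilities
        run: |
          set +e
          dotnet list package --vulnerable --include-transitive 2>&1 | tee nuget-audit.txt
          audit_exit="${PIPESTATUS[0]}"
          set -e
          if grep -qi "has the following vulnerable packages" nuget-audit.txt; then
            echo "::error::Vulnerable NuGet packages found!"
            exit 1
          fi
          if [ "${audit_exit}" -ne 0 ]; then
            echo "::error::dotnet list package --vulnerable exited with status ${audit_exit}; audit result is unknown."
            exit "${audit_exit}"
          fi
          echo "No vulnerable packages detected."

      - name: Install Trivy
        run: |
          # Install Trivy from the official Docker image instead of the
          # upstream install.sh. Rationale (see deploy.yml for the long
          # version): the GitHub release tag we pinned (v0.71.0) was
          # unpublished, and install.sh fails hard on missing tags.
          # Docker Hub tags are rarely removed, and the multi-arch manifest
          # covers linux/amd64 + linux/arm64.
          # NOTE(review): a tag is still mutable; only an @sha256 digest is
          # content-addressed. Pin "aquasec/trivy@sha256:<digest-of-0.70.0>"
          # once that digest has been recorded.
          set -euo pipefail
          TRIVY_VERSION="0.70.0"
          docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}"
          docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}"
          # Drop the scratch container even if the copy below fails under -e.
          trap 'docker rm trivy-tmp >/dev/null || true' EXIT
          docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy
          chmod +x /usr/local/bin/trivy
          trivy --version

      # Exit status is taken from PIPESTATUS because `tee` would otherwise
      # mask it. Trivy's own --timeout (30m) bounds the scan; slow runners
      # spend much of that downloading the misconfig checks bundle, so caching
      # ~/.cache/trivy between runs is the next improvement if this keeps
      # timing out.
      - name: Trivy filesystem security scan
        run: |
          set +e
          trivy fs --timeout 30m --scanners vuln,misconfig,secret --exit-code 1 --severity HIGH,CRITICAL . 2>&1 | tee trivy-scan.log
          trivy_exit="${PIPESTATUS[0]}"
          # A "clean" scan that parsed no dependency files is a broken scan.
          if ! grep -Eq "Number of language-specific files[[:space:]]+num=[1-9][0-9]*" trivy-scan.log; then
            echo "::error::Trivy did not detect any language-specific dependency files."
            exit 1
          fi
          exit "${trivy_exit}"

      # ── Build (includes SAST via SecurityCodeScan Roslyn analyzer) ──

      - name: Build Shared
        run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore

      - name: Build Bot (compile check, includes SAST)
        run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore

      - name: Build Discord Bot (compile check, includes SAST)
        run: dotnet build src/GmRelay.DiscordBot/GmRelay.DiscordBot.csproj --no-restore

      - name: Build Web (compile check, includes SAST)
        run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore

      # ── Tests ──

      - name: Run tests
        run: dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --verbosity normal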