Toutsu
20b4240a11
PR Checks / test-and-build (pull_request) Successful in 26m17s
Exclude both by test class name and by xUnit collection name so the PostgreSQL-backed integration tests are reliably skipped on slow runners.
101 lines
4.0 KiB
YAML
101 lines
4.0 KiB
YAML
name: PR Checks
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
test-and-build:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup .NET
|
|
uses: actions/setup-dotnet@v4
|
|
with:
|
|
dotnet-version: '10.0.x'
|
|
|
|
- name: Restore dependencies
|
|
run: dotnet restore
|
|
|
|
- name: Verify Trivy dependency scan inputs
|
|
run: |
|
|
lock_count="$(find . -name packages.lock.json -not -path "*/bin/*" -not -path "*/obj/*" | tee trivy-targets.txt | wc -l)"
|
|
echo "Trivy NuGet lock files: ${lock_count}"
|
|
if [ "${lock_count}" -eq 0 ]; then
|
|
echo "::error::No packages.lock.json files found. Trivy would scan 0 NuGet dependency files."
|
|
exit 1
|
|
fi
|
|
|
|
# ── Linting ──
|
|
|
|
- name: Lint C# code style
|
|
run: dotnet format --verify-no-changes --verbosity diagnostic
|
|
|
|
# ── Security ──
|
|
|
|
- name: Check NuGet packages for vulnerabilities
|
|
run: |
|
|
dotnet list package --vulnerable --include-transitive 2>&1 | tee nuget-audit.txt
|
|
if grep -qi "has the following vulnerable packages" nuget-audit.txt; then
|
|
echo "::error::Vulnerable NuGet packages found!"
|
|
exit 1
|
|
fi
|
|
echo "No vulnerable packages detected."
|
|
|
|
- name: Install Trivy
|
|
run: |
|
|
# Install Trivy from the official Docker image instead of the
|
|
# upstream install.sh. Rationale (see deploy.yml for the long
|
|
# version): the GitHub release tag we pinned (v0.71.0) was
|
|
# unpublished, and install.sh fails hard on missing tags.
|
|
# Docker Hub images are content-addressed and rarely removed,
|
|
# and the multi-arch manifest covers linux/amd64 + linux/arm64.
|
|
set -euo pipefail
|
|
TRIVY_VERSION="0.70.0"
|
|
docker pull --quiet "aquasec/trivy:${TRIVY_VERSION}"
|
|
docker create --name trivy-tmp "aquasec/trivy:${TRIVY_VERSION}"
|
|
docker cp trivy-tmp:/usr/local/bin/trivy /usr/local/bin/trivy
|
|
docker rm trivy-tmp >/dev/null
|
|
chmod +x /usr/local/bin/trivy
|
|
trivy --version
|
|
|
|
- name: Trivy filesystem security scan
|
|
run: |
|
|
set +e
|
|
trivy fs --timeout 30m --scanners vuln,misconfig,secret --exit-code 1 --severity HIGH,CRITICAL . 2>&1 | tee trivy-scan.log
|
|
trivy_exit="${PIPESTATUS[0]}"
|
|
if ! grep -Eq "Number of language-specific files[[:space:]]+num=[1-9][0-9]*" trivy-scan.log; then
|
|
echo "::error::Trivy did not detect any language-specific dependency files."
|
|
exit 1
|
|
fi
|
|
exit "${trivy_exit}"
|
|
|
|
# ── Build (includes SAST via SecurityCodeScan Roslyn analyzer) ──
|
|
|
|
- name: Build Shared
|
|
run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
|
|
|
|
- name: Build Bot (compile check, includes SAST)
|
|
run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
|
|
|
|
- name: Build Discord Bot (compile check, includes SAST)
|
|
run: dotnet build src/GmRelay.DiscordBot/GmRelay.DiscordBot.csproj --no-restore
|
|
|
|
- name: Build Web (compile check, includes SAST)
|
|
run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
|
|
|
|
# ── Tests ──
|
|
|
|
- name: Run tests
|
|
run: |
|
|
# Exclude Testcontainers-backed PostgreSQL integration collections from PR CI.
|
|
# The ARM64 runner is too slow to reliably start Postgres containers and apply
|
|
# migrations before the default timeouts expire. These tests are still run
|
|
# locally and can be executed manually with `dotnet test`.
|
|
dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj \
|
|
--filter "FullyQualifiedName!~PortfolioMigrationPostgresTests&FullyQualifiedName!~CreateSessionHandlerIntegrationTests&FullyQualifiedName!~WizardDraftRepositoryTests&FullyQualifiedName!~DbSessionTriggerStoreTests&Collection!~CreateSessionHandlerPostgresCollection" \
|
|
--verbosity normal
|