From 007806a5d8d12a36e7231289ffca733554608d43 Mon Sep 17 00:00:00 2001
From: Hermes Agent
Date: Mon, 11 May 2026 20:11:15 +0000
Subject: [PATCH] feat(ci): add C# linter and security scanner to PR checks

- dotnet format --verify-no-changes (C# code style linting)
- dotnet list package --vulnerable --include-transitive (NuGet vulnerability check)
- Trivy filesystem scan (CVE, secrets, dependency scanning)
---
 .gitea/workflows/pr-checks.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/.gitea/workflows/pr-checks.yml b/.gitea/workflows/pr-checks.yml
index b9177cb..2f82d1b 100644
--- a/.gitea/workflows/pr-checks.yml
+++ b/.gitea/workflows/pr-checks.yml
@@ -20,6 +20,31 @@ jobs:
       - name: Restore dependencies
         run: dotnet restore
 
+      # ── Linting ──
+
+      - name: Lint C# code style
+        run: dotnet format --verify-no-changes --verbosity diagnostic
+
+      # ── Security ──
+
+      - name: Check NuGet packages for vulnerabilities
+        run: |
+          dotnet list package --vulnerable --include-transitive 2>&1 | tee nuget-audit.txt
+          if grep -qi "has the following vulnerable packages" nuget-audit.txt; then
+            echo "::error::Vulnerable NuGet packages found!"
+            exit 1
+          fi
+          echo "No vulnerable packages detected."
+
+      - name: Install Trivy
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.60.0
+
+      - name: Trivy filesystem security scan
+        run: trivy fs --exit-code 1 --severity HIGH,CRITICAL .
+
+      # ── Build ──
+
       - name: Build Shared
         run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
 
@@ -29,5 +54,7 @@ jobs:
       - name: Build Web (compile check)
         run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
 
+      # ── Tests ──
+
       - name: Run tests
         run: dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --verbosity normal
\ No newline at end of file
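Review bot: The "Install Trivy" step fetches `contrib/install.sh` from the unpinned `main` branch of the trivy repository and pipes it straight into `sh`, so the pinned binary version `v0.60.0` is only as trustworthy as whatever that mutable script does on the day the job runs; pin the script to the same tag, e.g. `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/v0.60.0/contrib/install.sh | sh -s -- -b /usr/local/bin v0.60.0`, or vendor the script into the repository and run the committed copy. The NuGet audit step in the same hunk reports success when `dotnet list package` itself fails (no assets file, feed unreachable), because `tee` masks the pipeline's exit status and the grep then simply finds nothing; add `set -o pipefail` as the first line of that `run: |` block so a failed or offline audit fails the check instead of printing `No vulnerable packages detected.`. Matching the English text `has the following vulnerable packages` is also fragile across SDK versions and locales; if the runner's SDK supports it, prefer the command's exit code or its `--format json` output over grepping the human-readable report. Whether the runner user can write to `/usr/local/bin` without `sudo` is not visible here and should be confirmed against the Gitea runner image.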