Toutsu/GmRelayBot
1
1
Fork 0
Code Issues 18 Pull Requests Actions 1 Packages Projects Releases 85 Wiki Activity
Files
06d40fdbc8bea03bb40fc7fce36bb85201a36882
GmRelayBot/.gitea/workflows/pr-checks.yml
T
Toutsu 06d40fdbc8
PR Checks / security-scan (pull_request) Failing after 1m17s
Details
PR Checks / test-and-build (pull_request) Successful in 3m27s
Details
ci: add deep SAST via SecurityCodeScan Roslyn analyzer 
- SecurityCodeScan.VS2019 5.6.7 injected into Directory.Build.props
  scans all C# source during every dotnet build
- HIGH/CRITICAL findings fail the build because TreatWarningsAsErrors=true
- No extra CI step needed: analyzer runs inside every build job automatically

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-12 12:45:36 +03:00

52 lines
1.4 KiB
YAML
Raw Blame History

name: PR Checks
on:
pull_request:
branches:
- main
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- name: Run Trivy filesystem scan (full repo)
run: |
trivy fs \
--scanners vuln,secret,misconfig \
--severity HIGH,CRITICAL \
--exit-code 1 \
--format table \
.
test-and-build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '10.0.x'
- name: Restore dependencies
run: dotnet restore
- name: Build Shared (includes SAST via SecurityCodeScan)
run: dotnet build src/GmRelay.Shared/GmRelay.Shared.csproj --no-restore
- name: Build Bot (compile check, includes SAST)
run: dotnet build src/GmRelay.Bot/GmRelay.Bot.csproj --no-restore
- name: Build Web (compile check, includes SAST)
run: dotnet build src/GmRelay.Web/GmRelay.Web.csproj --no-restore
- name: Run tests
run: dotnet test tests/GmRelay.Bot.Tests/GmRelay.Bot.Tests.csproj --verbosity normal
Reference in New Issue View Git Blame Copy Permalink