Use YARA for batched word matching #1327
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Signature Test | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| permissions: | |
| pull-requests: write | |
| contents: read | |
| jobs: | |
| signature-test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v6 | |
| - name: Set up Python | |
| run: uv python install 3.10 | |
| - name: Install dependencies | |
| run: uv sync --group dev | |
| - name: Check for specific string in PR title and creator | |
| run: | | |
| pr_title=$(printf '%q' "${{ github.event.pull_request.title }}") | |
| pr_creator="${{ github.event.pull_request.user.login }}" | |
| echo "Pull Request title: $pr_title" > signaturetest.log | |
| echo "Pull Request creator: $pr_creator" >> signaturetest.log | |
| if [[ "$pr_title" == "[SignatureBot]"* ]]; then | |
| echo "IS_NEW_SIGNATURE_PR=true" >> "$GITHUB_ENV" | |
| echo "PR $pr_title Qualified" >> signaturetest.log | |
| else | |
| echo "IS_NEW_SIGNATURE_PR=false" >> "$GITHUB_ENV" | |
| echo "PR $pr_title NOT Qualified" >> signaturetest.log | |
| fi | |
| env: | |
| GH_TOKEN: ${{ secrets.DNSBOT_TOKEN }} | |
| - name: Run signature test | |
| if: env.IS_NEW_SIGNATURE_PR == 'true' | |
| run: | | |
| PR_NUMBER=${{ github.event.pull_request.number }} | |
| FILE=$(gh pr diff "$PR_NUMBER" --name-only | grep -v "signature_history.txt" || true) | |
| if [[ -z "$FILE" ]]; then | |
| echo "No valid files to process." >> signaturetest.log | |
| exit 1 | |
| fi | |
| echo "Running signature test against: $FILE" >> signaturetest.log | |
| OUTPUT=$(uv run python3 baddns/scripts/signaturetest.py "$FILE" | jq .) | |
| echo "$OUTPUT" > output.json | |
| echo "Run finished with this output: $OUTPUT" >> signaturetest.log | |
| echo "SIGNATURE_TEST_RESULT=$OUTPUT" >> "$GITHUB_ENV" | |
| SIGNATURE_PASS=$(echo "$OUTPUT" | jq -r '.signature_pass') | |
| if [[ "$SIGNATURE_PASS" == "true" ]]; then | |
| gh pr edit "$PR_NUMBER" --remove-label "tests-failed" --add-label "tests-passed" | |
| else | |
| gh pr edit "$PR_NUMBER" --remove-label "tests-passed" --add-label "tests-failed" | |
| fi | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Post result comment | |
| if: always() && env.IS_NEW_SIGNATURE_PR == 'true' | |
| run: | | |
| output=$(cat output.json) | |
| signature_pass=$(echo "$output" | jq -r '.signature_pass') | |
| match_table=$(echo "$output" | jq -r '.match_table') | |
| error=$(echo "$output" | jq -r '.error') | |
| if [[ "$signature_pass" == "true" ]]; then | |
| emoji=":heavy_check_mark:" | |
| else | |
| emoji=":x:" | |
| fi | |
| comment="**Test results**: | |
| Signature Pass: **$signature_pass** $emoji" | |
| if [[ "$match_table" != "{}" ]]; then | |
| comment+=$'\n\nMatch Table:\n\n| Domain | Match |\n| --- | --- |' | |
| while IFS="|" read -r domain match; do | |
| comment+=$'\n| '"$domain"' | '"$match"' |' | |
| done < <(echo "$match_table" | jq -r 'to_entries[] | "\(.key)|\(.value)"') | |
| fi | |
| if [[ "$signature_pass" == "false" ]]; then | |
| comment+=" | |
| Error: **$error**" | |
| fi | |
| echo "Attempting to add comment to PR..." >> signaturetest.log | |
| gh pr comment "${{ github.event.pull_request.number }}" --body "$comment" | |
| env: | |
| GH_TOKEN: ${{ secrets.DNSBOT_TOKEN }} | |
| - name: Upload Signature Test Log | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: signature-test-log | |
| path: signaturetest.log |