docker-agent/.github/workflows/nightly-scan.yml at 535ec70e45e263a39728fa3d11b1a061de6244c4 · derekmisler/docker-agent · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
name: Nightly Codebase Scan

on:
  schedule:
    # Run every day at 2am UTC
    - cron: "0 2 * * *"
  workflow_dispatch:
    inputs:
      dry-run:
        description: "Log issues only, do not create them"
        type: boolean
        default: false

permissions:
  contents: read
  issues: write

concurrency:
  group: nightly-scan
  cancel-in-progress: false

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    env:
      HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1

      - name: Ensure cache directory exists
        run: mkdir -p "${{ github.workspace }}/.cache"

      - name: Restore scanner memory
        uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: ${{ github.workspace }}/.cache/scanner-memory.db
          key: scanner-memory-${{ github.repository }}-${{ github.run_id }}
          restore-keys: |
            scanner-memory-${{ github.repository }}-

      - name: Generate GitHub App token
        if: env.HAS_APP_SECRETS == 'true'
        id: app-token
        continue-on-error: true
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
        with:
          app_id: ${{ secrets.CAGENT_REVIEWER_APP_ID }}
          private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}

      - name: Run nightly scan
        uses: docker/cagent-action@3a12dbd0c6cd7dda3d4e05f24f0143c9701456de # latest (v1.2.13)
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
        with:
          agent: ${{ github.workspace }}/.github/agents/nightly-scanner.yaml
          prompt: "${{ inputs['dry-run'] && 'DRY RUN MODE: Do not create any issues. Just report what you would create.' || 'Run the nightly scan as documented in your instructions.' }}"
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
          google-api-key: ${{ secrets.GEMINI_API_KEY }}
          github-token: ${{ steps.app-token.outputs.token || github.token }}
          timeout: 1200

      - name: Save scanner memory
        uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        if: always()
        with:
          path: ${{ github.workspace }}/.cache/scanner-memory.db
          key: scanner-memory-${{ github.repository }}-${{ github.run_id }}