Scan Flowkeeper release #16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scan Flowkeeper release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release: | |
| description: 'Release to scan, e.g. v0.10.0. Empty means latest.' | |
| required: false | |
| default: '' | |
| type: string | |
| workflow_call: | |
| inputs: | |
| release: | |
| description: 'Release to scan, e.g. v0.10.0. Empty means latest.' | |
| required: true | |
| default: '' | |
| type: string | |
| secrets: | |
| VTCLI_APIKEY: | |
| required: true | |
| jobs: | |
| scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Download binaries | |
| shell: bash | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| RELEASE: ${{ inputs.release }} | |
| run: | | |
| ./download-release.sh | |
| RELEASE="$(cat release.txt)" | |
| rm -rf release.txt | |
| echo "::set-output name=release::$RELEASE" | |
| echo "Downloaded release $RELEASE" | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Scan binaries | |
| shell: bash | |
| env: | |
| VTCLI_APIKEY: ${{ secrets.VTCLI_APIKEY }} | |
| run: | | |
| pip install -r requirements.txt | |
| SCAN_STATUS=$(python3 vtscan.py downloads/*.exe) | |
| echo "$SCAN_STATUS" | |
| { | |
| echo 'SCAN_STATUS<<EOF' | |
| echo "$SCAN_STATUS" | |
| echo EOF | |
| } >> $GITHUB_ENV | |
| - name: Save scan results as an artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: vtscan-results | |
| path: | | |
| vtscan-results-all.json | |
| vtscan-results-warnings.json | |
| upload: | |
| # Making it a standalone job to limit its security perimeter | |
| runs-on: ubuntu-latest | |
| needs: scan | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal access token. | |
| fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository. | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: vtscan-results | |
| path: . | |
| - name: Commit scan results | |
| shell: bash | |
| env: | |
| RELEASE: "v1.0.0" | |
| run: | | |
| echo "Will upload files for release $RELEASE" | |
| mv vtscan-results-all.json "vt-scan-results/$RELEASE-all.json" | |
| mv vtscan-results-warnings.json "vt-scan-results/$RELEASE-warnings.json" | |
| python3 html.py > index.html | |
| git config --local user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --local user.name "github-actions[bot]" | |
| git add . | |
| git commit -a -m "Updated VT scan results" | |
| - name: Push changes | |
| uses: ad-m/github-push-action@master | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| branch: main |