fix: build from checked-out source, not stale desktop copy #12
| name: ShieldCI Security Scan | |
| on: | |
| push: | |
| branches: [main, master] | |
| pull_request: | |
| branches: [main, master] | |
| workflow_dispatch: | |
| jobs: | |
| shieldci-scan: | |
| runs-on: self-hosted | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout target repository | |
| uses: actions/checkout@v4 | |
| - name: Gather metadata | |
| id: meta | |
| run: | | |
| echo "repo=${{ github.repository }}" >> "$GITHUB_OUTPUT" | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| echo "branch=${{ github.head_ref }}" >> "$GITHUB_OUTPUT" | |
| echo "commit=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT" | |
| echo "trigger=PR" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "branch=${{ github.ref_name }}" >> "$GITHUB_OUTPUT" | |
| echo "commit=${{ github.sha }}" >> "$GITHUB_OUTPUT" | |
| echo "trigger=${{ github.event_name }}" >> "$GITHUB_OUTPUT" | |
| fi | |
| echo "commit_msg=$(git log -1 --pretty=%s 2>/dev/null || echo 'scan')" >> "$GITHUB_OUTPUT" | |
| - name: Build ShieldCI engine from checked-out source | |
| run: | | |
| cd "$GITHUB_WORKSPACE" | |
| cargo build --release | |
| - name: Check ShieldCI engine is available | |
| run: | | |
| if [ ! -f "$GITHUB_WORKSPACE/target/release/shield-ci" ]; then | |
| echo "ERROR: ShieldCI engine not found after build" | |
| exit 1 | |
| fi | |
| - name: Build Kali Docker image | |
| run: | | |
| cd "$GITHUB_WORKSPACE" | |
| docker build -t shieldci-kali-image . | |
| - name: Install test app dependencies | |
| run: | | |
| cd "$GITHUB_WORKSPACE/tests" | |
| npm install | |
| - name: Run ShieldCI engine | |
| id: scan | |
| run: | | |
| START_TIME=$(date +%s) | |
| cd "$GITHUB_WORKSPACE/tests" | |
| "$GITHUB_WORKSPACE/target/release/shield-ci" 2>&1 | tee scan_output.log || true | |
| END_TIME=$(date +%s) | |
| echo "duration=$((END_TIME - START_TIME))s" >> "$GITHUB_OUTPUT" | |
| - name: Push results to ShieldCI dashboard | |
| if: always() | |
| env: | |
| SHIELDCI_API_URL: ${{ secrets.SHIELDCI_API_URL }} | |
| SHIELDCI_API_KEY: ${{ secrets.SHIELDCI_API_KEY }} | |
| SHIELDCI_REPO: ${{ steps.meta.outputs.repo }} | |
| SHIELDCI_BRANCH: ${{ steps.meta.outputs.branch }} | |
| SHIELDCI_COMMIT: ${{ steps.meta.outputs.commit }} | |
| SHIELDCI_COMMIT_MSG: ${{ steps.meta.outputs.commit_msg }} | |
| SHIELDCI_DURATION: ${{ steps.scan.outputs.duration }} | |
| SHIELDCI_TRIGGERED_BY: ${{ steps.meta.outputs.trigger }} | |
| SHIELDCI_RESULTS_FILE: ${{ github.workspace }}/tests/shield_results.json | |
| run: | | |
| python3 "$GITHUB_WORKSPACE/push_results.py" | |
| - name: Post scan summary as PR comment | |
| if: github.event_name == 'pull_request' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const reportPath = process.env.GITHUB_WORKSPACE + '/tests/SHIELD_REPORT.md'; | |
| let report = 'Scan completed but no report was generated.'; | |
| try { | |
| report = fs.readFileSync(reportPath, 'utf8'); | |
| if (report.length > 60000) report = report.substring(0, 60000) + '\n\n... (truncated)'; | |
| } catch (e) { report = 'Could not read scan report.'; } | |
| await github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: '## 🛡️ ShieldCI Security Scan Results\n\n' + report | |
| }); |
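Review bot: `${{ github.head_ref }}` on the `branch=` line of the "Gather metadata" step is expanded into the shell script text before the shell runs it, so a PR branch name containing a quote or `$(…)` executes as shell on the runner; `github.ref_name` on the else branch has the same property. Pass both through the step's environment instead, `env: { HEAD_REF: ${{ github.head_ref }}, REF_NAME: ${{ github.ref_name }} }`, and write `echo "branch=$HEAD_REF" >> "$GITHUB_OUTPUT"` — environment values are expanded by the shell as data, not re-parsed as script. This weighs more here because the job runs on a `self-hosted` runner and is triggered by `pull_request`, which, if the repository accepts pull requests from forks, already means the checked-out tree, `cargo build`, `docker build` and `npm install` all execute untrusted content on that machine. In the pull_request branch the `git log -1` on the last line of the step presumably reads the subject of checkout's merge ref rather than the head commit whose sha is written on the `commit=` line, so the two outputs describe different commits. Two smaller points: `npm install` in the tests step does not honour a lockfile the way `npm ci` would, and `actions/checkout@v4` and `actions/github-script@v7` are pinned to a major tag rather than a commit SHA.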