|
| 1 | +name: VirusTotal Scan |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + schedule: |
| 6 | + - cron: "0 17 * * *" |
| 7 | + pull_request_target: |
| 8 | + types: [opened, synchronize] |
| 9 | + |
| 10 | +permissions: |
| 11 | + contents: read # Restrict GITHUB_TOKEN |
| 12 | + |
| 13 | +jobs: |
| 14 | + vt-plugin-scan-changes-check: |
| 15 | + if: github.event_name == 'pull_request_target' |
| 16 | + runs-on: ubuntu-latest |
| 17 | + outputs: |
| 18 | + plugins: ${{ steps.filter.outputs.plugins }} |
| 19 | + non_plugin_files: ${{ steps.filter.outputs.non_plugin_files }} |
| 20 | + steps: |
| 21 | + - name: Check out repository code |
| 22 | + uses: actions/checkout@v6 |
| 23 | + with: |
| 24 | + ref: ${{ github.event.pull_request.head.sha }} |
| 25 | + - uses: dorny/paths-filter@v4 |
| 26 | + id: filter |
| 27 | + with: |
| 28 | + predicate-quantifier: 'every' |
| 29 | + filters: | |
| 30 | + plugins: |
| 31 | + - 'plugins/*.json' |
| 32 | + non_plugin_files: |
| 33 | + - '**' |
| 34 | + - '!plugins/*.json' |
| 35 | + - name: Fail if non-plugin files changed |
| 36 | + if: github.event_name == 'pull_request_target' && steps.filter.outputs.plugins == 'true' && steps.filter.outputs.non_plugin_files == 'true' |
| 37 | + run: | |
| 38 | + echo "This PR contains changes to files outside the plugins directory." |
| 39 | + echo "Plugin submission PRs must only create/modify plugin manifest files in the plugins directory." |
| 40 | + exit 1 |
| 41 | +
|
| 42 | + vt-plugin-scan: |
| 43 | + needs: vt-plugin-scan-changes-check |
| 44 | + if: | |
| 45 | + always() && ( |
| 46 | + (github.event_name == 'pull_request_target' && needs.vt-plugin-scan-changes-check.outputs.plugins == 'true' && needs.vt-plugin-scan-changes-check.outputs.non_plugin_files == 'false') || |
| 47 | + github.event_name == 'workflow_dispatch' || |
| 48 | + github.event_name == 'schedule' |
| 49 | + ) |
| 50 | + runs-on: ubuntu-latest |
| 51 | + steps: |
| 52 | + - name: Check out repository code |
| 53 | + uses: actions/checkout@v6 |
| 54 | + # To actually check out and run the plugin downloader from the fork's PR |
| 55 | + with: |
| 56 | + ref: ${{ github.event.pull_request.head.sha }} |
| 57 | + |
| 58 | + - name: Set up Python |
| 59 | + uses: actions/setup-python@v6 |
| 60 | + with: |
| 61 | + python-version: "3.11" |
| 62 | + |
| 63 | + - name: Install dependencies |
| 64 | + run: pip install requests |
| 65 | + |
| 66 | + # Avoid repeat downloads which bump the plugins' download count |
| 67 | + - name: Restore downloaded plugin cache |
| 68 | + uses: actions/cache/restore@v5 |
| 69 | + # No need to restore cache, PR's plugin is downloaded and scanned each time. |
| 70 | + # Plugin dev may repeatedly only update one version |
| 71 | + if: github.event_name != 'pull_request_target' |
| 72 | + with: |
| 73 | + path: | |
| 74 | + scan-files/ |
| 75 | + plugin-download-cache.json |
| 76 | + key: plugin-zips-restore-not-used |
| 77 | + restore-keys: plugin-zips- |
| 78 | + |
| 79 | + - name: Download plugin submitted in this PR |
| 80 | + if: github.event_name == 'pull_request_target' |
| 81 | + run: python ci/src/download_plugins.py --mode new --output-dir scan-files |
| 82 | + |
| 83 | + - name: Download all plugins with cache metadata |
| 84 | + if: github.event_name != 'pull_request_target' |
| 85 | + run: python ci/src/download_plugins.py --output-dir scan-files --cache-meta plugin-download-cache.json |
| 86 | + |
| 87 | + - name: Restore VirusTotal scan cache from previous runs |
| 88 | + uses: actions/cache/restore@v5 |
| 89 | + # Don't use cache, upload/retrieve report from VirustTotal each time for new submissions |
| 90 | + if: github.event_name != 'pull_request_target' |
| 91 | + with: |
| 92 | + path: vt_cache.json |
| 93 | + key: vt-cache-restore-not-used |
| 94 | + restore-keys: vt-cache- |
| 95 | + |
| 96 | + - name: Run VirusTotal scan |
| 97 | + uses: jjw24/virustotal-scanner-action@v1.0.1 |
| 98 | + with: |
| 99 | + api-key: ${{ secrets.VT_API_KEY }} |
| 100 | + scan-paths: | |
| 101 | + ./scan-files/ |
| 102 | + no-cache: false |
| 103 | + cache-path: vt_cache.json |
| 104 | + whitelist-path: vt_whitelist.json |
| 105 | + report-path: vt_report.json |
| 106 | + request-interval-sec: 15 |
| 107 | + analysis-poll-timeout-sec: 600 |
| 108 | + download-timeout-sec: 120 |
| 109 | + max-report-age-days: 30 |
| 110 | + |
| 111 | + - name: Save VirusTotal scan cache for future runs |
| 112 | + uses: actions/cache/save@v5 |
| 113 | + # Cache not used for PR plugin submissions |
| 114 | + if: always() && github.event_name != 'pull_request_target' |
| 115 | + with: |
| 116 | + path: vt_cache.json |
| 117 | + key: vt-cache-${{ hashFiles('vt_cache.json') }} |
| 118 | + |
| 119 | + - name: Save plugin ZIPs and cache metadata for future runs |
| 120 | + uses: actions/cache/save@v5 |
| 121 | + # Upload even if scan fails |
| 122 | + if: always() && github.event_name != 'pull_request_target' |
| 123 | + with: |
| 124 | + path: | |
| 125 | + scan-files/ |
| 126 | + plugin-download-cache.json |
| 127 | + key: plugin-zips-${{ hashFiles('plugin-download-cache.json') }} |
| 128 | + |
| 129 | + - name: Upload VirusTotal scan report as viewable artifact |
| 130 | + uses: actions/upload-artifact@v7 |
| 131 | + if: always() |
| 132 | + with: |
| 133 | + path: vt_report.json |
| 134 | + archive: false |
| 135 | + |
| 136 | + - name: Upload VirusTotal scan cache as viewable artifact |
| 137 | + uses: actions/upload-artifact@v7 |
| 138 | + # Cache not used for PR plugin submissions |
| 139 | + if: always() && github.event_name != 'pull_request_target' |
| 140 | + with: |
| 141 | + path: vt_cache.json |
| 142 | + archive: false |
| 143 | + |
| 144 | + - name: Upload plugin download cache metadata as viewable artifact |
| 145 | + uses: actions/upload-artifact@v7 |
| 146 | + # Upload even if scan fails |
| 147 | + if: always() && github.event_name != 'pull_request_target' |
| 148 | + with: |
| 149 | + path: plugin-download-cache.json |
| 150 | + archive: false |
0 commit comments