Update install.md #6
| name: Secure Media + Docs Validation | |
| on: | |
| push: | |
| pull_request: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: validation-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| validate: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v5 | |
| - name: Install dependencies | |
| run: | | |
| set -euo pipefail | |
| sudo apt-get update | |
| sudo apt-get install -y \ | |
| file \ | |
| ffmpeg \ | |
| imagemagick \ | |
| jq \ | |
| clamav \ | |
| clamav-freshclam | |
| - name: Update ClamAV signatures | |
| run: | | |
| set -euo pipefail | |
| sudo systemctl stop clamav-freshclam || true | |
| # Allow fallback if signature update fails (common on CI) | |
| sudo freshclam || true | |
| echo "ClamAV databases:" | |
| ls -lah /var/lib/clamav || true | |
| - name: Scan for malware | |
| run: | | |
| set -euo pipefail | |
| SCAN_TARGETS=() | |
| [ -d media ] && SCAN_TARGETS+=(media) | |
| [ -d docs ] && SCAN_TARGETS+=(docs) | |
| if [ ${#SCAN_TARGETS[@]} -eq 0 ]; then | |
| echo "Neither media/ nor docs/ exists" | |
| exit 1 | |
| fi | |
| if ls /var/lib/clamav/*.cvd >/dev/null 2>&1 || \ | |
| ls /var/lib/clamav/*.cld >/dev/null 2>&1; then | |
| clamscan -r "${SCAN_TARGETS[@]}" \ | |
| --infected \ | |
| --no-summary \ | |
| --max-filesize=50M \ | |
| --max-scansize=100M | |
| else | |
| echo "WARNING: No ClamAV signatures found. Skipping scan." | |
| fi | |
| - name: Validate media files | |
| run: | | |
| set -euo pipefail | |
| if [ ! -d media ]; then | |
| echo "media/ directory not found" | |
| exit 1 | |
| fi | |
| find media -type f -print0 | while IFS= read -r -d '' file; do | |
| echo "Checking media: $file" | |
| mime=$(file --mime-type -b "$file") | |
| case "$mime" in | |
| image/jpeg|image/png|image/gif|image/webp) | |
| identify "$file" >/dev/null | |
| ;; | |
| video/mp4|video/webm|video/quicktime) | |
| ffprobe -v error "$file" >/dev/null | |
| ;; | |
| audio/mpeg|audio/wav|audio/ogg) | |
| ffprobe -v error "$file" >/dev/null | |
| ;; | |
| *) | |
| echo "ERROR: Unsupported media type" | |
| echo "File: $file" | |
| echo "MIME: $mime" | |
| exit 1 | |
| ;; | |
| esac | |
| done | |
| - name: Validate docs files | |
| run: | | |
| set -euo pipefail | |
| if [ ! -d docs ]; then | |
| echo "docs/ directory not found" | |
| exit 1 | |
| fi | |
| find docs -type f -print0 | while IFS= read -r -d '' file; do | |
| echo "Checking docs: $file" | |
| case "$file" in | |
| *.md) | |
| # 1. Must be valid text file (reject binaries properly) | |
| if ! grep -Iq . "$file"; then | |
| echo "ERROR: Non-text or binary markdown detected" | |
| echo "File: $file" | |
| exit 1 | |
| fi | |
| # 2. Enforce UTF-8 encoding (prevents UTF-16 issues) | |
| encoding=$(file --mime-encoding -b "$file" || true) | |
| case "$encoding" in | |
| utf-8|us-ascii) ;; | |
| *) | |
| echo "ERROR: Invalid encoding in markdown: $encoding" | |
| echo "File: $file" | |
| exit 1 | |
| ;; | |
| esac | |
| ;; | |
| *.json) | |
| jq -e . "$file" >/dev/null | |
| ;; | |
| *) | |
| echo "ERROR: Unsupported file in docs/" | |
| echo "File: $file" | |
| exit 1 | |
| ;; | |
| esac | |
| done | |
| - name: Reject executable files | |
| run: | | |
| set -euo pipefail | |
| mapfile -d '' exec_files < <(find media docs -type f -executable -print0 2>/dev/null || true) | |
| if [ ${#exec_files[@]} -gt 0 ]; then | |
| echo "ERROR: Executable files found" | |
| printf '%s\n' "${exec_files[@]}" | |
| exit 1 | |
| fi |
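Review bot: The malware scan is fail-open: `sudo freshclam || true` in "Update ClamAV signatures" swallows a failed signature download, and the `else` branch of "Scan for malware" then only prints a warning and lets the job succeed, so a transient CI network failure silently disables the control while the workflow still reports a passing validation. I would make the missing-signature case fatal by replacing the else branch body with `echo "ERROR: No ClamAV signatures found; refusing to skip the scan" >&2` and `exit 1`, or at minimum drop the `|| true` on `freshclam` so the failure surfaces in the step that caused it. Separately, every `find … -type f` in the Validate and Reject steps matches regular files only, so a committed symlink inside media/ or docs/ is neither checked by the MIME/encoding validation nor caught by the executable-bit test; adding a `find media docs -type l -print0` check to "Reject executable files" (failing if it prints anything) closes that gap. Finally, `uses: actions/checkout@v5` is a mutable tag; pinning to a full commit SHA (`actions/checkout@<full-commit-sha> # v5`) is the usual supply-chain hardening for a workflow whose purpose is a security gate. The workflow appears to end at this `fi`; if the file continues past this view, the points above are unaffected.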