Skip to content

Commit f197069

Browse files
Merge pull request #1 from coder/cat/step-1-scanner-pipeline
feat: scanner pipeline, workflows, tests, repo plumbing
2 parents 3e01d89 + feab0c6 commit f197069

82 files changed

Lines changed: 12742 additions & 153 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/dependabot.yml

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
version: 2
2+
updates:
3+
# Python deps from pyproject.toml. Also picks up the SkillSpector
4+
# git pin if Dependabot's git-pin handling is enabled by GitHub for
5+
# this org; otherwise the pin is bumped manually via PR.
6+
- package-ecosystem: pip
7+
directory: "/"
8+
schedule:
9+
interval: weekly
10+
day: monday
11+
time: "10:00"
12+
timezone: Etc/UTC
13+
open-pull-requests-limit: 5
14+
labels: ["deps", "python"]
15+
commit-message:
16+
prefix: "chore(deps)"
17+
18+
# GitHub Actions SHAs across every workflow.
19+
- package-ecosystem: github-actions
20+
directory: "/"
21+
schedule:
22+
interval: weekly
23+
day: monday
24+
time: "10:00"
25+
timezone: Etc/UTC
26+
open-pull-requests-limit: 5
27+
labels: ["deps", "github-actions"]
28+
commit-message:
29+
prefix: "chore(deps)"

.github/workflows/ci.yaml

Lines changed: 53 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -32,9 +32,8 @@ jobs:
3232
".catalogue.registry_repo.repo"
3333
".catalogue.registry_repo.ref"
3434
".scanners.skillspector.pin"
35-
".scanners.clamav.apt_packages"
36-
".verdict.malicious_if"
37-
".verdict.suspicious_if"
35+
".verdict.malicious_risk_score"
36+
".verdict.suspicious_risk_score"
3837
".publish.release.rolling_tag"
3938
".publish.pages.enabled"
4039
".schedule.cron"
@@ -68,25 +67,26 @@ jobs:
6867
python -m json.tool schema/report.schema.json > /dev/null
6968
check-jsonschema --check-metaschema schema/report.schema.json
7069
71-
lint-shell:
72-
name: ShellCheck and prettier
70+
pytest:
71+
name: pytest + ruff
7372
runs-on: ubuntu-latest
7473
permissions:
7574
contents: read
7675
steps:
7776
- name: Checkout
7877
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
79-
- name: Install shellcheck
80-
run: sudo apt-get update && sudo apt-get install -y shellcheck
81-
- name: ShellCheck
78+
- name: Set up Python
79+
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
80+
with:
81+
python-version: "3.12"
82+
- name: Install
8283
run: |
83-
shopt -s globstar nullglob
84-
files=(scripts/**/*.sh)
85-
if (( ${#files[@]} == 0 )); then
86-
echo "No shell scripts to lint yet."
87-
exit 0
88-
fi
89-
shellcheck "${files[@]}"
84+
python -m pip install --upgrade pip
85+
pip install -e ".[dev]"
86+
- name: ruff
87+
run: ruff check scanner tests
88+
- name: pytest
89+
run: pytest
9090

9191
lint-markdown:
9292
name: Markdownlint
@@ -102,3 +102,41 @@ jobs:
102102
node-version: "20"
103103
- name: Run markdownlint-cli2
104104
run: npx --yes markdownlint-cli2@0.18.1 "**/*.md" "!**/node_modules/**" "!LICENSE"
105+
106+
site:
107+
name: site (lint + types + test + build)
108+
runs-on: ubuntu-latest
109+
permissions:
110+
contents: read
111+
defaults:
112+
run:
113+
working-directory: site
114+
steps:
115+
- name: Checkout
116+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
117+
- name: Install pnpm
118+
uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
119+
with:
120+
version: 10.33.2
121+
- name: Set up Node
122+
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v6.0.0
123+
with:
124+
node-version: "22"
125+
cache: "pnpm"
126+
cache-dependency-path: site/pnpm-lock.yaml
127+
- name: Install
128+
run: pnpm install --frozen-lockfile
129+
- name: Lint
130+
run: pnpm lint
131+
- name: Type-check
132+
run: pnpm lint-types
133+
- name: Test
134+
run: pnpm test:ci
135+
- name: Build
136+
run: pnpm build
137+
- name: Upload SPA build
138+
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
139+
with:
140+
name: site-dist
141+
path: site/dist
142+
retention-days: 7

.github/workflows/prune.yaml

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
name: prune
2+
on:
3+
schedule:
4+
# Weekly Sundays 04:33 UTC.
5+
- cron: "33 4 * * 0"
6+
workflow_dispatch:
7+
8+
permissions: {}
9+
10+
jobs:
11+
prune-releases:
12+
name: Delete scan releases older than retention window
13+
runs-on: ubuntu-latest
14+
permissions:
15+
contents: write
16+
steps:
17+
- name: Checkout
18+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
19+
- name: Determine retention in days
20+
id: cfg
21+
run: |
22+
set -euo pipefail
23+
days="$(grep -E '^\s*retention_days:' config.yaml | head -1 | awk '{print $2}')"
24+
echo "days=${days:-90}" >> "$GITHUB_OUTPUT"
25+
- name: Delete old scan releases
26+
env:
27+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
28+
DAYS: ${{ steps.cfg.outputs.days }}
29+
run: |
30+
set -euo pipefail
31+
cutoff_epoch="$(date -u -d "${DAYS} days ago" +%s)"
32+
gh release list --limit 1000 --json tagName,createdAt \
33+
| jq -r --argjson cutoff "${cutoff_epoch}" \
34+
'.[] | select(.tagName | startswith("scan-")) | select((.createdAt | fromdateiso8601) < $cutoff) | .tagName' \
35+
| while read -r tag; do
36+
echo "Deleting old release ${tag}"
37+
gh release delete "${tag}" --yes --cleanup-tag
38+
done

0 commit comments

Comments
 (0)