name: av-clamav

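on:
  workflow_dispatch:
    inputs:
      tag:
        description: 'Release tag to scan (e.g., v0.15.16)'
        required: false
  release:
    types: [published]
  # Each trigger key may appear only once. A second `pull_request:` here made
  # the whole file invalid ("'pull_request' is already defined"), so no run
  # of this workflow executed at all.
  pull_request:
  push:
    branches: [dev]
  schedule:
    - cron: "0 3 * * 1"

# Read-only token for every job. The PR job executes the PR's own install and
# build hooks (bun/npm/cargo/go), i.e. untrusted code, possibly from a fork, so
# no job may be granted write scopes or secrets beyond GITHUB_TOKEN.
permissions:
  contents: read
  actions: read

defaults:
  run:
    # An explicitly requested `bash` shell runs with `-eo pipefail`: a failing
    # command, or a failing `clamscan | tee`, fails the step.
    shell: bash

jobs:
  # Builds whatever the repository contains and scans the build outputs on
  # every pull request and every push to dev.
  clamav-pr:
    if: github.event_name == 'pull_request' || github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): first-party actions are pinned to major tags; pin them to
      # full commit SHAs for a tamper-resistant supply chain.
      - uses: actions/checkout@v4
      - name: Detect repo meta
        id: meta
        run: |
          # Every flag is emitted as the literal string true/false so the
          # `if:` conditions below can compare against 'true'.
          has_bun_lock=false
          has_package_json=false
          has_pnpm_lock=false
          has_yarn_lock=false
          has_package_lock=false
          has_cargo=false
          has_go=false
          # Bun >= 1.2 writes a text lockfile (bun.lock) instead of bun.lockb.
          if [ -f bun.lockb ] || [ -f bun.lock ]; then has_bun_lock=true; fi
          if [ -f package.json ]; then has_package_json=true; fi
          if [ -f pnpm-lock.yaml ]; then has_pnpm_lock=true; fi
          if [ -f yarn.lock ]; then has_yarn_lock=true; fi
          if [ -f package-lock.json ]; then has_package_lock=true; fi
          # Any tracked Cargo.toml (workspace members included). The previous
          # `[ -n \"$(...)\" ]` form tested a string that always contained two
          # quote characters, so has_cargo was unconditionally true.
          # No `grep -q`: under pipefail an early grep exit can SIGPIPE git
          # and turn a match into a non-zero pipeline status.
          if git ls-files | grep -E '(^|/)Cargo.toml$' >/dev/null; then has_cargo=true; fi
          if [ -f go.mod ]; then has_go=true; fi
          {
            echo "has_bun_lock=$has_bun_lock"
            echo "has_package_json=$has_package_json"
            echo "has_pnpm_lock=$has_pnpm_lock"
            echo "has_yarn_lock=$has_yarn_lock"
            echo "has_package_lock=$has_package_lock"
            echo "has_cargo=$has_cargo"
            echo "has_go=$has_go"
          } >> "$GITHUB_OUTPUT"
      # --- JavaScript path (Bun/Node) ---
      - name: Setup Bun (no external action)
        if: steps.meta.outputs.has_bun_lock == 'true'
        run: |
          # Piping an unpinned remote installer to bash is unverified code
          # execution on the runner; tolerated only because this job holds a
          # read-only token and no other secrets.
          curl -fsSL https://bun.sh/install | bash
          echo "$HOME/.bun/bin" >> "$GITHUB_PATH"
          bun --version
      - name: Setup Node via corepack (fallback when not Bun)
        if: steps.meta.outputs.has_package_json == 'true' && steps.meta.outputs.has_bun_lock != 'true'
        run: |
          # Best-effort toolchain setup: a missing package manager only means
          # the matching install/build step below fails and is tolerated.
          sudo apt-get update -y
          sudo apt-get install -y nodejs npm || true
          npm i -g corepack || true
          corepack enable || true
          if [ "${{ steps.meta.outputs.has_yarn_lock }}" = "true" ]; then corepack prepare yarn@stable --activate || true; fi
          if [ "${{ steps.meta.outputs.has_pnpm_lock }}" = "true" ]; then corepack prepare pnpm@9 --activate || true; fi
          node -v || true
          corepack -v || true
      - name: Install deps (Bun)
        if: steps.meta.outputs.has_bun_lock == 'true'
        run: |
          # The scan target is whatever a build produces, not a green build,
          # so install/build failures are tolerated throughout this job.
          bun install --frozen-lockfile || bun install || true
      - name: Build (Bun)
        if: steps.meta.outputs.has_bun_lock == 'true'
        run: |
          bun run build || true
      - name: Install deps (Node)
        if: steps.meta.outputs.has_package_json == 'true' && steps.meta.outputs.has_bun_lock != 'true'
        run: |
          if [ "${{ steps.meta.outputs.has_pnpm_lock }}" = "true" ]; then pnpm install --frozen-lockfile || pnpm install || true; fi
          if [ "${{ steps.meta.outputs.has_package_lock }}" = "true" ]; then npm ci || npm i || true; fi
          if [ "${{ steps.meta.outputs.has_yarn_lock }}" = "true" ]; then (yarn --version || true) && (yarn install --frozen-lockfile || yarn install || true); fi
      - name: Build (Node)
        if: steps.meta.outputs.has_package_json == 'true' && steps.meta.outputs.has_bun_lock != 'true'
        run: |
          # The previous single line contained a literal `\n`, which bash read
          # as a command named `n`; `npm run build` was therefore never reached.
          pnpm run -c build || pnpm -r build || pnpm -w build \
            || npm run build || yarn build || true
      # --- Rust path (no external action) ---
      - name: Setup Rust (rustup)
        if: steps.meta.outputs.has_cargo == 'true'
        run: |
          # Prefer a toolchain already present on the runner image; only fall
          # back to the unpinned remote installer (unverified code execution,
          # same caveat as the Bun step) when cargo is absent.
          if ! command -v cargo >/dev/null 2>&1; then
            curl https://sh.rustup.rs -sSf | sh -s -- -y
          fi
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
          rustc --version || true
      - name: Build (Rust)
        if: steps.meta.outputs.has_cargo == 'true'
        run: cargo build --release || true
      # --- Go path (first-party action ok) ---
      - name: Setup Go
        if: steps.meta.outputs.has_go == 'true'
        uses: actions/setup-go@v5
        with:
          go-version: '1.22.x'
      - name: Build (Go)
        if: steps.meta.outputs.has_go == 'true'
        run: |
          mkdir -p dist
          # One binary per cmd/<name>; otherwise a single module-wide build.
          if ls cmd >/dev/null 2>&1; then
            for d in cmd/*; do name=$(basename "$d"); go build -o "dist/$name" "./$d" || true; done
          else
            go build -o dist/opencode ./... || true
          fi
      - name: Package build outputs
        run: |
          set -e
          mkdir -p dist-pr
          # First matching output directory wins; with no build output the
          # whole checkout (minus .git/.github) is archived instead. dist-pr
          # must be excluded there, otherwise tar reads its own output archive
          # and exits non-zero ("file changed as we read it").
          if [ -d dist ]; then tar -czf dist-pr/scan.tgz -C dist .
          elif [ -d build ]; then tar -czf dist-pr/scan.tgz -C build .
          elif [ -d target/release ]; then tar -czf dist-pr/scan.tgz -C target/release .
          else tar -czf dist-pr/scan.tgz --exclude=.git --exclude=.github --exclude=dist-pr .
          fi
      - name: Install ClamAV
        run: |
          sudo apt-get update
          sudo apt-get install -y clamav
          # The package starts a freshclam daemon that holds the update lock;
          # stop it so the one-shot update below can run. The update itself
          # stays best-effort (mirror hiccups), but a scan with no signature
          # database at all would pass vacuously, so that case is fatal.
          sudo systemctl stop clamav-freshclam || true
          sudo freshclam || true
          if ! ls /var/lib/clamav/*.cvd /var/lib/clamav/*.cld >/dev/null 2>&1; then
            echo "No ClamAV signature database found in /var/lib/clamav" >&2
            exit 1
          fi
          # Prints engine and signature versions into the job log.
          clamscan --version
      - name: ClamAV scan (PR)
        run: |
          # clamscan exits 0 clean, 1 infected, 2 error; with pipefail any of
          # those already fails the step. The summary-line check is an explicit
          # belt-and-braces guard that does not depend on being the last line.
          # NOTE(review): clamscan skips files above its --max-filesize /
          # --max-scansize limits; raise them if build outputs are large.
          clamscan -ri --scan-archive=yes dist-pr | tee clamav-pr.log
          if grep -q 'Infected files: [1-9]' clamav-pr.log; then
            echo "ClamAV reported infected files in the PR build output" >&2
            exit 1
          fi
      - name: Upload PR scan results
        # Keep the log (and the scanned archive, for false-positive triage)
        # precisely when the scan fails.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: clamav-pr-scan-results
          path: |
            clamav-pr.log
            dist-pr/scan.tgz
  # Downloads the assets of a published release (or the tag given on dispatch,
  # or the latest release on the weekly schedule) and scans them.
  clamav-scan:
    if: github.event_name == 'release' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
    name: ClamAV scan (release assets)
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Install ClamAV
        run: |
          sudo apt-get update
          sudo apt-get install -y clamav
          # Same rationale as the PR job: stop the packaged daemon, update
          # best-effort, refuse to scan without any signature database.
          sudo systemctl stop clamav-freshclam || true
          sudo freshclam || true
          if ! ls /var/lib/clamav/*.cvd /var/lib/clamav/*.cld >/dev/null 2>&1; then
            echo "No ClamAV signature database found in /var/lib/clamav" >&2
            exit 1
          fi
          clamscan --version
      - name: Resolve release tag
        id: resolve_tag
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed via env rather than expanded with `${{ }}` inside `run:`:
          # a tag name or dispatch input is free text chosen by whoever cut the
          # release or dispatched the run, and inline expansion is script
          # injection.
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          INPUT_TAG: ${{ github.event.inputs.tag }}
        run: |
          tag="$RELEASE_TAG"
          if [ -z "$tag" ]; then tag="$INPUT_TAG"; fi
          # Scheduled runs: the most recent release (which may be a pre-release).
          if [ -z "$tag" ]; then tag="$(gh release list --limit 1 --json tagName -q '.[0].tagName')"; fi
          if [ -z "$tag" ]; then echo 'No release tag found' >&2; exit 1; fi
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
      - name: Download assets
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ steps.resolve_tag.outputs.tag }}
        run: |
          mkdir -p dist-release
          gh release download "$TAG" --dir dist-release --clobber
      - name: Scan with ClamAV (release assets)
        run: |
          # NOTE(review): clamscan skips files above its --max-filesize /
          # --max-scansize limits; large release binaries need those raised
          # or they are not inspected at all.
          clamscan -ri --scan-archive=yes dist-release | tee clamav.log
          if grep -q 'Infected files: [1-9]' clamav.log; then
            echo "ClamAV reported infected release assets" >&2
            exit 1
          fi
      - name: Upload scan results
        # Keep the log precisely when the scan fails.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: clamav-scan-results
          path: clamav.log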