ci(clamav): unify into single workflow .github/workflows/clam-av.yml; PR/release/dispatch share one build via composite; deprecate old PR/Release files

riatzukiza · riatzukiza · commit 2b38bbe27fc0 · 2025-10-24T18:23:49.000-05:00
diff --git a/.github/workflows/clam-av-pr.yml b/.github/workflows/clam-av-pr.yml
@@ -1,50 +1,11 @@
-name: av-clamav-pr
+name: (deprecated) av-clamav-pr
+# This workflow is intentionally disabled to avoid duplication.
+# Use .github/workflows/clam-av.yml instead.
 on:
-  pull_request:
-
-permissions:
-  contents: read
+  workflow_call:
 
 jobs:
-  clamav-pr:
+  noop:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-
-      - name: Build and package
-        id: build
-        uses: ./.github/actions/build-package
-
-      - name: Upload build bundle
-        uses: actions/upload-artifact@v4
-        with:
-          name: opencode-bundle
-          path: bundle/opencode.zip
-
-      - name: Install & update ClamAV DB
-        run: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y clamav clamav-freshclam unzip
-          sudo systemctl stop clamav-freshclam || true
-          sudo mkdir -p /var/lib/clamav
-          sudo chown -R clamav:clamav /var/lib/clamav
-          sudo freshclam --verbose
-          ls -lh /var/lib/clamav
-
-      - name: Extract bundle and scan
-        run: |
-          set -e
-          rm -rf dist-pr/extracted && mkdir -p dist-pr/extracted
-          unzip -q bundle/opencode.zip -d dist-pr/extracted
-          echo "File count in payload: $(find dist-pr/extracted -type f | wc -l)"
-          clamscan -ri --scan-archive=yes dist-pr/extracted | tee clamav-pr.log
-          ! grep -q 'Infected files: [1-9]' clamav-pr.log
-
-      - name: Upload PR scan results
-        uses: actions/upload-artifact@v4
-        with:
-          name: clamav-pr-scan-results
-          path: |
-            clamav-pr.log
-            bundle/opencode.zip
+      - run: echo 'Deprecated: use clam-av.yml'
diff --git a/.github/workflows/clam-av-scan.yml b/.github/workflows/clam-av-scan.yml
@@ -1,54 +1,11 @@
-name: av-clamav-release
+name: (deprecated) av-clamav-release
+# This workflow is intentionally disabled to avoid duplication.
+# Use .github/workflows/clam-av.yml instead.
 on:
-  workflow_dispatch:
-  release:
-    types: [published]
-
-permissions:
-  contents: read
-  actions: read
+  workflow_call:
 
 jobs:
-  clamav-release:
+  noop:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout (release tag)
-        if: github.event_name == 'release'
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.release.tag_name }}
-      - name: Checkout (manual/default)
-        if: github.event_name != 'release'
-        uses: actions/checkout@v4
-
-      - name: Build and package
-        id: build
-        uses: ./.github/actions/build-package
-
-      - name: Install & update ClamAV DB
-        run: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y clamav clamav-freshclam unzip
-          sudo systemctl stop clamav-freshclam || true
-          sudo mkdir -p /var/lib/clamav
-          sudo chown -R clamav:clamav /var/lib/clamav
-          sudo freshclam --verbose
-          ls -lh /var/lib/clamav
-
-      - name: Extract bundle and scan
-        run: |
-          set -e
-          rm -rf dist-release/extracted && mkdir -p dist-release/extracted
-          unzip -q bundle/opencode.zip -d dist-release/extracted
-          echo "File count in payload: $(find dist-release/extracted -type f | wc -l)"
-          clamscan -ri --scan-archive=yes dist-release/extracted | tee clamav.log
-          ! grep -q 'Infected files: [1-9]' clamav.log
-
-      - name: Upload scan results
-        uses: actions/upload-artifact@v4
-        with:
-          name: clamav-release-scan-results
-          path: |
-            clamav.log
-            bundle/opencode.zip
+      - run: echo 'Deprecated: use clam-av.yml'
diff --git a/.github/workflows/clam-av.yml b/.github/workflows/clam-av.yml
@@ -0,0 +1,59 @@
+name: av-clamav
+on:
+  pull_request:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  clamav:
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the right ref
+      - name: Checkout (release tag)
+        if: github.event_name == 'release'
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name }}
+      - name: Checkout (PR/default)
+        if: github.event_name != 'release'
+        uses: actions/checkout@v4
+
+      # Single source-of-truth build -> one file
+      - name: Build and package
+        id: build
+        uses: ./.github/actions/build-package
+
+      # Install fresh ClamAV DB
+      - name: Install & update ClamAV DB
+        run: |
+          set -e
+          sudo apt-get update
+          sudo apt-get install -y clamav clamav-freshclam unzip
+          sudo systemctl stop clamav-freshclam || true
+          sudo mkdir -p /var/lib/clamav
+          sudo chown -R clamav:clamav /var/lib/clamav
+          sudo freshclam --verbose
+          ls -lh /var/lib/clamav
+
+      # Scan extracted bundle so counts reflect actual files
+      - name: Extract bundle and scan
+        run: |
+          set -e
+          rm -rf scan && mkdir -p scan
+          unzip -q bundle/opencode.zip -d scan
+          echo "File count in payload: $(find scan -type f | wc -l)"
+          clamscan -ri --scan-archive=yes scan | tee clamav.log
+          ! grep -q 'Infected files: [1-9]' clamav.log
+
+      - name: Upload scan results
+        uses: actions/upload-artifact@v4
+        with:
+          name: clamav-scan-results
+          path: |
+            clamav.log
+            bundle/opencode.zip
