ci: enable PR/push AV scans (no releases required)

riatzukiza · riatzukiza · commit 7ee7e7571023 · 2025-10-24T14:36:03.000-05:00
- Add PR/push jobs for ClamAV (Linux) and Windows Defender (Windows)
- Keep release/workflow_dispatch jobs for scanning published assets
- No secret usage in PR/push jobs; uses repo/build outputs or repo archive
- Upload PR scan payload/logs as artifacts
diff --git a/.github/workflows/clam-av-scan.yml b/.github/workflows/clam-av-scan.yml
@@ -1,23 +1,46 @@
 name: av-clamav
 on:
   workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Release tag to scan (e.g., v0.15.16)'
-        required: false
   release:
     types: [published]
   pull_request:
-    branches: [dev]
+  push:
   schedule:
-    - cron: "0 3 * * 1" # weekly, 03:00 UTC Mondays
+    - cron: "0 3 * * 1"
 permissions:
   contents: read
 
 jobs:
+  clamav-pr:
+    if: github.event_name == 'pull_request' || github.event_name == 'push'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install ClamAV
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y clamav
+          sudo freshclam || true
+      - name: Prepare PR scan payload
+        run: |
+          mkdir -p dist-pr
+          if [ -d dist ]; then tar -czf dist-pr/scan.tgz -C dist .; \
+          elif [ -d build ]; then tar -czf dist-pr/scan.tgz -C build .; \
+          else tar -czf dist-pr/scan.tgz --exclude=.git --exclude=.github .; fi
+      - name: ClamAV scan (PR)
+        run: |
+          clamscan -ri --scan-archive=yes dist-pr | tee clamav-pr.log
+          ! grep -q "Infected files: [1-9]" clamav-pr.log
+      - name: Upload PR scan results
+        uses: actions/upload-artifact@v4
+        with:
+          name: clamav-pr-scan-results
+          path: |
+            clamav-pr.log
+            dist-pr/scan.tgz
+
   clamav-scan:
     if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
-    name: ClamAV scan (release assets)
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -27,7 +50,6 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y clamav
           sudo freshclam || true
-
       - name: Resolve release tag
         id: resolve_tag
         env:
@@ -38,20 +60,16 @@ jobs:
           if [ -z "$tag" ]; then tag="$(gh release list --limit 1 --json tagName -q '.[0].tagName')"; fi
           if [ -z "$tag" ]; then echo "No release tag found" >&2; exit 1; fi
           echo "tag=$tag" >> "$GITHUB_OUTPUT"
-
       - name: Download assets
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           mkdir -p dist-release
           gh release download "${{ steps.resolve_tag.outputs.tag }}" --dir dist-release --clobber
-
-      - name: Scan with ClamAV
+      - name: Scan with ClamAV (release assets)
         run: |
           clamscan -ri dist-release | tee clamav.log
-          # Fail if infected found
           ! grep -q "Infected files: [1-9]" clamav.log
-
       - name: Upload scan results
         uses: actions/upload-artifact@v4
         with:
diff --git a/.github/workflows/windows-defender-scan.yml b/.github/workflows/windows-defender-scan.yml
@@ -8,14 +8,39 @@ on:
   release:
     types: [published]
   pull_request:
-    branches: [dev]
+  push:
   schedule:
-    - cron: "0 4 * * 1" # weekly, 04:00 UTC Mondays
+    - cron: "0 4 * * 1"
 
 permissions:
   contents: read
 
 jobs:
+  defender-pr:
+    if: github.event_name == 'pull_request' || github.event_name == 'push'
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Prepare PR scan payload
+        shell: pwsh
+        run: |
+          New-Item -ItemType Directory -Force -Path dist-pr | Out-Null
+          if (Test-Path dist) { Compress-Archive -Path dist\* -DestinationPath dist-pr\scan.zip -Force }
+          elseif (Test-Path build) { Compress-Archive -Path build\* -DestinationPath dist-pr\scan.zip -Force }
+          else { Compress-Archive -Path * -DestinationPath dist-pr\scan.zip -Force }
+      - name: Windows Defender scan (PR)
+        shell: pwsh
+        run: |
+          $mp = (Get-Command MpCmdRun.exe -ErrorAction SilentlyContinue).Source
+          if (-not $mp) { $mp = "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" }
+          if (-not (Test-Path $mp)) { throw 'MpCmdRun.exe not found' }
+          & $mp -Scan -ScanType 3 -File (Resolve-Path 'dist-pr\scan.zip')
+      - name: Upload PR scan results
+        uses: actions/upload-artifact@v4
+        with:
+          name: defender-pr-scan-input
+          path: dist-pr/scan.zip
+
   defender-scan:
     if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
     name: Windows Defender scan (release assets)
@@ -27,7 +52,6 @@ jobs:
       - name: Prepare download dir
         shell: pwsh
         run: New-Item -ItemType Directory -Force -Path dist-release | Out-Null
-
       - name: Resolve release tag
         id: resolve_tag
         shell: pwsh
@@ -39,18 +63,15 @@ jobs:
           if (-not $tag) { $tag = (gh release list --limit 1 --json tagName -q ".[0].tagName") }
           if (-not $tag) { throw 'No release tag found' }
           "tag=$tag" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
-
       - name: Download assets for this release
         shell: pwsh
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh release download "${{ steps.resolve_tag.outputs.tag }}" --dir dist-release --clobber
-
       - name: List assets
         shell: pwsh
         run: Get-ChildItem -File dist-release | Select-Object FullName, Length | Format-Table | Out-String | Tee-Object -FilePath dist-release\asset-list.txt
-
       - name: Scan each asset with Defender
         shell: pwsh
         run: |
@@ -62,7 +83,6 @@ jobs:
             & $mp -Scan -ScanType 3 -File $_.FullName
             Start-Sleep -Seconds 3
           }
-          # Collect recent detections (last 30 minutes) and only for our folder
           $since = (Get-Date).AddMinutes(-30)
           $recent = Get-MpThreatDetection | Where-Object {
             $_.InitialDetectionTime -ge $since -and
@@ -72,9 +92,8 @@ jobs:
             $recent | ConvertTo-Json -Depth 5 | Out-File dist-release\defender-detections.json -Encoding UTF8
             Write-Error "Windows Defender found detections. See artifact."
           } else {
-            '{"status":"clean"}' | Out-File dist-release\defender-detections.json -Encoding UTF8
+            '{\"status\":\"clean\"}' | Out-File dist-release\defender-detections.json -Encoding UTF8
           }
-
       - name: Upload scan results
         uses: actions/upload-artifact@v4
         with:
