Skip to content
.github/workflows/pr-check.yml

Add VulnHawk - AI-powered code security scanner #96

Sign in to view logs

Add VulnHawk - AI-powered code security scanner

Add VulnHawk - AI-powered code security scanner #96

Workflow file for this run

.github/workflows/pr-check.yml at 2b81bec
name: PR Check
on:
pull_request:
branches: [master]
paths:
- "data/tools/**.yml"
- "ci/**"
workflow_dispatch:
inputs:
pr_number:
description: "PR number to check"
required: true
tool_files:
description: "Space-separated list of tool YAML files to check (e.g. data/tools/foo.yml)"
required: true
jobs:
pr-check:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check out PR head for manual runs
if: github.event_name == 'workflow_dispatch'
run: |
git fetch origin "refs/pull/${{ inputs.pr_number }}/head"
git checkout FETCH_HEAD -- ${{ inputs.tool_files }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Get changed tool files
id: changed
run: |
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
FILES="${{ inputs.tool_files }}"
else
FILES=$(git diff --name-only --diff-filter=A origin/master...HEAD -- 'data/tools/*.yml' 'data/tools/*.yaml' | tr '\n' ' ')
fi
FILES=$(echo "$FILES" | xargs) # trim leading/trailing whitespace
echo "files=$FILES" >> "$GITHUB_OUTPUT"
echo "has_files=$( [ -n "$FILES" ] && echo true || echo false )" >> "$GITHUB_OUTPUT"
- name: Skip: no tool files to check

Check failure on line 48 in .github/workflows/pr-check.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/pr-check.yml

Invalid workflow file 

You have an error in your yaml syntax on line 48
if: steps.changed.outputs.has_files == 'false'
run: |
mkdir -p pr-check-output
echo "${{ github.event_name == 'workflow_dispatch' && inputs.pr_number || github.event.pull_request.number }}" > pr-check-output/pr_number.txt
echo "passed" > pr-check-output/result.txt
- name: Install Rust toolchain
if: steps.changed.outputs.has_files == 'true'
uses: dtolnay/rust-toolchain@stable
- name: Cache cargo registry
if: steps.changed.outputs.has_files == 'true'
uses: actions/cache@v4
with:
path: |
~/.cargo/registry
~/.cargo/git
ci/target
key: pr-check-${{ runner.os }}-${{ hashFiles('ci/Cargo.lock') }}
restore-keys: |
pr-check-${{ runner.os }}-
- name: Build pr-check
if: steps.changed.outputs.has_files == 'true'
run: cargo build --release --manifest-path ci/Cargo.toml -p pr-check
- name: Run pr-check
if: steps.changed.outputs.has_files == 'true'
id: run-check
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
PR_NUMBER: ${{ github.event_name == 'workflow_dispatch' && inputs.pr_number || github.event.pull_request.number }}
# For pull_request events (including forks), write the comment to a
# file instead of posting it directly. The fork's GITHUB_TOKEN does
# not have write access to the base repository, so direct posting
# returns 403. The pr-comment workflow picks up this artifact and
# posts the comment with the right permissions.
COMMENT_OUTPUT_FILE: ${{ github.event_name == 'pull_request' && 'pr-check-output/comment.md' || '' }}
run: |
mkdir -p pr-check-output
echo "$PR_NUMBER" > pr-check-output/pr_number.txt
if ci/target/release/pr-check ${{ steps.changed.outputs.files }}; then
echo "passed" > pr-check-output/result.txt
else
echo "failed" > pr-check-output/result.txt
fi
- name: Upload check results
if: always() && github.event_name == 'pull_request'
uses: actions/upload-artifact@v4
with:
name: pr-check-output
path: pr-check-output/
- name: Fail if checks did not pass
if: always()
run: |
result=$(cat pr-check-output/result.txt 2>/dev/null || echo "failed")
[ "$result" = "passed" ]