From a305f5f4f19a11682a2291f73bfd9c0beb850aed Mon Sep 17 00:00:00 2001
From: Carter Jernigan
Date: Sat, 11 Jun 2022 10:32:51 -0400
Subject: [PATCH] [#381] Scan release builds for malware
---
 .github/actions/antivirus/Dockerfile | 3 +++
 .github/actions/antivirus/action.yml | 9 +++++++++
 .github/actions/setup/action.yml | 2 +-
 .github/workflows/deploy.yml | 26 ++++++++++++++++++++++++++
 4 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 .github/actions/antivirus/Dockerfile
 create mode 100644 .github/actions/antivirus/action.yml
diff --git a/.github/actions/antivirus/Dockerfile b/.github/actions/antivirus/Dockerfile
new file mode 100644
index 00000000..19a85e2c
--- /dev/null
+++ b/.github/actions/antivirus/Dockerfile
@@ -0,0 +1,3 @@
+FROM clamav/clamav:0.105.0
+RUN freshclam
+ENTRYPOINT ["clamscan", "--recursive"]
diff --git a/.github/actions/antivirus/action.yml b/.github/actions/antivirus/action.yml
new file mode 100644
index 00000000..c533fb35
--- /dev/null
+++ b/.github/actions/antivirus/action.yml
@@ -0,0 +1,9 @@
+name: 'Run antivirus scan'
+inputs:
+ path-to-scan:
+ required: true
+runs:
+ using: 'docker'
+ image: 'Dockerfile'
+ args:
+ - ${{ inputs.path-to-scan }}
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 37b6ceba..951569b3 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -31,7 +31,7 @@ runs:
 path: ~/.gradle/caches/modules-2
 key: ${{ runner.os }}-gradle-deps-${{ hashFiles(format('{0}{1}', github.workspace, '/gradle.properties')) }}
 restore-keys: |
- ${{ runner.os }}-gradle-deps
+ ${{ runner.os }}-gradle-deps-
 - name: Download Gradle
 if: steps.gradle-wrapper-cache.outputs.cache-hit != 'true'
 shell: bash
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 693650b7..f896d57a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
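Review bot: `FROM clamav/clamav:0.105.0` pins a mutable tag, whereas every `uses:` in the deploy workflow of this same patch is pinned to a full commit SHA; a scanner whose verdict is meant to fail the release job deserves the same supply-chain treatment, i.e. `FROM clamav/clamav:0.105.0@sha256:…` with the digest of that tag recorded at the time of pinning. `RUN freshclam` also fixes the signature database at image-build time, which is only as fresh as the last build of this action's image — presumably every run for a repository-local Docker action, but it would silently go stale if the build were ever cached — so a comment such as `# Signatures are fetched when this image is built; it must be rebuilt per run, not reused from a cache.` would record that assumption. Worth noting for the next maintainer that clamscan exits 1 on a detection and 2 on a scan error, so either outcome fails the workflow step, which matches the early-warning intent described in deploy.yml.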
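Review bot: The `path-to-scan` input has no `description`, which the action-metadata reference lists as a required field for every input, and the action itself carries no top-level `description:` either; add `description: 'Directory handed to clamscan --recursive inside the container'` under `path-to-scan:`. This is the only place a caller of the action learns what the argument is, since the Dockerfile entrypoint is not visible from a workflow that consumes `./.github/actions/antivirus`. The value is passed as a Docker `args` element rather than through a shell, so no quoting or injection concern arises from the expression itself.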
@@ -113,3 +113,29 @@ jobs:
 with:
 name: Binaries
 path: ~/artifacts
+
+# Due to how the Gradle publishing plugin works, this scan happens after the upload to Google Play.
+# Rather than being preventative, this is primarily an "early warning system" to verify that our
+# binaries aren't being misclassified as malware.
+ antivirus:
+ needs: [build]
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ timeout-minutes: 1
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+ - name: Download release artifact
+ uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+ with:
+ name: Binaries
+ - name: Unzip artifacts
+ timeout-minutes: 1
+ run: |
+ unzip binaries.zip
+ - name: Antivirus
+ timeout-minutes: 12
+ with:
+ path-to-scan: .
+ uses: ./.github/actions/antivirus
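Review bot: `unzip binaries.zip` extracts the downloaded release artifact into the root of the fresh checkout, and the `Antivirus` step that follows builds its image from `./.github/actions/antivirus` in that same tree; if the runner builds a repository-local Docker action at step time, as it appears to, an archive entry at `.github/actions/antivirus/Dockerfile` would replace the scanner definition before it ever runs (Info-ZIP strips `../` but not in-tree relative paths). Extract into a dedicated directory and point the scan only at it: `unzip binaries.zip -d scan-target` in the `run:` block and `path-to-scan: scan-target` in the `with:` block. That also stops the scan from walking the whole source tree and `.git`, which the 12-minute timeout otherwise has to cover. Whether the artifact really contains a file named `binaries.zip` is not visible in this hunk; it is inferred from the `Binaries` upload step just above it.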