[#381] Scan release builds for malware
parent
32c20953f7
commit
a305f5f4f1
|
@ -0,0 +1,3 @@
|
||||||
|
FROM clamav/clamav:0.105.0
|
||||||
|
RUN freshclam
|
||||||
|
ENTRYPOINT ["clamscan", "--recursive"]
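Review bot: The base image on the `FROM` line is pinned by tag only, while the workflow on this page pins its actions by commit SHA; a tag can be re-pointed, so pin the digest too, `FROM clamav/clamav:0.105.0@sha256:<digest of the reviewed image>`. On the `ENTRYPOINT` line, clamscan by default does not flag files it skips for exceeding its size limits, which matters when the targets are release binaries; `--alert-exceeds-max=yes` turns a skipped file into a finding instead of a clean result. `RUN freshclam` makes the image build fail when the signature download fails, which is the safe direction for a scanner, and a one-line comment such as `# Fail the build if signatures cannot be refreshed; never scan with stale definitions` would record that this is intended.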
|
|
@ -0,0 +1,9 @@
|
||||||
|
name: 'Run antivirus scan'
|
||||||
|
inputs:
|
||||||
|
path-to-scan:
|
||||||
|
required: true
|
||||||
|
runs:
|
||||||
|
using: 'docker'
|
||||||
|
image: 'Dockerfile'
|
||||||
|
args:
|
||||||
|
- ${{ inputs.path-to-scan }}
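Review bot: The action metadata has no `description`, neither at the top level nor on `path-to-scan`, so a reader cannot tell what the path is relative to or what a failing step means. I would add `description: 'Scan a path with ClamAV; the step fails if clamscan reports a detection or an error'` under `name` and `description: 'File or directory to scan, relative to the workspace'` under the input. The "relative to the workspace" wording assumes the container's working directory is the mounted workspace, which should be confirmed before it is written down.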
|
|
@ -31,7 +31,7 @@ runs:
|
||||||
path: ~/.gradle/caches/modules-2
|
path: ~/.gradle/caches/modules-2
|
||||||
key: ${{ runner.os }}-gradle-deps-${{ hashFiles(format('{0}{1}', github.workspace, '/gradle.properties')) }}
|
key: ${{ runner.os }}-gradle-deps-${{ hashFiles(format('{0}{1}', github.workspace, '/gradle.properties')) }}
|
||||||
restore-keys: |
|
restore-keys: |
|
||||||
${{ runner.os }}-gradle-deps
|
${{ runner.os }}-gradle-deps-
|
||||||
- name: Download Gradle
|
- name: Download Gradle
|
||||||
if: steps.gradle-wrapper-cache.outputs.cache-hit != 'true'
|
if: steps.gradle-wrapper-cache.outputs.cache-hit != 'true'
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
|
@ -113,3 +113,29 @@ jobs:
|
||||||
with:
|
with:
|
||||||
name: Binaries
|
name: Binaries
|
||||||
path: ~/artifacts
|
path: ~/artifacts
|
||||||
|
|
||||||
|
# Due to how the Gradle publishing plugin works, this scan happens after the upload to Google Play.
|
||||||
|
# Rather than being preventative, this is primarily an "early warning system" to verify that our
|
||||||
|
# binaries aren't being misclassified as malware.
|
||||||
|
antivirus:
|
||||||
|
needs: [build]
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
timeout-minutes: 1
|
||||||
|
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
|
||||||
|
- name: Download release artifact
|
||||||
|
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
||||||
|
with:
|
||||||
|
name: Binaries
|
||||||
|
- name: Unzip artifacts
|
||||||
|
timeout-minutes: 1
|
||||||
|
run: |
|
||||||
|
unzip binaries.zip
|
||||||
|
- name: Antivirus
|
||||||
|
timeout-minutes: 12
|
||||||
|
with:
|
||||||
|
path-to-scan: .
|
||||||
|
uses: ./.github/actions/antivirus
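Review bot: The artifact is downloaded and unzipped into the same directory as the checkout, and `path-to-scan: .` then scans everything there, so the files under test share a tree with the local action that scans them and the result also covers the repository itself. Keeping the target separate makes the result describe only the release binaries and prevents extracted files from landing next to `./.github/actions/antivirus`: set `path: scan-target` on the download step, run `unzip scan-target/binaries.zip -d scan-target`, and pass `path-to-scan: scan-target`. The `Download release artifact` step is also the only one without `timeout-minutes`, and the `Antivirus` step puts `with:` before `uses:`, unlike the other steps. Since the comment above the job says the scan runs after the upload to Google Play, it would help to note there who is expected to act on a failed run.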
|
||||||
|
|