Charon/.github/skills/examples/gorm-scanner-ci-workflow.yml

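# Example GitHub Actions Workflow - GORM Security Scanner with Report Artifacts
# This demonstrates how to use the GORM scanner skill in CI/CD with report export
---
name: GORM Security Scan

on:
  pull_request:
    paths:
      - 'backend/**/*.go'
      - 'backend/go.mod'
  push:
    branches:
      - main
      - development

# Least-privilege token: the job only needs to read the checkout and post a
# PR comment. Every other scope stays at its default (none).
# NOTE: on pull_request events from forked repositories GITHUB_TOKEN is
# read-only regardless of this block, so the comment step is expected to
# fail there; the report artifact is still uploaded.
permissions:
  contents: read
  pull-requests: write

jobs:
  gorm-security-scan:
    name: GORM Security Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: "1.26.2"

      - name: Run GORM Security Scanner
        id: gorm-scan
        # A non-zero scanner exit must not stop the report/comment/upload
        # steps; "Fail Build on Critical Issues" re-raises it at the end.
        continue-on-error: true
        run: |
          # Generate report file for artifact upload
          .github/skills/scripts/skill-runner.sh security-scan-gorm \
            --check \
            "docs/reports/gorm-scan-ci-${{ github.run_id }}.txt"

      - name: Parse Report for PR Comment
        if: always() && github.event_name == 'pull_request'
        id: parse-report
        run: |
          REPORT_FILE="docs/reports/gorm-scan-ci-${{ github.run_id }}.txt"

          # Extract summary metrics.
          # count PATTERN: prints the first number captured by PATTERN, or "0"
          # when the file or the heading is missing. Limiting to one line keeps
          # a report with repeated headings from writing a malformed
          # GITHUB_OUTPUT entry, and "|| true" keeps the pipeline failure from
          # aborting the step under "set -e" / pipefail.
          count() {
            local n
            n=$(grep -oP "$1" "$REPORT_FILE" 2>/dev/null | head -n1 || true)
            echo "${n:-0}"
          }

          CRITICAL=$(count '🔴 CRITICAL: \K\d+')
          HIGH=$(count '🟡 HIGH: \K\d+')
          MEDIUM=$(count '🔵 MEDIUM: \K\d+')
          INFO=$(count '🟢 INFO: \K\d+')

          # Create summary for PR comment
          {
            echo "critical=$CRITICAL"
            echo "high=$HIGH"
            echo "medium=$MEDIUM"
            echo "info=$INFO"
          } >> "$GITHUB_OUTPUT"

      - name: Comment on PR
        if: always() && github.event_name == 'pull_request'
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
        env:
          # Hand the step outputs to the script through the environment instead
          # of splicing `${{ }}` into JavaScript source: report-derived text is
          # then data, never code, and an empty/skipped output degrades to 0
          # rather than producing a syntax error.
          CRITICAL: ${{ steps.parse-report.outputs.critical }}
          HIGH: ${{ steps.parse-report.outputs.high }}
          MEDIUM: ${{ steps.parse-report.outputs.medium }}
          INFO: ${{ steps.parse-report.outputs.info }}
        with:
          script: |
            // Coerce an output string to a non-negative integer; NaN/empty -> 0.
            const toCount = (v) => Number.parseInt(v, 10) || 0;
            const critical = toCount(process.env.CRITICAL);
            const high = toCount(process.env.HIGH);
            const medium = toCount(process.env.MEDIUM);
            const info = toCount(process.env.INFO);
            const status = (critical > 0 || high > 0) ? '❌' : '✅';

            // Blank lines separate the heading, table and trailer so GFM does
            // not absorb the trailing lines into the table as extra rows.
            const message = `## ${status} GORM Security Scan Results

            | Severity | Count |
            |----------|-------|
            | 🔴 CRITICAL | ${critical} |
            | 🟡 HIGH | ${high} |
            | 🔵 MEDIUM | ${medium} |
            | 🟢 INFO | ${info} |

            **Total Issues:** ${critical + high + medium} (excluding informational)

            ${critical > 0 || high > 0 ? '⚠️ **Action Required:** Fix CRITICAL/HIGH issues before merge.' : '✅ No critical issues found.'}

            📄 Full report available in workflow artifacts.`;

            // Await so a failed API call surfaces as a step failure instead of
            // being dropped when the script returns.
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: message
            });

      - name: Upload GORM Scan Report
        if: always()
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: gorm-security-report-${{ github.run_id }}
          path: docs/reports/gorm-scan-ci-*.txt
          retention-days: 30
          if-no-files-found: error

      - name: Fail Build on Critical Issues
        # The scanner step ran with continue-on-error, so its own failure is
        # only visible through its outcome; re-raise it here after the report
        # has been commented and uploaded.
        if: steps.gorm-scan.outcome == 'failure'
        run: |
          echo "::error title=GORM Security Issues::Critical security issues detected. See report artifact for details."
          exit 1

# Usage in other workflows:
#
# 1. Download previous report for comparison:
#    - uses: actions/download-artifact@v4
#      with:
#        name: gorm-security-report-previous
#        path: reports/previous/
#
# 2. Compare reports:
#    - run: |
#        diff reports/previous/gorm-scan-ci-*.txt \
#             docs/reports/gorm-scan-ci-*.txt \
#          || echo "Issues changed"
#
# 3. AI Agent Analysis:
#    - name: Analyze with AI
#      run: |
#        # AI agent reads the report file
#        REPORT=$(cat docs/reports/gorm-scan-ci-*.txt)
#        # Process findings, suggest fixes, create issues, etc.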