🔧 修复安全扫描误报 #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [ main, master ] | |
| pull_request: | |
| branches: [ main, master ] | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup MoonBit | |
| uses: hustcer/setup-moonbit@v1 | |
| with: | |
| version: "latest" | |
| - name: Check MoonBit installation | |
| run: | | |
| moon version --all | |
| which moon | |
| - name: Install dependencies | |
| run: | | |
| moon install | |
| - name: Check code format | |
| run: | | |
| moon fmt --check | |
| - name: Run tests | |
| run: | | |
| moon test --enable-coverage | |
| - name: Generate coverage report | |
| run: | | |
| moon coverage report -f cobertura -o coverage.xml | |
| moon coverage report -f html | |
| - name: Upload coverage reports | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage-report | |
| path: | | |
| coverage.xml | |
| _coverage/ | |
| - name: Build project | |
| run: | | |
| moon build | |
| - name: Run examples | |
| run: | | |
| cd examples | |
| moon run cli_demo | |
| security: | |
| name: 🔒 Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: 🔒 Run security audit | |
| run: | | |
| # 检查真正的敏感信息泄露(排除配置文件和常见关键词) | |
| if grep -r -i "password\s*=\|secret\s*=\|api_key\s*=\|private_key\|access_token" . \ | |
| --exclude-dir=.git \ | |
| --exclude-dir=.github \ | |
| --exclude-dir=node_modules \ | |
| --exclude="*.md" \ | |
| --exclude="*.json" \ | |
| --exclude="*.toml" \ | |
| --exclude="*.yml" \ | |
| --exclude="*.yaml"; then | |
| echo "⚠️ 发现可能的敏感信息" | |
| exit 1 | |
| else | |
| echo "✅ 安全检查通过" | |
| fi |