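---
# Audit Agent CI workflow.
#
# quick-scan:     on every PR update, if the head commit message starts with
#                 "scan: [file1,file2,...]", ask the Audit Agent API for a
#                 diff scan of those files and poll until it completes.
# merge-context:  when a PR is merged, tell the API the post-merge commit of
#                 the base branch.
#
# Every value that a PR author can influence (branch names, commit message,
# the extracted file list) is passed to shell steps through `env:` and
# serialised with jq, never interpolated into the `run:` text. Interpolating
# `${{ github.event.pull_request.head.ref }}` or step outputs directly into a
# script lets a crafted branch name or commit message inject shell commands.
name: Audit Agent

on:
  pull_request:
    # The default pull_request types are opened/synchronize/reopened, which
    # never deliver action == 'closed'; without this list merge-context can
    # never run.
    types: [opened, synchronize, reopened, closed]

# Least privilege: nothing here writes to the repository. The API is
# authenticated with AUDIT_AGENT_TOKEN, not GITHUB_TOKEN.
permissions:
  contents: read

env:
  AUDIT_AGENT_API_URL: https://api.auditagent.nethermind.io

jobs:
  quick-scan:
    # Run only for open-PR updates, not for the close event added above.
    if: github.event.action != 'closed'
    runs-on: ubuntu-latest
    # Bounds the polling loop in the Quick Scan step.
    timeout-minutes: 60
    env:
      # NOTE(review): GitHub withholds repository secrets from PRs opened
      # from forks, so this is empty there and the API call is expected to
      # fail with a non-202 — confirm, or gate the job on
      # github.event.pull_request.head.repo.full_name == github.repository.
      AUDIT_AGENT_TOKEN: ${{ secrets.AUDIT_AGENT_TOKEN }}
    steps:
      # NOTE(review): consider pinning to a full commit SHA instead of a
      # mutable tag, per supply-chain hardening guidance.
      - uses: actions/checkout@v4
        with:
          # Enough history to resolve the PR head commit from the merge ref.
          fetch-depth: 2

      - name: Extract commit message and files
        id: extract
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          COMMIT_MSG=$(git log -1 --format=%B "$HEAD_SHA")
          echo "Commit message: $COMMIT_MSG"

          # Honour only the first line of the form "scan: [...]". The author
          # controls this text, so it is never echoed into $GITHUB_OUTPUT
          # unsanitised: a multi-line value would let the author set
          # arbitrary additional step outputs.
          SCAN_LINE=$(printf '%s\n' "$COMMIT_MSG" \
            | grep -m1 '^scan: \[.*\][[:space:]]*$' || true)
          if [ -z "$SCAN_LINE" ]; then
            echo "should_scan=false" >> "$GITHUB_OUTPUT"
            echo "No scan request found in commit message"
            exit 0
          fi

          # Strip "scan: [" and the trailing "]", split on commas, trim
          # surrounding whitespace and any pre-existing quotes from each entry,
          # drop empties, and let jq emit a well-formed one-line JSON array.
          # Accepts both [a.sol,b.sol] and ["a.sol","b.sol"].
          FILES=$(printf '%s' "$SCAN_LINE" \
            | sed 's/^scan: \[//; s/\][[:space:]]*$//' \
            | tr ',' '\n' \
            | sed 's/^[[:space:]"]*//; s/[[:space:]"]*$//' \
            | awk 'NF' \
            | jq -R . \
            | jq -cs .)
          echo "should_scan=true" >> "$GITHUB_OUTPUT"
          echo "files=$FILES" >> "$GITHUB_OUTPUT"
          echo "Found scan request with files: $FILES"

      - name: Quick Scan
        if: steps.extract.outputs.should_scan == 'true'
        env:
          REPO_URL: ${{ github.event.repository.html_url }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_NUMBER: ${{ github.event.number }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          CONTRACT_FILES: ${{ steps.extract.outputs.files }}
        run: |
          set -euo pipefail

          # Build the request body with jq so every string is JSON-escaped;
          # --argjson rejects a malformed file list instead of splicing it in.
          PAYLOAD=$(jq -n \
            --arg githubUrl "$REPO_URL" \
            --arg baseBranchName "$BASE_REF" \
            --arg branchName "$HEAD_REF" \
            --argjson issueNumber "$PR_NUMBER" \
            --arg baseCommitHash "$BASE_SHA" \
            --arg commitHash "$HEAD_SHA" \
            --argjson contractFiles "$CONTRACT_FILES" \
            '{
              githubUrl: $githubUrl,
              baseBranchName: $baseBranchName,
              branchName: $branchName,
              issueNumber: $issueNumber,
              baseCommitHash: $baseCommitHash,
              commitHash: $commitHash,
              contractFiles: $contractFiles,
              language: "solidity"
            }')

          HTTP_CODE=$(curl -sS -w "%{http_code}" -o launch_response.json -X POST \
            -H "Content-Type: application/json" \
            -H "X-Api-Key: $AUDIT_AGENT_TOKEN" \
            --data "$PAYLOAD" \
            "$AUDIT_AGENT_API_URL/api/v1/scanner/quick-scan/diff-scan")
          if [ "$HTTP_CODE" != "202" ]; then
            echo "Launch failed. Expected 202, got $HTTP_CODE."
            cat launch_response.json
            exit 1
          fi

          # Control characters are stripped before parsing; an empty scan_id
          # means the API found nothing to scan.
          SCAN_ID=$(tr -d '\000-\037' < launch_response.json | jq -r '.data.scan_id // empty')
          if [ -z "$SCAN_ID" ]; then
            echo "No relevant changes found. No scan needed."
            exit 0
          fi
          echo "Scan started: $SCAN_ID"

          # Poll once a minute, but give up before the job timeout so a scan
          # that never reaches a terminal status fails with a clear message
          # rather than holding the runner for the full job limit.
          ATTEMPT=0
          MAX_ATTEMPTS=55
          while [ "$ATTEMPT" -lt "$MAX_ATTEMPTS" ]; do
            RESULT_JSON=$(curl -sSf -H "X-Api-Key: $AUDIT_AGENT_TOKEN" \
              "$AUDIT_AGENT_API_URL/api/v1/scans/ci-result/$SCAN_ID")
            STATUS=$(printf '%s' "$RESULT_JSON" | tr -d '\000-\037' | jq -r '.data.scan.status // empty')
            case "$STATUS" in
              completed)
                echo "Scan completed successfully."
                exit 0
                ;;
              failed)
                echo "Scan failed."
                exit 1
                ;;
            esac
            echo "Scan status: $STATUS (waiting...)"
            sleep 60
            ATTEMPT=$((ATTEMPT + 1))
          done
          echo "Scan $SCAN_ID did not reach a terminal status after $MAX_ATTEMPTS polls."
          exit 1

  merge-context:
    if: github.event.action == 'closed' && github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    timeout-minutes: 10
    env:
      AUDIT_AGENT_TOKEN: ${{ secrets.AUDIT_AGENT_TOKEN }}
    steps:
      # NOTE(review): consider pinning to a full commit SHA instead of a
      # mutable tag, per supply-chain hardening guidance.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Fetch latest target branch and get new commit hash
        id: merged_commit
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          set -euo pipefail
          # Use the PR's real base branch rather than a hard-coded "main", so a
          # merge into any other branch reports that branch's post-merge tip.
          git fetch origin "$BASE_REF"
          NEW_COMMIT_HASH=$(git rev-parse FETCH_HEAD)
          echo "hash=$NEW_COMMIT_HASH" >> "$GITHUB_OUTPUT"

      - name: Merge Context
        env:
          REPO_URL: ${{ github.event.repository.html_url }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          BASE_SHA: ${{ steps.merged_commit.outputs.hash }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_NUMBER: ${{ github.event.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail

          # Same rationale as Quick Scan: JSON-escape everything via jq.
          PAYLOAD=$(jq -n \
            --arg githubUrl "$REPO_URL" \
            --arg baseBranchName "$BASE_REF" \
            --arg baseCommitHash "$BASE_SHA" \
            --arg branchName "$HEAD_REF" \
            --argjson issueNumber "$PR_NUMBER" \
            --arg commitHash "$HEAD_SHA" \
            '{
              githubUrl: $githubUrl,
              baseBranchName: $baseBranchName,
              baseCommitHash: $baseCommitHash,
              branchName: $branchName,
              issueNumber: $issueNumber,
              commitHash: $commitHash
            }')

          STATUS_CODE=$(curl -sS -w "%{http_code}" -o response.json -X POST \
            -H "Content-Type: application/json" \
            -H "X-Api-Key: $AUDIT_AGENT_TOKEN" \
            --data "$PAYLOAD" \
            "$AUDIT_AGENT_API_URL/api/v1/scanner/quick-scan/merge")
          if [ "$STATUS_CODE" != "202" ]; then
            echo "API call failed. Expected 202, got $STATUS_CODE."
            cat response.json
            exit 1
          fi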