ci: run virus scan during build process

Author: mvach

.github/workflows/build.yml

@@ -14,17 +14,38 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        fetch-tags: true
 
     - name: Set up Go
       uses: actions/setup-go@v4
       with:
         go-version: '1.23'
 
-    - name: Install keepassxc-cli
-      run: sudo apt-get update && sudo apt-get install -y keepassxc
-
-    - name: Build
-      run: go build
+    - name: Install system dependencies (keepassxc + clamav)
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends keepassxc clamav
 
-    - name: Test
+    - name: Run unit tests
       run: go test ./...
+
+    - name: Run build
+      run: scripts/build_binaries
+
+    - name: Virus scan
+      run: |
+        scannerVersion=$(clamscan --version)
+        echo "Using scanner version: $scannerVersion"
+
+        echo "Scanning built binary with ClamAV..."
+        clamscan --recursive --infected --verbose dist/ || SCAN_STATUS=$?
+        if [ "${SCAN_STATUS:-0}" -eq 1 ]; then
+          echo "❌ Virus detected in built binary. Build failed." >&2
+          exit 1
+        elif [ "${SCAN_STATUS:-0}" -gt 1 ]; then
+          echo "❌ ClamAV scan error (exit code $SCAN_STATUS). Build failed." >&2
+          exit $SCAN_STATUS
+        fi
+        echo "✅ No viruses found in built binary."

.github/workflows/release.yml

@@ -29,10 +29,6 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get install -y --no-install-recommends keepassxc clamav
-          # Update ClamAV signatures using GitHub token to avoid rate limits
-          echo "Updating ClamAV signatures..."
-          sudo freshclam --user-agent="ClamAV-GitHub/${{ github.repository }} (${{ secrets.GITHUB_TOKEN }})" || echo "freshclam failed; using existing signatures"
-          clamscan --version
 
       - name: Run unit tests
         run: go test ./...
@@ -44,15 +40,17 @@ jobs:
           version: '~> v2'
           install-only: true
 
-      - name: GoReleaser release (build only, skip publish & announce)
+      - name: GoReleaser build
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: goreleaser release --clean --skip=publish --skip=announce
 
-      - name: Virus scan dist artifacts
+      - name: Virus scan
         run: |
-          echo "Scanning dist/ with ClamAV..."
+          scannerVersion=$(clamscan --version)
+          echo "Using scanner version: $scannerVersion"
 
+          echo "Scanning built binary with ClamAV..."
           clamscan --recursive --infected --verbose dist/ || SCAN_STATUS=$?
           if [ "${SCAN_STATUS:-0}" -eq 1 ]; then
             echo "❌ Virus detected in build artifacts. Aborting publish." >&2

scripts/build_binaries

@@ -8,7 +8,7 @@ PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 cd "$PROJECT_ROOT"
 
 # Define the output directory for the binaries
-OUTPUT_DIR="$PROJECT_ROOT/bin/ctRestClient"
+OUTPUT_DIR="$PROJECT_ROOT/dist"
 
 # Clean the output directory
 echo "Cleaning the output directory..."