mirror of
https://github.com/tw93/Mole.git
synced 2026-03-22 23:40:09 +00:00
c1d2e221a2
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
102 lines
2.9 KiB
YAML
102 lines
2.9 KiB
YAML
name: Validation
|
|
|
|
on:
|
|
push:
|
|
branches: [main, dev]
|
|
pull_request:
|
|
branches: [main, dev]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
tests:
|
|
name: Unit & Integration Tests
|
|
runs-on: macos-latest
|
|
steps:
|
|
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
|
|
|
|
- name: Install tools
|
|
run: brew install bats-core shellcheck
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
|
|
with:
|
|
go-version-file: go.mod
|
|
|
|
- name: Run test script
|
|
env:
|
|
MOLE_PERF_BYTES_TO_HUMAN_LIMIT_MS: "6000"
|
|
MOLE_PERF_GET_FILE_SIZE_LIMIT_MS: "3000"
|
|
BATS_FORMATTER: tap
|
|
LANG: en_US.UTF-8
|
|
LC_ALL: en_US.UTF-8
|
|
run: ./scripts/test.sh
|
|
|
|
compatibility:
|
|
name: macOS
|
|
strategy:
|
|
matrix:
|
|
os: [macos-14, macos-15]
|
|
runs-on: ${{ matrix.os }}
|
|
steps:
|
|
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
|
|
|
|
- name: Test on ${{ matrix.os }}
|
|
run: |
|
|
echo "Testing on ${{ matrix.os }}..."
|
|
bash -n mole
|
|
source lib/core/common.sh
|
|
echo "✓ Successfully loaded on ${{ matrix.os }}"
|
|
|
|
security:
|
|
name: Security Checks
|
|
runs-on: macos-latest
|
|
steps:
|
|
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
|
|
|
|
- name: Install tools
|
|
run: brew install bats-core
|
|
|
|
- name: Check for unsafe rm usage
|
|
run: |
|
|
echo "Checking for unsafe rm patterns..."
|
|
if grep -r "rm -rf" --include="*.sh" lib/ | grep -v "safe_remove\|validate_path\|# "; then
|
|
echo "✗ Unsafe rm -rf usage found"
|
|
exit 1
|
|
fi
|
|
echo "✓ No unsafe rm usage found"
|
|
|
|
- name: Verify app protection
|
|
run: |
|
|
echo "Verifying critical file protection..."
|
|
bash -c '
|
|
source lib/core/common.sh
|
|
if should_protect_from_uninstall "com.apple.Safari"; then
|
|
echo "✓ Safari is protected"
|
|
else
|
|
echo "✗ Safari protection failed"
|
|
exit 1
|
|
fi
|
|
'
|
|
|
|
- name: Check for secrets
|
|
run: |
|
|
echo "Checking for hardcoded secrets..."
|
|
matches=$(grep -r "password\|secret\|api_key" --include="*.sh" . \
|
|
| grep -v "# \|test" \
|
|
| grep -v -E "lib/core/sudo\.sh|lib/core/app_protection\.sh|lib/clean/user\.sh|lib/clean/brew\.sh|bin/optimize\.sh|lib/clean/apps\.sh|lib/uninstall/batch\.sh" || true)
|
|
if [[ -n "$matches" ]]; then
|
|
echo "$matches"
|
|
echo "✗ Potential secrets found"
|
|
exit 1
|
|
fi
|
|
echo "✓ No secrets found"
|
|
|
|
- name: Run high-risk path regression tests
|
|
env:
|
|
BATS_FORMATTER: tap
|
|
LANG: en_US.UTF-8
|
|
LC_ALL: en_US.UTF-8
|
|
run: bats tests/core_safe_functions.bats tests/purge.bats tests/installer.bats
|