SmartTube/.github/workflows/virustotal_scan.yml at master · yuliskov/SmartTube · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
name: VirusTotal Scan

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      release_tag:
        description: 'Release tag to scan'
        required: true

jobs:
  virustotal_scan:
    permissions:
      contents: write
    runs-on: ubuntu-latest
    env:
      HAS_VT_KEY: ${{ secrets.VIRUS_TOTAL_API_KEY != '' }}

    steps:
      - name: Set tag variable
        run: |
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            echo "TAG_NAME=${{ github.event.inputs.release_tag }}" >> $GITHUB_ENV
          else
            echo "TAG_NAME=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
          fi

      - name: Set report marker variable
        run: |
          echo -e "MARKER=\t\t\t" >> $GITHUB_ENV

      - name: Checkout code
        uses: actions/checkout@v6

      - name: Download Release Assets
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          mkdir -p release_assets
          gh release download "$TAG_NAME" --dir release_assets --pattern "*.apk"

      - name: VirusTotal Scan
        if: ${{ env.HAS_VT_KEY == 'true' }}
        id: vt
        uses: crazy-max/ghaction-virustotal@v5
        with:
          vt_api_key: ${{ secrets.VIRUS_TOTAL_API_KEY }}
          files: |
            release_assets/*.apk
          request_rate: 4

      - name: Generate Custom Badge Report
        if: steps.vt.outcome == 'success'
        run: |
          echo "Waiting 150s for VirusTotal engines to report..."
          sleep 150

          echo -e "$MARKER\n## 🛡️ VirusTotal Analysis" > vt_report.txt
          echo "" >> vt_report.txt

          echo "| Build Variant | VirusTotal Status | Detailed Report |" >> vt_report.txt
          echo "| :--- | :--- | :--- |" >> vt_report.txt

          for file in release_assets/*.apk; do
            [ -e "$file" ] || continue
            filename=$(basename "$file")
            sha256=$(sha256sum "$file" | awk '{print $1}')

            vt_link="https://www.virustotal.com/gui/file/$sha256/detection"
            badge_url="https://badges.cssnr.com/vt/id/$sha256?start=green&end=red&n=8"

            echo "Purging badge cache for $filename..."
            curl -s -X POST $badge_url

            asset_link="https://github.com/${{ github.repository }}/releases/download/${{ env.TAG_NAME }}/$filename"

            echo "| [$filename]($asset_link) | [![]($badge_url&v=$(date +%s))]($vt_link) | [View Report]($vt_link) |" >> vt_report.txt
          done

      - name: Update Release Notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release view "$TAG_NAME" --json body -q .body > current_notes.txt || echo "" > current_notes.txt

          # If the header exists, delete from that line to the end
          if grep -q "$MARKER" current_notes.txt; then
            echo "Previous report found. Cleaning up..."
            sed -i "/$MARKER/,\$d" current_notes.txt
          fi

          {
            cat current_notes.txt
            cat vt_report.txt
          } > final_notes.txt

          gh release edit "$TAG_NAME" --notes-file final_notes.txt