From 56ba11d717afa459cd298e6510fbf6c27aaa76d0 Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 07:22:39 +0200 Subject: [PATCH 01/13] =?UTF-8?q?.forgejo/workflows/nyxscanner.yml=20hinzu?= =?UTF-8?q?gef=C3=BCgt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .forgejo/workflows/nyxscanner.yml | 44 +++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .forgejo/workflows/nyxscanner.yml diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml new file mode 100644 index 0000000..ffe47fa --- /dev/null +++ b/.forgejo/workflows/nyxscanner.yml @@ -0,0 +1,44 @@ +name: NYX Security Scan + +on: + pull_request: + branches: [main, master] + +jobs: + nyx-scan: + runs-on: docker-amd64 # eine Architektur reicht fΓΌr SAST + + steps: + - name: Checkout target repo + uses: actions/checkout@v4 + + - name: Checkout nyx from Forgejo mirror + uses: actions/checkout@v4 + with: + repository: apunkt/nyx + # URL deiner Forgejo-Instanz: + server_url: https://deine-forgejo-instanz.example.com + ref: master + path: .nyx-src + + - name: Install Rust + uses: https://github.com/actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: stable + + - name: Build nyx from source + run: | + cd .nyx-src + cargo build --release + sudo cp target/release/nyx /usr/local/bin/nyx + + - name: Run NYX scan + run: | + nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif + + - name: Upload results + if: always() + uses: actions/upload-artifact@v4 + with: + name: nyx-sarif-report + path: nyx-results.sarif \ No newline at end of file From 7d874842e1725d6f937c374b9ada7206e1ea4607 Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 07:28:55 +0200 Subject: [PATCH 02/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) 
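Review bot: The scanner that decides pass/fail for every PR is cloned from the mutable `ref: master` of `apunkt/nyx` and then compiled with `cargo build --release`, so anyone who can push to that branch (or to an unlocked dependency, whose build scripts run on the runner during the build) changes both what executes on the runner and what the scan reports, with no change in this repository. Pin `ref:` to a commit SHA and build with `cargo build --release --locked` so the checked-in Cargo.lock is honored. I also do not find `server_url` among the inputs of actions/checkout@v4 — the documented input appears to be `github-server-url` — so the second checkout presumably ignores it and talks to the default server; confirm against the action's action.yml before relying on this step.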
diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index ffe47fa..c8e40c6 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml @@ -6,25 +6,21 @@ on: jobs: nyx-scan: - runs-on: docker-amd64 # eine Architektur reicht fΓΌr SAST + runs-on: docker-amd64 steps: - - name: Checkout target repo - uses: actions/checkout@v4 + - name: Checkout PR + uses: https://code.forgejo.org/actions/checkout@v4 - - name: Checkout nyx from Forgejo mirror - uses: actions/checkout@v4 - with: - repository: apunkt/nyx - # URL deiner Forgejo-Instanz: - server_url: https://deine-forgejo-instanz.example.com - ref: master - path: .nyx-src + - name: Clone nyx from Forgejo mirror + run: | + git clone --depth=1 --branch master \ + https://bitfreedom.net/code/apunkt/nyx .nyx-src - name: Install Rust - uses: https://github.com/actions-rust-lang/setup-rust-toolchain@v1 - with: - toolchain: stable + run: | + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable + echo "$HOME/.cargo/bin" >> $GITHUB_PATH - name: Build nyx from source run: | @@ -36,9 +32,9 @@ jobs: run: | nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif - - name: Upload results + - name: Upload SARIF results if: always() - uses: actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v4 with: name: nyx-sarif-report path: nyx-results.sarif \ No newline at end of file From 8f33944a65fa3d768199c39b833369ebfa50da51 Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 07:36:50 +0200 Subject: [PATCH 03/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index c8e40c6..4cd031d 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml 
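Review bot: The Install Rust step now pipes `https://sh.rustup.rs` straight into `sh` on every PR run with no pinned installer or toolchain version, and the Clone step still follows the moving `master` branch of the scanner, so both the build tool and the tool being built are unverified at run time. If the `docker-amd64` runner can run a container image, an image that already ships the Rust toolchain removes the download entirely; otherwise at least pin the toolchain, `sh -s -- -y --profile minimal --default-toolchain <version>`, and clone a fixed commit (`git clone` followed by `git fetch --depth=1 origin <sha> && git checkout <sha>`) instead of `--branch master`. `$GITHUB_PATH` in the `echo ... >> $GITHUB_PATH` line should be quoted as a matter of style.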
@@ -10,12 +10,18 @@ jobs: steps: - name: Checkout PR - uses: https://code.forgejo.org/actions/checkout@v4 + run: | + git clone --depth=1 \ + "https://oauth2:${{ github.token }}@bitfreedom.net/code/${{ github.repository }}.git" \ + . + git fetch --depth=1 origin ${{ github.sha }} + git checkout ${{ github.sha }} - name: Clone nyx from Forgejo mirror run: | git clone --depth=1 --branch master \ - https://bitfreedom.net/code/apunkt/nyx .nyx-src + "https://oauth2:${{ github.token }}@bitfreedom.net/code/apunkt/nyx.git" \ + .nyx-src - name: Install Rust run: | From d5831dc358026ba81ba09740486a4ba4c47fa4a8 Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 07:47:04 +0200 Subject: [PATCH 04/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index 4cd031d..efe6303 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml @@ -32,11 +32,11 @@ jobs: run: | cd .nyx-src cargo build --release - sudo cp target/release/nyx /usr/local/bin/nyx + cp target/release/nyx /usr/local/bin/nyx - name: Run NYX scan run: | - nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif + .nyx-src/target/release/nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif - name: Upload SARIF results if: always() From e7e93a3daaea0e4a99428327e31a184b52f4e74a Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 07:56:10 +0200 Subject: [PATCH 05/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index efe6303..8ffb685 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml 
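Review bot: Both clone URLs in this hunk embed `${{ github.token }}` as `oauth2:<token>@`, and git records that URL verbatim as `remote.origin.url` in `.git/config` of the workspace and of `.nyx-src`, so the token stays on disk for every later step (including the build of third-party code) and is also expanded into the generated shell script rather than merely masked in the log. Pass it through `env:` (`TOKEN: ${{ github.token }}`), reference `"https://oauth2:${TOKEN}@bitfreedom.net/code/..."` in the script, and scrub it afterwards with `git remote set-url origin "https://bitfreedom.net/code/${{ github.repository }}.git"` (and the equivalent inside `.nyx-src`) before any build step runs. `${{ github.repository }}` and `${{ github.sha }}` are not free-form text, but moving them to `env:` as well keeps the `run:` block free of expression interpolation.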
@@ -36,7 +36,7 @@ jobs: - name: Run NYX scan run: | - .nyx-src/target/release/nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif + .nyx-src/target/release/nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif || true - name: Upload SARIF results if: always() From 7db4e8220fbc553c82d01e453ee0d0df4895bf63 Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 07:58:15 +0200 Subject: [PATCH 06/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index 8ffb685..3093264 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml @@ -38,6 +38,9 @@ jobs: run: | .nyx-src/target/release/nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif || true + - name: Show findings + run: cat nyx-results.sarif + - name: Upload SARIF results if: always() uses: https://code.forgejo.org/actions/upload-artifact@v4 From ea417b54f188674237363fcc25a2d4cc72c80492 Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 08:10:27 +0200 Subject: [PATCH 07/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 50 ++++++++++++++++++++++++------- 1 file changed, 40 insertions(+), 10 deletions(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index 3093264..bdda042 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml 
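Review bot: Appending `|| true` to the scan command discards nyx's exit status, so `--fail-on MEDIUM` can no longer fail the job and the workflow stops being a merge gate — every PR passes regardless of findings. If the goal is to keep running so the SARIF still gets uploaded, keep the status instead: give the step `id: nyx` and `continue-on-error: true`, drop `|| true`, and add a final step `if: steps.nyx.outcome == 'failure'` that runs `exit 1` after the upload. That preserves both the artifact and the gate.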
@@ -32,18 +32,48 @@ jobs: run: | cd .nyx-src cargo build --release - cp target/release/nyx /usr/local/bin/nyx - name: Run NYX scan + id: nyx run: | - .nyx-src/target/release/nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif || true + .nyx-src/target/release/nyx scan --format sarif --fail-on HIGH > nyx-results.sarif 2>&1 + continue-on-error: true - - name: Show findings - run: cat nyx-results.sarif - - - name: Upload SARIF results + - name: Post findings as PR comment if: always() - uses: https://code.forgejo.org/actions/upload-artifact@v4 - with: - name: nyx-sarif-report - path: nyx-results.sarif \ No newline at end of file + run: | + FINDINGS=$(python3 -c " + import json, sys + + with open('nyx-results.sarif') as f: + data = json.load(f) + + results = data.get('runs', [{}])[0].get('results', []) + + if not results: + body = 'βœ… NYX scan: no findings above threshold.' + else: + lines = [f'## πŸ”΄ NYX found {len(results)} issue(s)\n'] + for r in results: + level = r.get('level', '?') + msg = r.get('message', {}).get('text', '?') + rule = r.get('ruleId', '?') + loc = r.get('locations', [{}])[0].get('physicalLocation', {}) + path = loc.get('artifactLocation', {}).get('uri', '?') + line = loc.get('region', {}).get('startLine', '?') + col = loc.get('region', {}).get('startColumn', '?') + lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] β€” {msg}') + body = '\n'.join(lines) + + print(body) + ") + + curl -s -X POST \ + -H "Authorization: token ${{ github.token }}" \ + -H "Content-Type: application/json" \ + "https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ + -d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}" + + - name: Fail if HIGH or above findings found + if: steps.nyx.outcome == 'failure' + run: exit 1 \ No newline at end of file From 8af8b079ebb1f82f6232612844fc2869c24a5f60 Mon Sep 17 00:00:00 2001 
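Review bot: `2>&1` in the Run NYX scan step sends the scanner's stderr into `nyx-results.sarif`, so any warning or panic text turns the file into invalid JSON and the `json.load` in the next step raises — and since that step runs `if: always()`, a scan that never produced the file fails the same way; write stderr elsewhere (`2> nyx-stderr.log`) and guard the comment step with a `[ -f nyx-results.sarif ] || exit 0` check at the top of its script. The comment POST uses `curl -s` with neither `-f` nor `-S`, so a 401/403/404 from the API is swallowed and the step reports success with no comment posted; use `curl -sSf`. The body is assembled from `message.text`, `ruleId` and file paths of the scanned PR, i.e. content the PR author can influence; `json.dumps` keeps the JSON well-formed, but that text lands in the PR comment as raw markdown, so consider wrapping each finding in a code span or fence. The threshold also moves from MEDIUM to HIGH in this hunk, which the commit message does not mention.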
From: alpha-nerd Date: Wed, 13 May 2026 08:23:41 +0200 Subject: [PATCH 08/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index bdda042..2f19de7 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml @@ -7,6 +7,9 @@ on: jobs: nyx-scan: runs-on: docker-amd64 + permissions: + issues: write + pull-requests: write steps: - name: Checkout PR From e04386f838b08edd862f3c1c40ed6d2987ef6314 Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 08:25:21 +0200 Subject: [PATCH 09/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index 2f19de7..5560d5c 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml @@ -7,9 +7,9 @@ on: jobs: nyx-scan: runs-on: docker-amd64 - permissions: - issues: write - pull-requests: write + permissions: + issues: write + pull-requests: write steps: - name: Checkout PR From efd30207e2e222662d52968835516aed7b04cbe4 Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 08:36:18 +0200 Subject: [PATCH 10/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index 5560d5c..f3c3d0c 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml 
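Review bot: The new `permissions:` block grants `issues: write` and `pull-requests: write` but not `contents: read`, yet the Checkout PR step clones the repository with `${{ github.token }}`; under GitHub Actions semantics an explicit permissions block sets every unlisted scope to none, which would break that clone, so add `contents: read` if Forgejo applies the same rule. Whether Forgejo Actions honors a job-level `permissions:` key at all is worth confirming — if it is ignored, the token keeps its default scope and this block only documents intent. The indentation of the three added lines is not recoverable in this view; make sure `issues` and `pull-requests` are nested under `permissions` rather than sitting beside it as job keys.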
@@ -74,7 +74,7 @@ jobs: curl -s -X POST \ -H "Authorization: token ${{ github.token }}" \ -H "Content-Type: application/json" \ - "https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ + "https://bitfreedom.net/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ -d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}" - name: Fail if HIGH or above findings found From 6e2cab6143ed3fab01fbc2342e8b64208b7acfcd Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 09:35:40 +0200 Subject: [PATCH 11/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 37 +++++++++++++------------------ 1 file changed, 15 insertions(+), 22 deletions(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index f3c3d0c..2708ca7 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml @@ -7,9 +7,6 @@ on: jobs: nyx-scan: runs-on: docker-amd64 - permissions: - issues: write - pull-requests: write steps: - name: Checkout PR @@ -43,7 +40,7 @@ jobs: continue-on-error: true - name: Post findings as PR comment - if: always() + if: steps.nyx.outcome == 'failure' run: | FINDINGS=$(python3 -c " import json, sys 
@@ -53,28 +50,24 @@ jobs: results = data.get('runs', [{}])[0].get('results', []) - if not results: - body = 'βœ… NYX scan: no findings above threshold.' - else: - lines = [f'## πŸ”΄ NYX found {len(results)} issue(s)\n'] - for r in results: - level = r.get('level', '?') - msg = r.get('message', {}).get('text', '?') - rule = r.get('ruleId', '?') - loc = r.get('locations', [{}])[0].get('physicalLocation', {}) - path = loc.get('artifactLocation', {}).get('uri', '?') - line = loc.get('region', {}).get('startLine', '?') - col = loc.get('region', {}).get('startColumn', '?') - lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] β€” {msg}') - body = '\n'.join(lines) + lines = [f'## πŸ”΄ NYX found {len(results)} issue(s)\n'] + for r in results: + level = r.get('level', '?') + msg = r.get('message', {}).get('text', '?') + rule = r.get('ruleId', '?') + loc = r.get('locations', [{}])[0].get('physicalLocation', {}) + path = loc.get('artifactLocation', {}).get('uri', '?') + line = loc.get('region', {}).get('startLine', '?') + col = loc.get('region', {}).get('startColumn', '?') + lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] β€” {msg}') - print(body) + print('\n'.join(lines)) ") - curl -s -X POST \ - -H "Authorization: token ${{ github.token }}" \ + curl -sf -X POST \ + -H "Authorization: token ${{ secrets.FORGEJO_PUSH_TOKEN }}" \ -H "Content-Type: application/json" \ - "https://bitfreedom.net/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ + "https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ -d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}" - name: Fail if HIGH or above findings found From af05a4772e59d64e1ad698ccdad623b01c82e1be Mon Sep 17 00:00:00 2001 
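Review bot: The comment step now authenticates with `secrets.FORGEJO_PUSH_TOKEN`, a credential whose name suggests push (repository write) rights, to do nothing more than POST an issue comment; a token limited to issue/PR comment access on this repository is all this step needs, and a push-capable secret should not be exposed to a job triggered by every `pull_request`, the more so if Forgejo makes secrets available to PRs from forks — confirm that before relying on it. `curl -sf` also hides the response body on HTTP errors, so a rejected token fails the step with no explanation; `curl -sSf` keeps the error visible. The secret is spliced into the `run:` script via `${{ }}`; passing it through `env:` and using `-H "Authorization: token ${FORGEJO_TOKEN}"` keeps it out of the rendered script.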
From: alpha-nerd Date: Wed, 13 May 2026 09:44:49 +0200 Subject: [PATCH 12/13] .forgejo/workflows/nyxscanner.yml aktualisiert test LOW for PR comments to work or not --- .forgejo/workflows/nyxscanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index 2708ca7..c508ca4 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml @@ -36,7 +36,7 @@ jobs: - name: Run NYX scan id: nyx run: | - .nyx-src/target/release/nyx scan --format sarif --fail-on HIGH > nyx-results.sarif 2>&1 + .nyx-src/target/release/nyx scan --format sarif --fail-on LOW > nyx-results.sarif 2>&1 continue-on-error: true - name: Post findings as PR comment From aebbe832c2269fd14b54aa22c58b0950ca78782e Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 10:05:06 +0200 Subject: [PATCH 13/13] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 63 +++++-------------------------- 1 file changed, 10 insertions(+), 53 deletions(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index c508ca4..2ee672c 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml 
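Review bot: `--fail-on LOW` is committed to the workflow as a test setting (per the commit message), so until it is reverted every PR is blocked on LOW findings and the gate's effective policy no longer matches the reviewed one. Keep the threshold in a single workflow-level `env:` (e.g. `NYX_FAIL_ON: HIGH`) and reference `--fail-on "$NYX_FAIL_ON"` in the scan command, so an experiment is an obviously temporary one-line change rather than an edit to the scan invocation itself.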
@@ -17,59 +17,16 @@ jobs: git fetch --depth=1 origin ${{ github.sha }} git checkout ${{ github.sha }} - - name: Clone nyx from Forgejo mirror + - name: Fetch action source run: | git clone --depth=1 --branch master \ - "https://oauth2:${{ github.token }}@bitfreedom.net/code/apunkt/nyx.git" \ - .nyx-src + "https://oauth2:${{ github.token }}@bitfreedom.net/code/nomyo-ai/actions.git" \ + ./.nyx-action - - name: Install Rust - run: | - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable - echo "$HOME/.cargo/bin" >> $GITHUB_PATH - - - name: Build nyx from source - run: | - cd .nyx-src - cargo build --release - - - name: Run NYX scan - id: nyx - run: | - .nyx-src/target/release/nyx scan --format sarif --fail-on LOW > nyx-results.sarif 2>&1 - continue-on-error: true - - - name: Post findings as PR comment - if: steps.nyx.outcome == 'failure' - run: | - FINDINGS=$(python3 -c " - import json, sys - - with open('nyx-results.sarif') as f: - data = json.load(f) - - results = data.get('runs', [{}])[0].get('results', []) - - lines = [f'## πŸ”΄ NYX found {len(results)} issue(s)\n'] - for r in results: - level = r.get('level', '?') - msg = r.get('message', {}).get('text', '?') - rule = r.get('ruleId', '?') - loc = r.get('locations', [{}])[0].get('physicalLocation', {}) - path = loc.get('artifactLocation', {}).get('uri', '?') - line = loc.get('region', {}).get('startLine', '?') - col = loc.get('region', {}).get('startColumn', '?') - lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] β€” {msg}') - - print('\n'.join(lines)) - ") - - curl -sf -X POST \ - -H "Authorization: token ${{ secrets.FORGEJO_PUSH_TOKEN }}" \ - -H "Content-Type: application/json" \ - "https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ - -d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}" - - - name: Fail if HIGH or above 
findings found - if: steps.nyx.outcome == 'failure' - run: exit 1 \ No newline at end of file + - uses: ./.nyx-action/nyx-scan + with: + forgejo_push_token: ${{ secrets.FORGEJO_PUSH_TOKEN }} + repository: ${{ github.repository }} + pr_number: ${{ github.event.pull_request.number }} + sha: ${{ github.sha }} + fail_on: HIGH \ No newline at end of file
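Review bot: The job now executes whatever is on the `master` branch of `nomyo-ai/actions` at run time (`git clone --depth=1 --branch master` followed by `uses: ./.nyx-action/nyx-scan`) and hands it `secrets.FORGEJO_PUSH_TOKEN` together with the checked-out workspace; nothing in this repository pins or verifies that code, so a push to that branch silently changes what runs here with this job's secrets available. Pin the action to a reviewed commit and check it out the same way the PR itself is checked out in the leading context (clone, `fetch --depth=1 origin <sha>`, `checkout <sha>`), and scrub the token-bearing `oauth2:${{ github.token }}@` URL from `.nyx-action/.git/config` before the action runs, since git persists it there as `remote.origin.url`. `fail_on: HIGH` as a plain scalar is fine; the same review needs to happen on `nyx-scan/action.yml` in that repository, which is not visible here. The Checkout PR step whose `git fetch`/`git checkout` lines open this hunk starts outside it.

```yaml
      - name: Fetch action source
        env:
          TOKEN: ${{ github.token }}
          NYX_ACTION_SHA: <commit sha of nomyo-ai/actions reviewed for this workflow>
        run: |
          git clone --depth=1 \
            "https://oauth2:${TOKEN}@bitfreedom.net/code/nomyo-ai/actions.git" \
            ./.nyx-action
          git -C ./.nyx-action fetch --depth=1 origin "$NYX_ACTION_SHA"
          git -C ./.nyx-action checkout "$NYX_ACTION_SHA"
          git -C ./.nyx-action remote set-url origin \
            https://bitfreedom.net/code/nomyo-ai/actions.git
      # … unchanged: uses: ./.nyx-action/nyx-scan step and its inputs …
```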