From 69253a7e0db71993bf99776df63c715d5d30dd46 Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 07:18:17 +0200 Subject: [PATCH 1/3] nyx security scanner integration --- .forgejo/workflows/nyxscanner.yml | 44 +++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .forgejo/workflows/nyxscanner.yml diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml new file mode 100644 index 0000000..7c9313f --- /dev/null +++ b/.forgejo/workflows/nyxscanner.yml @@ -0,0 +1,44 @@ +name: NYX Security Scan + +on: + pull_request: + branches: [main, master] + +jobs: + nyx-scan: + runs-on: docker-amd64 # eine Architektur reicht für SAST + + steps: + - name: Checkout target repo + uses: actions/checkout@v4 + + - name: Checkout nyx from Forgejo mirror + uses: actions/checkout@v4 + with: + repository: apunkt/nyx + # URL deiner Forgejo-Instanz: + server_url: https://bitfreedom.net/code/ + ref: master + path: .nyx-src + + - name: Install Rust + uses: https://github.com/actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: stable + + - name: Build nyx from source + run: | + cd .nyx-src + cargo build --release + sudo cp target/release/nyx /usr/local/bin/nyx + + - name: Run NYX scan + run: | + nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif + + - name: Upload results + if: always() + uses: actions/upload-artifact@v4 + with: + name: nyx-sarif-report + path: nyx-results.sarif \ No newline at end of file From f4bc272e0b39a2f1dc206e643c77dd0f213a984e Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 10:15:16 +0200 Subject: [PATCH 2/3] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 46 ++++++++++++------------------- 1 file changed, 17 insertions(+), 29 deletions(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index 7c9313f..2ee672c 100644 --- a/.forgejo/workflows/nyxscanner.yml +++ b/.forgejo/workflows/nyxscanner.yml 
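Review bot: The scanner binary is built from an unpinned `ref: master` of `apunkt/nyx` and copied with `sudo cp` into `/usr/local/bin`, and the toolchain comes from the mutable tag `setup-rust-toolchain@v1`, so whatever those refs point at when a pull request opens is what executes with sudo on the runner; pin `ref:` (and ideally the `uses:` lines) to a full commit SHA and bump it deliberately. The `server_url:` key under `with:` does not look like an input of `actions/checkout@v4` (the documented input is `github-server-url`), so it is presumably ignored and the checkout falls back to the runner's default server, which may only work here by coincidence — worth confirming in a run log. Since `--fail-on MEDIUM` makes the scan step exit non-zero on findings, the upload step's `if: always()` is doing real work; a one-line comment such as `# scan step fails on findings; always() keeps the SARIF upload` above it would make that dependency explicit.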
@@ -6,39 +6,27 @@ on: jobs: nyx-scan: - runs-on: docker-amd64 # eine Architektur reicht für SAST + runs-on: docker-amd64 steps: - - name: Checkout target repo - uses: actions/checkout@v4 - - - name: Checkout nyx from Forgejo mirror - uses: actions/checkout@v4 - with: - repository: apunkt/nyx - # URL deiner Forgejo-Instanz: - server_url: https://bitfreedom.net/code/ - ref: master - path: .nyx-src - - - name: Install Rust - uses: https://github.com/actions-rust-lang/setup-rust-toolchain@v1 - with: - toolchain: stable - - - name: Build nyx from source + - name: Checkout PR run: | - cd .nyx-src - cargo build --release - sudo cp target/release/nyx /usr/local/bin/nyx + git clone --depth=1 \ + "https://oauth2:${{ github.token }}@bitfreedom.net/code/${{ github.repository }}.git" \ + . + git fetch --depth=1 origin ${{ github.sha }} + git checkout ${{ github.sha }} - - name: Run NYX scan + - name: Fetch action source run: | - nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif + git clone --depth=1 --branch master \ + "https://oauth2:${{ github.token }}@bitfreedom.net/code/nomyo-ai/actions.git" \ + ./.nyx-action - - name: Upload results - if: always() - uses: actions/upload-artifact@v4 + - uses: ./.nyx-action/nyx-scan with: - name: nyx-sarif-report - path: nyx-results.sarif \ No newline at end of file + forgejo_push_token: ${{ secrets.FORGEJO_PUSH_TOKEN }} + repository: ${{ github.repository }} + pr_number: ${{ github.event.pull_request.number }} + sha: ${{ github.sha }} + fail_on: HIGH \ No newline at end of file From c8ff25f8f5ed3240b8c2290104165c642ec74f9b Mon Sep 17 00:00:00 2001 From: alpha-nerd Date: Wed, 13 May 2026 10:43:49 +0200 Subject: [PATCH 3/3] .forgejo/workflows/nyxscanner.yml aktualisiert --- .forgejo/workflows/nyxscanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml index 2ee672c..9d1a8dc 100644 --- a/.forgejo/workflows/nyxscanner.yml 
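Review bot: Both `git clone` lines in the `Checkout PR` and `Fetch action source` steps embed `${{ github.token }}` in the remote URL, which git persists in the `.git/config` of the working tree and of `./.nyx-action`, so the token remains readable on disk for every later step, including the third-party `nyx-scan` action that runs afterwards; either pass the credential per command via `-c http.extraheader` or strip it right after cloning with `git remote set-url origin "https://bitfreedom.net/code/${{ github.repository }}.git"` (and the equivalent for `./.nyx-action`). The action is fetched from the mutable `--branch master` of `nomyo-ai/actions` and then handed `secrets.FORGEJO_PUSH_TOKEN`, so whoever can update that branch controls a push-capable credential for this repository; fetch a fixed commit instead, e.g. `git fetch --depth=1 origin <pinned-commit-sha>` followed by `git checkout FETCH_HEAD`, and update the pin intentionally. Whether `github.sha` on a `pull_request` event is the PR head or a merge commit on this Forgejo instance is not visible here; if the action is expected to annotate the head commit, confirm that the `sha:` input it receives matches what `Checkout PR` actually checked out.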
+++ b/.forgejo/workflows/nyxscanner.yml @@ -2,7 +2,7 @@ name: NYX Security Scan on: pull_request: - branches: [main, master] + branches: [main] jobs: nyx-scan: