
feat!: release v2.0.0 with malware scanner, BoltDB, and entropy engine #8


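# Semantic Firewall — runs `sfw diff` on every Go file changed between a base
# commit and HEAD and writes a per-file "semantic match %" table to the step
# summary.
#
# Two modes, chosen by the "Determine Mode" step:
#   BLOCKER  — a pull request carrying the `semantic-safe` label, or whose title
#              contains "refactor", must preserve logic in every changed Go
#              file; any file below 100% match (or any file sfw could not
#              analyse) fails the job.
#   REPORTER — everything else (pushes, tags, other PRs): drift is reported in
#              the summary but never fails the job.
#
# Note that the "refactor"-in-title heuristic is under the PR author's control,
# so it can only opt a PR *into* the strict mode; the `semantic-safe` label
# (which only collaborators can apply) is the real gate.
name: Semantic Firewall

on:
  push:
    branches: [ "main" ]
    tags: [ "v*" ]  # also run on release tags
  pull_request:
    branches: [ "main" ]
    # `labeled` re-runs the check when `semantic-safe` is added after opening.
    types: [opened, synchronize, reopened, labeled]

env:
  # NOTE(review): the analysis tool that gates PRs is installed at run time.
  # Pin this to a release tag or commit so the verdict cannot change just
  # because a new sfw was published upstream; `latest` is the previous
  # behaviour, kept here so the change is opt-in.
  SFW_VERSION: latest

jobs:
  semantic-analysis:
    runs-on: ubuntu-latest
    # Least privilege: the job only reads the checkout and writes to
    # $GITHUB_STEP_SUMMARY / workflow annotations, none of which needs a
    # token scope. (`pull-requests: write` was granted before but no step
    # calls the API; re-add it only if a step starts posting PR comments.)
    permissions:
      contents: read
    steps:
      # NOTE(review): consider pinning both actions to a full commit SHA
      # rather than a mutable major tag.
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # the base commit must be present for `git diff`/`git show`

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'
          check-latest: true

      - name: Install sfw
        run: |
          go install "github.com/BlackVectorOps/semantic_firewall/cmd/sfw@${SFW_VERSION}"
          # $GITHUB_PATH only takes effect in later steps; add GOPATH/bin so the
          # analysis step finds sfw even if setup-go did not put it on PATH.
          if ! command -v sfw >/dev/null 2>&1; then
            echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
          fi

      - name: Determine Mode
        id: mode
        # Expression results are passed through env rather than interpolated
        # into the script; each evaluates to the literal string true/false.
        env:
          IS_PR: ${{ github.event_name == 'pull_request' }}
          HAS_SAFE_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'semantic-safe') }}
          TITLE_HAS_REFACTOR: ${{ contains(github.event.pull_request.title, 'refactor') }}
        run: |
          # Only PRs can be BLOCKER; pushes and tags are always monitored only.
          if [[ "$IS_PR" == "true" && ( "$HAS_SAFE_LABEL" == "true" || "$TITLE_HAS_REFACTOR" == "true" ) ]]; then
            echo "mode=BLOCKER" >> "$GITHUB_OUTPUT"
            echo " Mode: BLOCKER (Strict Refactor Verification)"
          else
            echo "mode=REPORTER" >> "$GITHUB_OUTPUT"
            echo " Mode: REPORTER (Drift Monitoring)"
          fi

      - name: Run Semantic Analysis
        shell: bash  # GitHub runs this with `-eo pipefail`
        env:
          MODE: ${{ steps.mode.outputs.mode }}
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
        run: |
          set -u
          NULL_SHA="0000000000000000000000000000000000000000"

          # Base commit: the PR base for pull requests; for pushes the ref's
          # previous tip (all zeros for new branches/tags, and possibly
          # unreachable after a force-push), falling back to HEAD's parent.
          if [[ "$EVENT_NAME" == "pull_request" ]]; then
            BASE_SHA="$PR_BASE_SHA"
          elif [[ -n "$PUSH_BEFORE_SHA" && "$PUSH_BEFORE_SHA" != "$NULL_SHA" ]] \
               && git rev-parse --verify -q "${PUSH_BEFORE_SHA}^{commit}" >/dev/null; then
            BASE_SHA="$PUSH_BEFORE_SHA"
          else
            BASE_SHA="HEAD^"
          fi

          # A missing base (e.g. a root commit) is a hard failure in BLOCKER
          # mode — a refactor that cannot be compared is not verified — and
          # only a warning in REPORTER mode.
          if ! git rev-parse --verify -q "${BASE_SHA}^{commit}" >/dev/null; then
            echo "## Semantic Analysis Report ($MODE)" >> "$GITHUB_STEP_SUMMARY"
            echo "Base commit \`$BASE_SHA\` is not available in this checkout; nothing compared." >> "$GITHUB_STEP_SUMMARY"
            if [[ "$MODE" == "BLOCKER" ]]; then
              echo "::error::Base commit '$BASE_SHA' not found; cannot verify refactor."
              exit 1
            fi
            echo "::warning::Base commit '$BASE_SHA' not found; skipping semantic analysis."
            exit 0
          fi

          {
            echo "## Semantic Analysis Report ($MODE)"
            echo "Comparing HEAD vs $BASE_SHA"
            echo "| File | Status | Match % |"
            echo "| :--- | :--- | :--- |"
          } >> "$GITHUB_STEP_SUMMARY"

          # NUL-separated list of changed .go files, read into an array so the
          # loop runs in this shell (flags set inside it survive) and no
          # `git | grep -q` pipe can trip pipefail on a large diff.
          mapfile -d '' CHANGED < <(git diff --name-only -z "$BASE_SHA" HEAD -- '*.go')

          FAILED_REFACTOR=false  # a file below 100% match in BLOCKER mode
          TOOL_FAILED=false      # sfw crashed or returned non-JSON for a file

          # Scratch copy of the base-side file lives outside the working tree,
          # so it can never clobber or be confused with a tracked file.
          TEMP_OLD="$(mktemp --suffix=.go)"
          trap 'rm -f "$TEMP_OLD"' EXIT

          # jq expression yielding semantic_match_pct as a number (0 when the
          # field is absent or not numeric).
          PCT_EXPR='((.summary.semantic_match_pct // 0) | tonumber?) // 0'

          if (( ${#CHANGED[@]} == 0 )); then
            echo "No Go files changed." >> "$GITHUB_STEP_SUMMARY"
          fi

          for file in "${CHANGED[@]}"; do
            [[ -f "$file" ]] || continue  # deleted in HEAD: nothing to compare

            # A file that is new in HEAD has no base version: compare against empty.
            git show "${BASE_SHA}:${file}" > "$TEMP_OLD" 2>/dev/null || : > "$TEMP_OLD"

            if ! OUTPUT="$(sfw diff "$TEMP_OLD" "$file" 2>&1)"; then
              echo "::error file=${file}::sfw failed on ${file}: ${OUTPUT//$'\n'/ }"
              TOOL_FAILED=true
              continue
            fi
            if ! jq -e . >/dev/null 2>&1 <<<"$OUTPUT"; then
              echo "::error file=${file}::Invalid JSON output for ${file}"
              TOOL_FAILED=true
              continue
            fi

            PCT="$(jq -r "$PCT_EXPR" <<<"$OUTPUT")"
            MODIFIED="$(jq -r '.summary.modified // 0' <<<"$OUTPUT")"
            # Compare in jq so fractional percentages work without bc.
            if jq -e "($PCT_EXPR) >= 100" >/dev/null <<<"$OUTPUT"; then
              PRESERVED=true
              STATUS_ICON=" Preserved"
            else
              PRESERVED=false
              STATUS_ICON=" Modified ($MODIFIED)"
              if [[ "$MODE" == "BLOCKER" ]]; then
                FAILED_REFACTOR=true
                echo "::error file=${file}::Logic change detected in safe refactor! (${PCT}%)"
              fi
            fi

            # Escape `|` in paths so a filename cannot break the markdown table.
            echo "| \`${file//|/\\|}\` | $STATUS_ICON | **${PCT}%** |" >> "$GITHUB_STEP_SUMMARY"

            if [[ "$PRESERVED" != "true" ]]; then
              echo "::group::Details for $file"
              jq . <<<"$OUTPUT"
              echo "::endgroup::"
            fi
          done

          if [[ "$MODE" == "BLOCKER" ]]; then
            if [[ "$FAILED_REFACTOR" == "true" ]]; then
              { echo ""; echo " **CI FAILED**: Logic changed in 'semantic-safe' PR."; } >> "$GITHUB_STEP_SUMMARY"
              exit 1
            fi
            # An unanalysed file is an unverified file: do not let a tool
            # crash turn into a green check on a strict refactor PR.
            if [[ "$TOOL_FAILED" == "true" ]]; then
              { echo ""; echo " **CI FAILED**: sfw could not analyse every changed Go file; refactor not verified."; } >> "$GITHUB_STEP_SUMMARY"
              exit 1
            fi
          fi
          exit 0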