ci: Migrate audit steps from Buildkite to GitHub Actions

oasisprotocol · Nov 13, 2020 · ffaec10 · ffaec10
1 parent dd3998d
commit ffaec10
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 52 deletions.
diff --git a/.buildkite/code.pipeline.yml b/.buildkite/code.pipeline.yml
@@ -86,20 +86,6 @@ steps:
     plugins:
       <<: *docker_plugin
 
-  - label: Audit Rust dependencies for vulnerabilities
-    command: .buildkite/rust/cargo_audit.sh
-    retry:
-      <<: *retry_agent_failure
-    plugins:
-      <<: *docker_plugin
-
-  - label: Audit Go dependencies for vulnerabilities
-    command: .buildkite/go/nancy_audit.sh
-    retry:
-      <<: *retry_agent_failure
-    plugins:
-      <<: *docker_plugin
-
   ############
   # Build jobs
   ############

diff --git a/.buildkite/go/nancy_audit.sh b/.buildkite/go/nancy_audit.sh
diff --git a/.buildkite/rust/cargo_audit.sh b/.buildkite/rust/cargo_audit.sh
diff --git a/.github/workflows/ci-audit-rust.yml b/.github/workflows/ci-audit-rust.yml
@@ -0,0 +1,48 @@
+# NOTE: This name appears in GitHub's Checks API and in workflow's status badge.
+name: ci-audit-rust
+
+# Trigger the workflow when:
+on:
+  # A push occurs to one of the matched branches.
+  push:
+    # XXX: Ideally, on the master branch we would only run this workflow if
+    # there are changes to the Cargo.toml or Cargo.local files (like for pull
+    # requests).
+    # However, this doesn't work when pushing a new 'stable/*' branch. The build
+    # on a new branch does not trigger unless there are changes compared to
+    # master on the filtered path.
+    # If this is ever fixed, or per branch filters are possible, bring back the
+    # path filter to only run this workflow if there are changes to the
+    # Cargo.toml or Cargo.local files.
+    branches:
+      - master
+      - stable/*
+  # Or when a pull request event occurs for a pull request against one of the
+  # matched branches and at least one modified file matches the configured
+  # paths.
+  pull_request:
+    branches:
+      - master
+      - stable/*
+    paths:
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+  # Or every day at 04:00 UTC (for the default/master branch).
+  schedule:
+    - cron: "0 4 * * *"
+
+jobs:
+
+  audit-rust:
+    # NOTE: This name appears in GitHub's Checks API.
+    name: audit-rust
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      # NOTE: To run this step locally, make sure you have cargo-audit installed
+      # and run 'make audit-rust'.
+      - name: Audit Rust dependencies for vulnerabilities
+        uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml
@@ -43,11 +43,29 @@ jobs:
         uses: actions/[email protected]
         with:
           go-version: "1.15.x"
+      - name: Set up Rust
+        uses: actions-rs/toolchain@v1
       - name: Install prerequisites
         run: |
           python -m pip install \
             https://github.com/oasislabs/towncrier/archive/oasis-master.tar.gz \
             gitlint
+      - name: Install Nancy
+        run: |
+          set -eux
+          cd $(mktemp --directory /tmp/nancy.XXXXX)
+          NANCY_TARBALL=nancy-linux.amd64-v${NANCY_VERSION}.tar.gz
+          ${CURL_CMD} ${NANCY_URL_PREFIX}/v${NANCY_VERSION}/${NANCY_TARBALL} \
+            --output ${NANCY_TARBALL}
+          ${CURL_CMD} ${NANCY_URL_PREFIX}/v${NANCY_VERSION}/nancychecksums.txt \
+            --output CHECKSUMS
+          sha256sum --check --ignore-missing CHECKSUMS
+          tar -xf ${NANCY_TARBALL}
+          sudo mv nancy /usr/local/bin
+        env:
+          NANCY_URL_PREFIX: https://github.com/sonatype-nexus-community/nancy/releases/download/
+          NANCY_VERSION: 1.0.1
+          CURL_CMD: curl --proto =https --tlsv1.2 -sSL --fail
       - name: Check for presence of a Change Log fragment (only pull requests)
         run: |
           # Fetch the pull request' base branch so towncrier will be able to
@@ -81,6 +99,11 @@ jobs:
           make lint-docs
         # Always run this step so that all linting errors can be seen at once.
         if: always()
+      - name: Audit Go dependencies for vulnerabilities
+        run: |
+          make audit-go
+        # Always run this step so that all linting errors can be seen at once.
+        if: always()
       - name: Check go mod tidy
         # NOTE: go mod tidy doesn't implement a check mode yet.
         # For more details, see: https://github.com/golang/go/issues/27005.

diff --git a/README.md b/README.md
@@ -2,6 +2,7 @@
 
 [![Build status][buildkite-badge]][buildkite-link]
 [![CI lint status][github-ci-lint-badge]][github-ci-lint-link]
+[![CI audit Rust status][github-ci-audit-rust-badge]][github-ci-audit-rust-link]
 [![CI reproducibility status][github-ci-repr-badge]][github-ci-repr-link]
 [![Docker status][github-docker-badge]][github-docker-link]
 [![Release status][github-release-badge]][github-release-link]
@@ -19,6 +20,8 @@ work around that and make the second (non-header) row also bold. -->
 [buildkite-link]: https://buildkite.com/oasisprotocol/oasis-core-ci
 [github-ci-lint-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-lint/badge.svg
 [github-ci-lint-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-lint+branch:master
+[github-ci-audit-rust-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-audit-rust/badge.svg
+[github-ci-audit-rust-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-audit-rust+branch:master
 [github-ci-repr-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-reproducibility/badge.svg
 [github-ci-repr-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-reproducibility
 [github-docker-badge]: https://github.com/oasisprotocol/oasis-core/workflows/docker/badge.svg