From ffaec1057762fb29d3215de376185606a46460ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tadej=20Jane=C5=BE?= Date: Fri, 13 Nov 2020 13:01:21 +0100 Subject: [PATCH] ci: Migrate audit steps from Buildkite to GitHub Actions --- .buildkite/code.pipeline.yml | 14 --------- .buildkite/go/nancy_audit.sh | 20 ------------ .buildkite/rust/cargo_audit.sh | 18 ----------- .github/workflows/ci-audit-rust.yml | 48 +++++++++++++++++++++++++++++ .github/workflows/ci-lint.yml | 23 ++++++++++++++ README.md | 3 ++ 6 files changed, 74 insertions(+), 52 deletions(-) delete mode 100755 .buildkite/go/nancy_audit.sh delete mode 100755 .buildkite/rust/cargo_audit.sh create mode 100644 .github/workflows/ci-audit-rust.yml diff --git a/.buildkite/code.pipeline.yml b/.buildkite/code.pipeline.yml index c136b4d71af..a263c5bc8d8 100644 --- a/.buildkite/code.pipeline.yml +++ b/.buildkite/code.pipeline.yml @@ -86,20 +86,6 @@ steps: plugins: <<: *docker_plugin - - label: Audit Rust dependencies for vulnerabilities - command: .buildkite/rust/cargo_audit.sh - retry: - <<: *retry_agent_failure - plugins: - <<: *docker_plugin - - - label: Audit Go dependencies for vulnerabilities - command: .buildkite/go/nancy_audit.sh - retry: - <<: *retry_agent_failure - plugins: - <<: *docker_plugin - ############ # Build jobs ############ diff --git a/.buildkite/go/nancy_audit.sh b/.buildkite/go/nancy_audit.sh deleted file mode 100755 index 7d1ca503779..00000000000 --- a/.buildkite/go/nancy_audit.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/bin/bash - -############################################################ -# This script checks Go.sum for dependencies with -# reported security vulnerabilities. -# -# Usage: -# nancy_audit.sh -############################################################ - -# Helpful tips on writing build scripts: -# https://buildkite.com/docs/pipelines/writing-build-scripts -set -euxo pipefail - -######################################## -# Check dependencies for vulnerabilities -######################################## -pushd go - go list -json -m all | nancy sleuth -popd diff --git a/.buildkite/rust/cargo_audit.sh b/.buildkite/rust/cargo_audit.sh deleted file mode 100755 index 25a14ada7d8..00000000000 --- a/.buildkite/rust/cargo_audit.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -############################################################ -# This script checks Cargo.lock for dependencies with -# reported security vulnerabilities. -# -# Usage: -# cargo_audit.sh -############################################################ - -# Helpful tips on writing build scripts: -# https://buildkite.com/docs/pipelines/writing-build-scripts -set -euxo pipefail - -######################################## -# Check dependencies for vulnerabilities -######################################## -cargo audit diff --git a/.github/workflows/ci-audit-rust.yml b/.github/workflows/ci-audit-rust.yml new file mode 100644 index 00000000000..dfd8a9096f4 --- /dev/null +++ b/.github/workflows/ci-audit-rust.yml 
@@ -0,0 +1,48 @@ +# NOTE: This name appears in GitHub's Checks API and in workflow's status badge. +name: ci-audit-rust + +# Trigger the workflow when: +on: + # A push occurs to one of the matched branches. + push: + # XXX: Ideally, on the master branch we would only run this workflow if + # there are changes to the Cargo.toml or Cargo.local files (like for pull + # requests). + # However, this doesn't work when pushing a new 'stable/*' branch. The build + # on a new branch does not trigger unless there are changes compared to + # master on the filtered path. + # If this is ever fixed, or per branch filters are possible, bring back the + # path filter to only run this workflow if there are changes to the + # Cargo.toml or Cargo.local files. + branches: + - master + - stable/* + # Or when a pull request event occurs for a pull request against one of the + # matched branches and at least one modified file matches the configured + # paths. + pull_request: + branches: + - master + - stable/* + paths: + - '**/Cargo.toml' + - '**/Cargo.lock' + # Or every day at 04:00 UTC (for the default/master branch). + schedule: + - cron: "0 4 * * *" + +jobs: + + audit-rust: + # NOTE: This name appears in GitHub's Checks API. + name: audit-rust + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v2 + # NOTE: To run this step locally, make sure you have cargo-audit installed + # and run 'make audit-rust'. + - name: Audit Rust dependencies for vulnerabilities + uses: actions-rs/audit-check@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml index bef4d517947..a351a6dfd58 100644 --- a/.github/workflows/ci-lint.yml +++ b/.github/workflows/ci-lint.yml 
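Review bot: The XXX comment above the push `branches:` filter names `Cargo.local` twice, but the file the `pull_request` `paths:` filter guards (and the one the removed cargo_audit.sh described checking) is `Cargo.lock`; change both occurrences to `Cargo.lock` so the note matches the filter it explains. Separately, `actions/checkout@v2` and `actions-rs/audit-check@v1` are referenced by mutable tags while the job is handed `secrets.GITHUB_TOKEN`; for the step that is itself the dependency-vulnerability gate, pinning to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions-rs/audit-check@<commit-sha> # v1`, removes the dependence on nobody moving the tag. The same applies to the `actions-rs/toolchain@v1` step added in `.github/workflows/ci-lint.yml`.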
@@ -43,11 +43,29 @@ jobs: uses: actions/setup-go@v2.1.3 with: go-version: "1.15.x" + - name: Set up Rust + uses: actions-rs/toolchain@v1 - name: Install prerequisites run: | python -m pip install \ https://github.com/oasislabs/towncrier/archive/oasis-master.tar.gz \ gitlint + - name: Install Nancy + run: | + set -eux + cd $(mktemp --directory /tmp/nancy.XXXXX) + NANCY_TARBALL=nancy-linux.amd64-v${NANCY_VERSION}.tar.gz + ${CURL_CMD} ${NANCY_URL_PREFIX}/v${NANCY_VERSION}/${NANCY_TARBALL} \ + --output ${NANCY_TARBALL} + ${CURL_CMD} ${NANCY_URL_PREFIX}/v${NANCY_VERSION}/nancychecksums.txt \ + --output CHECKSUMS + sha256sum --check --ignore-missing CHECKSUMS + tar -xf ${NANCY_TARBALL} + sudo mv nancy /usr/local/bin + env: + NANCY_URL_PREFIX: https://github.com/sonatype-nexus-community/nancy/releases/download/ + NANCY_VERSION: 1.0.1 + CURL_CMD: curl --proto =https --tlsv1.2 -sSL --fail - name: Check for presence of a Change Log fragment (only pull requests) run: | # Fetch the pull request' base branch so towncrier will be able to @@ -81,6 +99,11 @@ jobs: make lint-docs # Always run this step so that all linting errors can be seen at once. if: always() + - name: Audit Go dependencies for vulnerabilities + run: | + make audit-go + # Always run this step so that all linting errors can be seen at once. + if: always() - name: Check go mod tidy # NOTE: go mod tidy doesn't implement a check mode yet. # For more details, see: https://github.com/golang/go/issues/27005. diff --git a/README.md b/README.md index 9f14da1f72f..fa3ed849062 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,7 @@ [![Build status][buildkite-badge]][buildkite-link] [![CI lint status][github-ci-lint-badge]][github-ci-lint-link] +[![CI audit Rust status][github-ci-audit-rust-badge]][github-ci-audit-rust-link] [![CI reproducibility status][github-ci-repr-badge]][github-ci-repr-link] [![Docker status][github-docker-badge]][github-docker-link] [![Release status][github-release-badge]][github-release-link] 
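Review bot: In the `Install Nancy` step the `sha256sum --check --ignore-missing CHECKSUMS` verification only proves the tarball matches the `nancychecksums.txt` fetched from the same release URL a moment earlier, so it catches a truncated or corrupted download but not a release asset that was replaced together with its checksum file. Pinning the expected digest in the workflow gives the check an independent reference: add `NANCY_SHA256: <sha256 of nancy-linux.amd64-v1.0.1.tar.gz>` under `env:` and replace the checksum download and check with `echo "${NANCY_SHA256}  ${NANCY_TARBALL}" | sha256sum --check`, which also makes a `NANCY_VERSION` bump and its digest change land in the same diff. In the second hunk (`@@ -81,6 +99,11 @@`) the comment copied onto the new `Audit Go dependencies for vulnerabilities` step still says `linting errors`; `# Always run this step so that audit results are reported even if an earlier lint step failed.` describes the step it now sits on. The steps list both hunks edit begins and ends outside the hunks (`jobs:` appears only as `@@` context).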
@@ -19,6 +20,8 @@ work around that and make the second (non-header) row also bold. --> [buildkite-link]: https://buildkite.com/oasisprotocol/oasis-core-ci [github-ci-lint-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-lint/badge.svg [github-ci-lint-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-lint+branch:master +[github-ci-audit-rust-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-audit-rust/badge.svg +[github-ci-audit-rust-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-audit-rust+branch:master [github-ci-repr-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-reproducibility/badge.svg [github-ci-repr-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-reproducibility [github-docker-badge]: https://github.com/oasisprotocol/oasis-core/workflows/docker/badge.svg