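name: Security audit

# Least privilege: the default GITHUB_TOKEN is read-only for every job unless
# that job declares its own `permissions` block (which then replaces this one).
permissions:
  contents: read

on:
  pull_request:
  schedule:
    # Runs at 00:00 UTC every day
    - cron: "0 0 * * *"
  push:
    # Only re-audit on pushes that can change the dependency graph. `**/`
    # matches any directory depth, root included, so the former
    # `crates/**/Cargo.*` entries were redundant and are folded into these.
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"
  merge_group:
    types: [checks_requested]

# One in-flight run per workflow and branch; a newer push cancels the older
# run. Scheduled runs have no head_ref and fall back to the unique run id, so
# they are never cancelled by each other.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true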
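jobs:
  # NOTE(review): every third-party action below is referenced by a mutable
  # tag or branch (`@v4`, `@v1`, `@v2`, `@nightly`, `@beta`). For supply-chain
  # safety, pin each `uses:` to a full commit SHA (keeping the tag in a trailing
  # comment) and let Dependabot's `github-actions` ecosystem keep the pins
  # current; a moved tag would otherwise silently change what runs here.
  audit:
    if: ${{ github.repository_owner == 'simonsan' }}
    runs-on: ubuntu-latest
    # A job-level `permissions` block replaces the workflow-level one, so
    # `contents: read` has to be repeated. rustsec/audit-check reports through
    # the Checks API and (per its README) can open issues from scheduled runs;
    # with the workflow-level `contents: read` alone those API calls are
    # rejected. No other job in this workflow gets these write scopes.
    permissions:
      contents: read
      checks: write
      issues: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@v1
        with:
          toolchain: stable
      - uses: Swatinem/rust-cache@v2
      # Runs cargo-audit against Cargo.lock. On pull_request events from forks
      # GITHUB_TOKEN is read-only regardless of the permissions above, so the
      # check-run annotations may be missing for those runs.
      - uses: rustsec/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

  cargo-deny:
    name: Run cargo-deny
    if: ${{ github.repository_owner == 'simonsan' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # `advisories` is deliberately left to the audit job above; this job
      # enforces the bans/licenses/sources policy (cargo-deny reads it from
      # deny.toml by default).
      - uses: EmbarkStudios/cargo-deny-action@v1
        with:
          command: check bans licenses sources

  # https://twitter.com/mycoliza/status/1571295690063753218
  nightly:
    # Guarded on the repository owner like the other jobs, so forks do not run
    # the nightly toolchain job on every push or on the schedule.
    if: ${{ github.repository_owner == 'simonsan' }}
    runs-on: ubuntu-latest
    name: ubuntu / nightly
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Install nightly
        uses: dtolnay/rust-toolchain@nightly
      - name: cargo generate-lockfile
        if: hashFiles('Cargo.lock') == ''
        run: cargo generate-lockfile
      - name: cargo test --locked
        run: cargo test --locked --all-features --all-targets

  # https://twitter.com/alcuadrado/status/1571291687837732873
  update:
    # This job checks that updating the dependencies of this crate to the latest available that
    # satisfy the versions in Cargo.toml does not break this crate. This is important as consumers
    # of this crate will generally use the latest available crates. This is subject to the standard
    # Cargo semver rules (i.e cargo does not update to a new major version unless explicitly told
    # to).
    if: ${{ github.repository_owner == 'simonsan' }}
    runs-on: ubuntu-latest
    name: ubuntu / beta / updated
    # There's no point running this if no Cargo.lock was checked in in the first place, since we'd
    # just redo what happened in the regular test job. Unfortunately, hashFiles only works in if on
    # steps, so we repeat it.
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: true
      - name: Install beta
        if: hashFiles('Cargo.lock') != ''
        uses: dtolnay/rust-toolchain@beta
      - name: cargo update
        if: hashFiles('Cargo.lock') != ''
        run: cargo update
      - name: cargo test
        if: hashFiles('Cargo.lock') != ''
        # `--locked` after `cargo update` asserts the refreshed lockfile needs
        # no further changes; `-D deprecated` turns deprecation warnings from
        # the newer crates into errors.
        run: cargo test --locked --all-features --all-targets
        env:
          RUSTFLAGS: -D deprecated

  result:
    # `always()` is required here: without it GitHub applies an implicit
    # `success()` to `needs`, so a failing dependency *skips* this job instead
    # of failing it (the "Mark the job as unsuccessful" step was unreachable),
    # and a skipped required check is treated as passing by branch protection.
    # The owner guard stays AND-ed in so forks still skip it.
    if: ${{ always() && github.repository_owner == 'simonsan' }}
    name: Result (Audit)
    runs-on: ubuntu-latest
    needs:
      - audit
      - cargo-deny
      - nightly
      - update
    steps:
      - name: Mark the job as successful
        if: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
        run: exit 0
      - name: Mark the job as unsuccessful
        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
        run: exit 1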