-
Notifications
You must be signed in to change notification settings - Fork 226
72 lines (68 loc) · 2.89 KB
/
dependency-check.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
name: Dependency Check
on:
push:
branches: [ main ]
paths:
- '**Cargo.toml'
- '**Cargo.lock'
- '**requirements.txt'
- '**DEPENDENCIES.md'
- '**dependency-licenses.xml'
- '**dependency_summary.py'
pull_request:
branches: [ main ]
paths:
- '**Cargo.toml'
- '**Cargo.lock'
- '**requirements.txt'
- '**DEPENDENCIES.md'
- '**dependency-licenses.xml'
- '**dependency_summary.py'
schedule:
# Runs at 7:00 UTC every day
- cron: '0 7 * * *'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
check-dependencies:
# Run on macos to detect iOS dependencies
runs-on: macos-latest
strategy:
matrix:
python-version: [3.11]
steps:
- uses: actions/checkout@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
submodules: 'recursive'
- name: Setup Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Install Python dependencies
run: |
python -m pip install --upgrade pip
pip install --require-hashes -r ./taskcluster/requirements.txt
pip install --require-hashes -r ./tools/requirements.txt
- name: Install Rust
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source $HOME/.cargo/env
- name: Run Cargo Audit
run: |
# cargo-audit 0.20 is giving us trouble in CI - it's failing to build the package.
# not clear what's causing this, but we work around it by pinning to 0.19
cargo install cargo-audit@^0.19
# Explanation for ignored issues:
# * RUSTSEC-2018-0006: Uncontrolled recursion in `yaml-rust`, which is included by `clap` v2. `clap` itself already updated to a safe
# version of `yaml-rust`, which will be released in `v3` and additionally,
# reading https://github.com/rustsec/advisory-db/issues/288, this is a false
# positive for clap and based on our dependency tree, we only use `yaml-rust` in `clap`.
cargo audit --ignore RUSTSEC-2018-0006
- name: Check for any unrecorded changes in our dependency trees
run: |
cargo metadata --locked > /dev/null
python ./tools/dependency_summary.py --check ./DEPENDENCIES.md
python ./tools/dependency_summary.py --all-ios-targets --package megazord_ios --check megazords/ios-rust/DEPENDENCIES.md
python ./tools/dependency_summary.py --all-android-targets --package megazord --check megazords/full/DEPENDENCIES.md
python ./tools/dependency_summary.py --all-android-targets --package megazord --format pom --check megazords/full/android/dependency-licenses.xml