-
Notifications
You must be signed in to change notification settings - Fork 101
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* add deps scan workflow * Create codeql.yml * remove codeql * add upload feature * add output file * update ci jobs * update deps * minor ci tweaks * remove build test * combine ci jobs * require security scan * more ci concurrency * add SBOM to release flow
- Loading branch information
Showing
12 changed files
with
1,487 additions
and
835 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,122 @@ | ||
name: Scan & Test | ||
|
||
on: | ||
push: | ||
branches: | ||
- master | ||
pull_request: | ||
branches: | ||
- master | ||
|
||
env: | ||
CARGO_TERM_COLOR: always | ||
|
||
jobs: | ||
trivy: | ||
name: Dependency security scan | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v3 | ||
|
||
# Report all vulnerabilities in security tab | ||
- name: Report on all vulnerabilities | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
scan-type: 'fs' | ||
ignore-unfixed: true | ||
hide-progress: true | ||
format: 'sarif' | ||
output: 'trivy-results.sarif' | ||
|
||
# Fail the job on critical vulnerabiliies with fix available | ||
- name: Fail on critical vulnerabilities | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
scan-type: 'fs' | ||
ignore-unfixed: true | ||
hide-progress: true | ||
format: 'table' | ||
severity: 'CRITICAL' | ||
exit-code: '1' | ||
|
||
- name: Upload scan results | ||
uses: github/codeql-action/upload-sarif@v2 | ||
if: always() | ||
with: | ||
sarif_file: 'trivy-results.sarif' | ||
|
||
format: | ||
name: Format | ||
needs: ['trivy'] | ||
if: ${{ always() }} | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout sources | ||
uses: actions/checkout@v3 | ||
|
||
- name: Run cargo fmt | ||
run: cargo fmt --all -- --check | ||
|
||
clippy: | ||
name: Clippy | ||
needs: ['trivy'] | ||
if: ${{ always() }} | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout sources | ||
uses: actions/checkout@v3 | ||
|
||
- name: Cache binaries | ||
uses: actions/cache@v3 | ||
with: | ||
path: | | ||
~/.cargo/bin/ | ||
~/.cargo/registry/index/ | ||
~/.cargo/registry/cache/ | ||
~/.cargo/git/db/ | ||
target/ | ||
dex/target/ | ||
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | ||
|
||
- name: Run cargo clippy | ||
run: cargo clippy -- -D warnings | ||
|
||
test: | ||
name: Cargo test | ||
needs: ['trivy'] | ||
if: ${{ always() }} | ||
runs-on: ubuntu-latest | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
path: ['Cargo.toml', | ||
'dex/Cargo.toml'] | ||
env: | ||
PROGRAM_PATH: ${{ matrix.path }} | ||
steps: | ||
- name: Checkout sources | ||
uses: actions/checkout@v3 | ||
|
||
- name: Cache binaries | ||
uses: actions/cache@v3 | ||
with: | ||
path: | | ||
~/.cargo/bin/ | ||
~/.cargo/registry/index/ | ||
~/.cargo/registry/cache/ | ||
~/.cargo/git/db/ | ||
target/ | ||
dex/target/ | ||
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | ||
|
||
- name: Run tests | ||
run: | | ||
cargo test --manifest-path ${{ matrix.path }} --workspace | ||
pass: | ||
name: All tests pass | ||
needs: ['trivy', 'format', 'clippy', 'test'] | ||
runs-on: ubuntu-latest | ||
steps: | ||
- run: echo ok |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.