[pull] main from surrealdb:main #484
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Supply chain security | |
| run-name: "Supply chain security run '${{ github.head_ref || github.ref_name }}'" | |
| on: | |
| workflow_dispatch: | |
| push: | |
| paths: | |
| - Cargo.lock | |
| - Cargo.toml | |
| - crates/core/Cargo.toml | |
| - crates/sdk/Cargo.toml | |
| - build.rs | |
| - crates/sdk/build.rs | |
| - supply-chain/audits.toml | |
| - supply-chain/config.toml | |
| - supply-chain/imports.lock | |
| - cackle.toml | |
| - .github/workflows/supply-chain.yml | |
| branches: | |
| - main | |
| pull_request: | |
| paths: | |
| - Cargo.lock | |
| - Cargo.toml | |
| - crates/core/Cargo.toml | |
| - crates/sdk/Cargo.toml | |
| - build.rs | |
| - crates/sdk/build.rs | |
| - supply-chain/audits.toml | |
| - supply-chain/config.toml | |
| - supply-chain/imports.lock | |
| - cackle.toml | |
| - .github/workflows/supply-chain.yml | |
| merge_group: | |
| concurrency: | |
| # Use github.run_id on main branch | |
| # Use github.event.pull_request.number on pull requests, so it's unique per pull request | |
| # Use github.ref on other branches, so it's unique per branch | |
| group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.run_id || github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| cargo-deny: | |
| name: Check dependencies for known issues | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install stable toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt | |
| - name: Checkout sources | |
| uses: actions/checkout@v4 | |
| - name: Install cargo-deny | |
| run: cargo install --debug --locked [email protected] | |
| - name: Check dependencies for known issues | |
| run: cargo deny check | |
| - name: Dependency check failure | |
| if: failure() | |
| run: | | |
| echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY | |
| echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY | |
| cargo-vet: | |
| name: Check dependencies for untrusted sources | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install stable toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt | |
| - name: Checkout sources | |
| uses: actions/checkout@v4 | |
| - name: Install cargo-vet | |
| run: cargo install --debug --locked cargo-vet | |
| - name: Check dependencies for untrusted sources | |
| run: cargo vet check | |
| - name: Dependency check failure | |
| if: failure() | |
| run: | | |
| echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY | |
| echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY | |
| cargo-acl: | |
| name: Check dependencies for unauthorized access | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install stable toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt | |
| - name: Checkout sources | |
| uses: actions/checkout@v4 | |
| - name: Install cargo-acl | |
| run: | | |
| cargo install --debug --locked cargo-acl | |
| sudo apt-get install -y bubblewrap | |
| # See https://etbe.coker.com.au/2024/04/24/ubuntu-24-04-bubblewrap/ | |
| - name: Configure bubblewrap | |
| run: | | |
| cat << EOF > bwrap | |
| abi <abi/4.0>, | |
| include <tunables/global> | |
| profile bwrap /usr/bin/bwrap flags=(unconfined) { | |
| userns, | |
| # Site-specific additions and overrides. See local/README for details. | |
| include if exists <local/bwrap> | |
| } | |
| EOF | |
| sudo mv bwrap /etc/apparmor.d/ | |
| sudo systemctl reload apparmor | |
| - name: Check dependencies for unauthorized access | |
| env: | |
| RUSTFLAGS: "--cfg surrealdb_unstable" | |
| run: cargo acl -n | |
| - name: Dependency check failure | |
| if: failure() | |
| run: | | |
| echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY | |
| echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY |