pezkuwichain
c55a371edb
- build-linux-stable: disable forklift GCS cache (RUSTC_WRAPPER="") that panics without GCP credentials on VPS runners - prepare-bridges-zombienet-artifacts: fix bridges/testing path to pezbridges/testing (rebrand path was not updated in workflow) - build-rustdoc: use CARGO_TARGET_DIR instead of ./target for doc output path (docs generated at /cache/target/doc, not ./target/doc) - build-push-image-*: add workspace permission fix step before checkout to handle root-owned files left by Docker container jobs - All build jobs: increase timeout from 120 to 180 minutes for VPS - Add cargo-deny + cargo-audit security audit workflow (weekly + on PR) - Add deny.toml with license, advisory, and source checks
72 lines
2.1 KiB
YAML
72 lines
2.1 KiB
YAML
name: Security Audit
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
# Run weekly on Monday at 06:00 UTC
|
|
schedule:
|
|
- cron: "0 6 * * 1"
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
isdraft:
|
|
# Skip draft PRs but always run on schedule/push
|
|
if: github.event_name != 'pull_request' || !github.event.pull_request.draft
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- run: echo "Not a draft"
|
|
|
|
cargo-deny:
|
|
needs: isdraft
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
strategy:
|
|
matrix:
|
|
checks:
|
|
- advisories
|
|
- licenses
|
|
- sources
|
|
# Continue on advisory warnings so we see all results
|
|
continue-on-error: ${{ matrix.checks == 'advisories' }}
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
- uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15
|
|
with:
|
|
command: check ${{ matrix.checks }}
|
|
arguments: --workspace
|
|
|
|
cargo-audit:
|
|
needs: isdraft
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
- name: Install cargo-audit
|
|
run: cargo install cargo-audit --locked
|
|
- name: Run cargo audit
|
|
run: cargo audit --deny warnings 2>&1 || true
|
|
- name: Run cargo audit (deny vulnerabilities only)
|
|
run: cargo audit
|
|
|
|
confirm-security-audit-passed:
|
|
runs-on: ubuntu-latest
|
|
name: All security audits passed
|
|
needs: [cargo-deny, cargo-audit]
|
|
if: always() && !cancelled()
|
|
steps:
|
|
- run: |
|
|
tee resultfile <<< '${{ toJSON(needs) }}'
|
|
FAILURES=$(cat resultfile | grep '"result": "failure"' | wc -l)
|
|
if [ $FAILURES -gt 0 ]; then
|
|
echo "### At least one security audit failed" >> $GITHUB_STEP_SUMMARY
|
|
exit 1
|
|
else
|
|
echo '### All security audits passed' >> $GITHUB_STEP_SUMMARY
|
|
fi
|