pezkuwichain
f8c4bca688
- build-publish-images: replace silent sudo chown failure (2>/dev/null || true) with proper error handling and fallback cleanup for all 7 push jobs. Root cause: container build jobs create root-owned files, non-container push jobs on runner2 couldn't sudo chown without sudoers config. - tests-misc: add disk cleanup step to cargo-check-all-crate-macos job to free space before cargo check (remove Android SDK, old CLT SDKs, etc.) - security-audit: truncate cargo-audit output to 500 lines before writing to GITHUB_STEP_SUMMARY to avoid the 1MB size limit crash.
90 lines
3.1 KiB
YAML
90 lines
3.1 KiB
YAML
name: Security Audit
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
types: [opened, synchronize, reopened, ready_for_review]
|
|
# Run weekly on Monday at 06:00 UTC
|
|
schedule:
|
|
- cron: "0 6 * * 1"
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
isdraft:
|
|
# Skip draft PRs but always run on schedule/push
|
|
if: github.event_name != 'pull_request' || !github.event.pull_request.draft
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- run: echo "Not a draft"
|
|
|
|
cargo-deny:
|
|
needs: isdraft
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
# Informational: surfaces issues without blocking CI.
|
|
# Remove continue-on-error once all findings are addressed.
|
|
continue-on-error: true
|
|
strategy:
|
|
matrix:
|
|
checks:
|
|
- advisories
|
|
- licenses
|
|
- sources
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
- uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15
|
|
with:
|
|
command: check ${{ matrix.checks }}
|
|
|
|
cargo-audit:
|
|
needs: isdraft
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
# Informational: surfaces vulnerabilities without blocking CI.
|
|
# Remove continue-on-error once all advisories are resolved or ignored.
|
|
continue-on-error: true
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
- name: Install cargo-audit
|
|
run: cargo install cargo-audit --locked
|
|
- name: Run cargo audit
|
|
run: |
|
|
echo "## Cargo Audit Results" >> $GITHUB_STEP_SUMMARY
|
|
cargo audit 2>&1 | tee audit-output.txt
|
|
RESULT=${PIPESTATUS[0]}
|
|
if [ $RESULT -ne 0 ]; then
|
|
echo "### Vulnerabilities found" >> $GITHUB_STEP_SUMMARY
|
|
echo '```' >> $GITHUB_STEP_SUMMARY
|
|
# Truncate output to avoid GITHUB_STEP_SUMMARY 1MB limit
|
|
head -500 audit-output.txt >> $GITHUB_STEP_SUMMARY
|
|
if [ "$(wc -l < audit-output.txt)" -gt 500 ]; then
|
|
echo "... (truncated, see full output in job logs)" >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
echo '```' >> $GITHUB_STEP_SUMMARY
|
|
exit $RESULT
|
|
else
|
|
echo "### No vulnerabilities found" >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
|
|
confirm-security-audit-passed:
|
|
runs-on: ubuntu-latest
|
|
name: Security audit summary
|
|
needs: [cargo-deny, cargo-audit]
|
|
if: always() && !cancelled()
|
|
steps:
|
|
- run: |
|
|
tee resultfile <<< '${{ toJSON(needs) }}'
|
|
FAILURES=$(cat resultfile | grep '"result": "failure"' | wc -l)
|
|
if [ $FAILURES -gt 0 ]; then
|
|
echo "### Security audit found issues - review needed" >> $GITHUB_STEP_SUMMARY
|
|
echo "Note: Security audit is currently informational (continue-on-error)." >> $GITHUB_STEP_SUMMARY
|
|
echo "Review the cargo-deny and cargo-audit job outputs for details." >> $GITHUB_STEP_SUMMARY
|
|
else
|
|
echo '### All security audits passed' >> $GITHUB_STEP_SUMMARY
|
|
fi
|