Security audit #714
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security audit | |
on: | |
schedule: | |
- cron: '0 0 * * *' | |
push: | |
paths: | |
- '**/Cargo.toml' | |
- '**/Cargo.lock' | |
jobs: | |
security_audit: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: Swatinem/rust-cache@v1 | |
with: | |
sharedKey: jira_cli-check-security-audit | |
cache-on-failure: true | |
- uses: actions/checkout@v1 | |
- uses: actions-rs/audit-check@v1 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install stable toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
profile: minimal | |
toolchain: stable | |
override: true | |
- name: Install nightly toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
profile: minimal | |
toolchain: nightly | |
override: false | |
- name: Update Rustup (temporary workaround) | |
run: | | |
rm /home/runner/.cargo/bin/cargo-fmt | |
rm /home/runner/.cargo/bin/rustfmt | |
rustup self update | |
rustup update --no-self-update | |
curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash | |
cargo binstall -y --force cargo-quickinstall | |
- name: Deny check | |
run: | | |
cargo binstall -y --force cargo-deny | |
cargo deny --format json check bans licenses sources advisories > $HOME/deny.json || exit 0 | |
- name: Audit check | |
run: | | |
cargo binstall -y --force cargo-audit | |
cargo audit --json > $HOME/audit.json || exit 0 | |
- name: Check a local package and all of its dependencies for errors | |
uses: actions-rs/cargo@v1 | |
with: | |
command: check | |
args: --all | |
- name: Lint check | |
uses: actions-rs/cargo@v1 | |
with: | |
command: fmt | |
args: --all --check | |
- name: Outdated check | |
run: | | |
cargo binstall -y --force cargo-outdated | |
cargo outdated --depth 1 --format json > $HOME/outdated.json | |
- name: Udeps check | |
run: | | |
cargo binstall -y --force cargo-udeps | |
cargo +nightly udeps --quiet --workspace --all-features --all-targets --output json > $HOME/udeps.json || exit 0 | |
- name: Clippy check | |
run: | | |
rustup component add clippy | |
cargo clippy --all-features --all-targets --message-format=json -- -Dclippy::all -Dclippy::nursery -Dclippy::pedantic > $HOME/clippy.json || exit 0 | |
- name: Sonar converter | |
run: | | |
cargo binstall -y --force cargo-sonar | |
cargo sonar --audit --audit-path $HOME/audit.json --clippy --clippy-path $HOME/clippy.json --deny --deny-path $HOME/deny.json --outdated --outdated-path $HOME/outdated.json --udeps --udeps-path $HOME/udeps.json --sonar-path $HOME/sonar.json | |
- uses: actions/setup-java@v3 | |
with: | |
distribution: 'temurin' # See 'Supported distributions' for available options | |
java-version: '17' | |
- name: Setup sonarqube | |
uses: warchant/setup-sonar-scanner@v7 | |
- name: Run sonarqube | |
run: sonar-scanner -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }} -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} -Dsonar.sources=$GITHUB_WORKSPACE -Dsonar.host.url=${{ secrets.SONAR_URL }} -Dsonar.login=${{ secrets.SONAR_TOKEN }} -Dsonar.externalIssuesReportPaths=$HOME/sonar.json | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |