Security audit #482
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security audit | |
on: | |
schedule: | |
- cron: '0 0 * * *' | |
jobs: | |
security_audit: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: Swatinem/rust-cache@v1 | |
with: | |
sharedKey: jira_cli-check-security-audit | |
cache-on-failure: true | |
- uses: actions/checkout@v1 | |
- uses: actions-rs/audit-check@v1 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install stable toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
profile: minimal | |
toolchain: stable | |
override: true | |
- name: Install nightly toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
profile: minimal | |
toolchain: nightly | |
override: false | |
- name: Update Rustup (temporary workaround) | |
run: | | |
rm /home/runner/.cargo/bin/cargo-fmt | |
rm /home/runner/.cargo/bin/rustfmt | |
rustup self update | |
rustup update --no-self-update | |
curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash | |
cargo binstall -y cargo-quickinstall | |
- name: Audit check | |
run: | | |
cargo binstall -y cargo-audit | |
cargo audit --json > $HOME/audit.json || exit 0 | |
- name: Check a local package and all of its dependencies for errors | |
uses: actions-rs/cargo@v1 | |
with: | |
command: check | |
args: --all | |
- name: Lint check | |
uses: actions-rs/cargo@v1 | |
with: | |
command: fmt | |
args: --all --check | |
- name: Outdated check | |
run: | | |
cargo binstall -y cargo-outdated | |
cargo outdated --depth 1 --format json > $HOME/outdated.json | |
- name: Udeps check | |
run: | | |
cargo binstall -y cargo-udeps | |
cargo +nightly udeps --quiet --workspace --all-features --all-targets --output json > $HOME/udeps.json || exit 0 | |
- name: Clippy check | |
run: | | |
rustup component add clippy | |
cargo clippy --all-features --all-targets --message-format=json -- -Dclippy::all -Dclippy::nursery -Dclippy::pedantic > $HOME/clippy.json || exit 0 | |
- name: Sonar converter | |
run: | | |
cargo binstall -y cargo-sonar | |
cargo sonar --issues audit,clippy,outdated,udeps --audit-path $HOME/audit.json --clippy-path $HOME/clippy.json --outdated-path $HOME/outdated.json --udeps-path $HOME/udeps.json --issues-path $HOME/sonar.json | |
- name: Setup sonarqube | |
uses: warchant/setup-sonar-scanner@v3 | |
- name: Run sonarqube | |
run: sonar-scanner -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }} -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} -Dsonar.sources=$GITHUB_WORKSPACE -Dsonar.host.url=${{ secrets.SONAR_URL }} -Dsonar.login=${{ secrets.SONAR_TOKEN }} -Dsonar.externalIssuesReportPaths=$HOME/sonar.json | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |