Security audit #487
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security audit | |
on: | |
schedule: | |
- cron: '0 0 * * *' | |
jobs: | |
security_audit: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: Swatinem/rust-cache@v1 | |
with: | |
sharedKey: jira_cli-check-security-audit | |
cache-on-failure: true | |
- uses: actions/checkout@v1 | |
- uses: actions-rs/audit-check@v1 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install stable toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
profile: minimal | |
toolchain: stable | |
override: true | |
- name: Install nightly toolchain | |
uses: actions-rs/toolchain@v1 | |
with: | |
profile: minimal | |
toolchain: nightly | |
override: false | |
- name: Update Rustup (temporary workaround) | |
run: | | |
rm /home/runner/.cargo/bin/cargo-fmt | |
rm /home/runner/.cargo/bin/rustfmt | |
rustup self update | |
rustup update --no-self-update | |
curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash | |
cargo binstall -y --force cargo-quickinstall | |
- name: Audit check | |
run: | | |
cargo binstall -y --force cargo-audit | |
cargo audit --json > $HOME/audit.json || exit 0 | |
- name: Check a local package and all of its dependencies for errors | |
uses: actions-rs/cargo@v1 | |
with: | |
command: check | |
args: --all | |
- name: Lint check | |
uses: actions-rs/cargo@v1 | |
with: | |
command: fmt | |
args: --all --check | |
- name: Outdated check | |
run: | | |
cargo binstall -y --force cargo-outdated | |
cargo outdated --depth 1 --format json > $HOME/outdated.json | |
- name: Udeps check | |
run: | | |
cargo binstall -y --force cargo-udeps | |
cargo +nightly udeps --quiet --workspace --all-features --all-targets --output json > $HOME/udeps.json || exit 0 | |
- name: Clippy check | |
run: | | |
rustup component add clippy | |
cargo clippy --all-features --all-targets --message-format=json -- -Dclippy::all -Dclippy::nursery -Dclippy::pedantic > $HOME/clippy.json || exit 0 | |
- name: Sonar converter | |
run: | | |
cargo binstall -y --force cargo-sonar | |
cargo sonar --issues audit,clippy,outdated,udeps --audit-path $HOME/audit.json --clippy-path $HOME/clippy.json --outdated-path $HOME/outdated.json --udeps-path $HOME/udeps.json --issues-path $HOME/sonar.json | |
- name: Setup sonarqube | |
uses: warchant/setup-sonar-scanner@v3 | |
- name: Run sonarqube | |
run: sonar-scanner -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }} -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }} -Dsonar.sources=$GITHUB_WORKSPACE -Dsonar.host.url=${{ secrets.SONAR_URL }} -Dsonar.login=${{ secrets.SONAR_TOKEN }} -Dsonar.externalIssuesReportPaths=$HOME/sonar.json | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |