security_audit_cron.yml
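# Scheduled dependency and code-quality audit.
# Each tool writes a JSON report under $HOME; cargo-sonar merges the reports
# into one issues file and sonar-scanner uploads it as external issues.
#
# Supply-chain note: every `uses:` below references a mutable tag. Pin each
# action to a reviewed full commit SHA, for example
# `uses: owner/action@<FULL_COMMIT_SHA>  # v1`, so that a retagged or
# compromised upstream cannot change what runs with this job's secrets.
# NOTE(review): the actions-rs/* actions appear to be unmaintained upstream.
# Confirm, and plan a replacement if so.
name: Security audit
on:
  schedule:
    - cron: '0 0 * * *'

# Least privilege for GITHUB_TOKEN instead of the repository default.
# NOTE(review): audit-check is assumed to need issues/checks write access to
# report advisories. Confirm against its documentation and trim if possible.
permissions:
  contents: read
  issues: write
  checks: write

jobs:
  security_audit:
    runs-on: ubuntu-latest
    steps:
      # Checkout runs first so that rust-cache can hash the manifests and
      # lockfile for its cache key.
      # NOTE(review): rust-cache may also key on the active rustc version. If
      # so, consider moving it after the toolchain installs.
      - uses: actions/checkout@v1
      - uses: Swatinem/rust-cache@v1
        with:
          sharedKey: jira_cli-check-security-audit
          cache-on-failure: true
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install stable toolchain
        uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: stable
          override: true
      - name: Install nightly toolchain
        uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: nightly
          override: false
      - name: Update Rustup (temporary workaround)
        run: |
          # -f: do not fail the step when the binaries are already absent.
          rm -f /home/runner/.cargo/bin/cargo-fmt
          rm -f /home/runner/.cargo/bin/rustfmt
          rustup self update
          rustup update --no-self-update
          # Download the installer completely before running it, so that a
          # failed or truncated transfer is never executed.
          # The script still comes from the moving `main` branch. Pin the URL
          # to a reviewed ref and verify it, for example:
          #   echo "<EXPECTED_SHA256>  $installer" | sha256sum -c -
          installer="$(mktemp)"
          curl -L --proto '=https' --tlsv1.2 -sSf -o "$installer" \
            https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh
          bash "$installer"
          rm -f "$installer"
          # The `cargo binstall` calls in this job fetch the latest prebuilt
          # binary of each tool. Pin versions (`<crate>@<VERSION>`) for
          # reproducible, reviewable runs.
          cargo binstall -y --force cargo-quickinstall
      # In the report steps below, `|| exit 0` keeps the job going when a tool
      # exits non-zero (presumably because it found issues). It also hides a
      # tool that crashed, in which case the report may be empty or partial
      # and its findings will be missing from the upload.
      - name: Deny check
        run: |
          cargo binstall -y --force cargo-deny
          cargo deny --format json check bans licenses sources advisories \
            > "$HOME/deny.json" || exit 0
      - name: Audit check
        run: |
          cargo binstall -y --force cargo-audit
          cargo audit --json > "$HOME/audit.json" || exit 0
      - name: Check a local package and all of its dependencies for errors
        uses: actions-rs/cargo@v1
        with:
          command: check
          args: --all
      - name: Lint check
        uses: actions-rs/cargo@v1
        with:
          command: fmt
          args: --all --check
      - name: Outdated check
        run: |
          cargo binstall -y --force cargo-outdated
          cargo outdated --depth 1 --format json > "$HOME/outdated.json"
      - name: Udeps check
        run: |
          cargo binstall -y --force cargo-udeps
          cargo +nightly udeps --quiet --workspace --all-features --all-targets \
            --output json > "$HOME/udeps.json" || exit 0
      - name: Clippy check
        run: |
          rustup component add clippy
          cargo clippy --all-features --all-targets --message-format=json -- \
            -Dclippy::all -Dclippy::nursery -Dclippy::pedantic \
            > "$HOME/clippy.json" || exit 0
      - name: Sonar converter
        run: |
          cargo binstall -y --force cargo-sonar
          cargo sonar --issues audit,clippy,deny,outdated,udeps \
            --audit-path "$HOME/audit.json" \
            --clippy-path "$HOME/clippy.json" \
            --deny-path "$HOME/deny.json" \
            --outdated-path "$HOME/outdated.json" \
            --udeps-path "$HOME/udeps.json" \
            --issues-path "$HOME/sonar.json"
      - name: Setup sonarqube
        uses: warchant/setup-sonar-scanner@v3
      - name: Run sonarqube
        # Secrets are passed through the environment and expanded by the
        # shell, not templated into the script text. A secret value that
        # contains shell metacharacters therefore cannot alter the command.
        # The token still reaches sonar-scanner as a command-line argument.
        # NOTE(review): if the installed scanner version can read the token
        # from the environment, drop -Dsonar.login.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
          SONAR_PROJECT_KEY: ${{ secrets.SONAR_PROJECT_KEY }}
          SONAR_URL: ${{ secrets.SONAR_URL }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          sonar-scanner \
            -Dsonar.organization="$SONAR_ORGANIZATION" \
            -Dsonar.projectKey="$SONAR_PROJECT_KEY" \
            -Dsonar.sources="$GITHUB_WORKSPACE" \
            -Dsonar.host.url="$SONAR_URL" \
            -Dsonar.login="$SONAR_TOKEN" \
            -Dsonar.externalIssuesReportPaths="$HOME/sonar.json"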