2024-07-29 15:39:38 +00:00
name : Supply chain security
2024-07-11 20:54:38 +00:00
run-name : "Supply chain security run '${{ github.head_ref || github.ref_name }}'"
on :
workflow_dispatch :
push :
paths :
- Cargo.lock
- Cargo.toml
- core/Cargo.toml
- lib/Cargo.toml
2024-08-12 18:15:18 +00:00
- build.rs
- lib/build.rs
2024-07-11 20:54:38 +00:00
- supply-chain/audits.toml
- supply-chain/config.toml
- supply-chain/imports.lock
- cackle.toml
- .github/workflows/supply-chain.yml
branches :
- main
pull_request :
paths :
- Cargo.lock
- Cargo.toml
- core/Cargo.toml
- lib/Cargo.toml
2024-08-12 18:15:18 +00:00
- build.rs
- lib/build.rs
2024-07-11 20:54:38 +00:00
- supply-chain/audits.toml
- supply-chain/config.toml
- supply-chain/imports.lock
- cackle.toml
- .github/workflows/supply-chain.yml
merge_group :
defaults :
run :
shell : bash
jobs :
cargo-deny :
name : Check dependencies for known issues
runs-on : ubuntu-latest
steps :
- name : Install stable toolchain
uses : dtolnay/rust-toolchain@stable
with :
toolchain : stable
components : rustfmt
- name : Checkout sources
uses : actions/checkout@v4
- name : Install cargo-deny
2024-07-29 15:39:38 +00:00
run : cargo install --debug --locked cargo-deny@0.15.1
2024-07-11 20:54:38 +00:00
- name : Check dependencies for known issues
run : cargo deny check
- name : Dependency check failure
if : failure()
run : |
echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY
echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY
cargo-vet :
2024-07-29 15:39:38 +00:00
name : Check dependencies for untrusted sources
2024-07-11 20:54:38 +00:00
runs-on : ubuntu-latest
steps :
- name : Install stable toolchain
uses : dtolnay/rust-toolchain@stable
with :
toolchain : stable
components : rustfmt
- name : Checkout sources
uses : actions/checkout@v4
- name : Install cargo-vet
run : cargo install --debug --locked cargo-vet
- name : Check dependencies for untrusted sources
run : cargo vet
- name : Dependency check failure
if : failure()
run : |
echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY
echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY
cargo-acl :
name : Check dependencies for unauthorized access
runs-on : ubuntu-latest
steps :
- name : Install stable toolchain
uses : dtolnay/rust-toolchain@stable
with :
toolchain : stable
components : rustfmt
- name : Checkout sources
uses : actions/checkout@v4
- name : Install cargo-acl
run : |
cargo install --debug --locked cargo-acl
sudo apt-get install -y bubblewrap
- name : Check dependencies for unauthorized access
env :
RUSTFLAGS : "--cfg surrealdb_unstable"
run : cargo acl -n
- name : Dependency check failure
if : failure()
run : |
echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY
echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY