Separate supply chain actions on its own workflow (#4349)
parent
a7c4fa5d14
commit
7d0e45be00
2 changed files with 113 additions and 41 deletions
41
.github/workflows/ci.yml
|
@ -66,47 +66,6 @@ jobs:
|
|||
- name: Check workspace
|
||||
run: cargo make ci-check
|
||||
|
||||
check-dependencies:
|
||||
name: Check dependencies
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Install stable toolchain
|
||||
uses: dtolnay/rust-toolchain@stable
|
||||
with:
|
||||
toolchain: stable
|
||||
components: rustfmt
|
||||
|
||||
- name: Checkout sources
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install cargo-deny
|
||||
run: cargo install --debug --locked cargo-deny@0.14.11
|
||||
|
||||
- name: Install cargo-vet
|
||||
run: cargo install --debug --locked cargo-vet
|
||||
|
||||
- name: Install cargo-acl
|
||||
run: |
|
||||
cargo install --debug --locked cargo-acl
|
||||
sudo apt-get install -y bubblewrap
|
||||
|
||||
- name: Check dependencies for known issues
|
||||
run: cargo deny check
|
||||
|
||||
- name: Check dependencies for untrusted sources
|
||||
run: cargo vet
|
||||
|
||||
- name: Check dependencies for unauthorized access
|
||||
env:
|
||||
RUSTFLAGS: "--cfg surrealdb_unstable"
|
||||
run: cargo acl -n
|
||||
|
||||
- name: Dependency check failure
|
||||
if: failure()
|
||||
run: |
|
||||
echo "## :warning: Dependency check failed" >> $GITHUB_STEP_SUMMARY
|
||||
echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY
|
||||
|
||||
check-fuzzing:
|
||||
name: Check fuzzing
|
||||
runs-on: ubuntu-latest
|
||||
|
|
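--- /dev/null
+++ b/.github/workflows/supply-chain.yml
@@ -0,0 +1,113 @@
+name: Supply chain security
+
+run-name: "Supply chain security run '${{ github.head_ref || github.ref_name }}'"
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - Cargo.lock
+      - Cargo.toml
+      - core/Cargo.toml
+      - lib/Cargo.toml
+      - supply-chain/audits.toml
+      - supply-chain/config.toml
+      - supply-chain/imports.lock
+      - cackle.toml
+      - .github/workflows/supply-chain.yml
+    branches:
+      - main
+  pull_request:
+    paths:
+      - Cargo.lock
+      - Cargo.toml
+      - core/Cargo.toml
+      - lib/Cargo.toml
+      - supply-chain/audits.toml
+      - supply-chain/config.toml
+      - supply-chain/imports.lock
+      - cackle.toml
+      - .github/workflows/supply-chain.yml
+  merge_group:
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  cargo-deny:
+    name: Check dependencies for known issues
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+          components: rustfmt
+
+      - name: Checkout sources
+        uses: actions/checkout@v4
+
+      - name: Install cargo-deny
+        run: cargo install --debug --locked cargo-deny@0.14.11
+
+      - name: Check dependencies for known issues
+        run: cargo deny check
+
+      - name: Dependency check failure
+        if: failure()
+        run: |
+          echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY
+          echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY
+  cargo-vet:
+    name: Check dependencies for untrusted sources
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+          components: rustfmt
+
+      - name: Checkout sources
+        uses: actions/checkout@v4
+
+      - name: Install cargo-vet
+        run: cargo install --debug --locked cargo-vet
+
+      - name: Check dependencies for untrusted sources
+        run: cargo vet
+
+      - name: Dependency check failure
+        if: failure()
+        run: |
+          echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY
+          echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY
+  cargo-acl:
+    name: Check dependencies for unauthorized access
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+          components: rustfmt
+
+      - name: Checkout sources
+        uses: actions/checkout@v4
+
+      - name: Install cargo-acl
+        run: |
+          cargo install --debug --locked cargo-acl
+          sudo apt-get install -y bubblewrap
+
+      - name: Check dependencies for unauthorized access
+        env:
+          RUSTFLAGS: "--cfg surrealdb_unstable"
+        run: cargo acl -n
+
+      - name: Dependency check failure
+        if: failure()
+        run: |
+          echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY
+          echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY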
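Review bot: The new workflow declares no `permissions:` block, so every job runs with the repository's default GITHUB_TOKEN scope, and only one of the three tools it installs is version-pinned — `cargo-deny@0.14.11` in the cargo-deny job, while the cargo-vet and cargo-acl jobs run `cargo install --debug --locked cargo-vet` / `cargo-acl` and will pick up whatever crates.io serves at run time. For a workflow whose purpose is supply-chain auditing, a top-level `permissions:` / `  contents: read` is the expected least-privilege default, and the two unpinned installs should be brought in line with the cargo-deny step (`cargo-vet@<pinned-version>`, `cargo-acl@<pinned-version>`), ideally recording the chosen versions in supply-chain/README.md. The same consideration applies to the action references `dtolnay/rust-toolchain@stable` and `actions/checkout@v4`, which are mutable tags; if the repository's policy is SHA pinning these should use full commit SHAs with the tag in a trailing comment. Separately, the toolchain/checkout/failure-summary steps are repeated verbatim across all three jobs; a comment such as `# Each job is self-contained so a failure in one audit does not mask the others` would explain that the duplication is intentional.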