name: Supply chain security

run-name: "Supply chain security run '${{ github.head_ref || github.ref_name }}'"

on:
  workflow_dispatch:
  push:
    paths:
      - Cargo.lock
      - Cargo.toml
      - core/Cargo.toml
      - sdk/Cargo.toml
      - build.rs
      - sdk/build.rs
      - supply-chain/audits.toml
      - supply-chain/config.toml
      - supply-chain/imports.lock
      - cackle.toml
      - .github/workflows/supply-chain.yml
    branches:
      - main
  pull_request:
    paths:
      - Cargo.lock
      - Cargo.toml
      - core/Cargo.toml
      - sdk/Cargo.toml
      - build.rs
      - sdk/build.rs
      - supply-chain/audits.toml
      - supply-chain/config.toml
      - supply-chain/imports.lock
      - cackle.toml
      - .github/workflows/supply-chain.yml
  merge_group:

concurrency:
  # Use github.run_id on main branch
  # Use github.event.pull_request.number on pull requests, so it's unique per pull request
  # Use github.ref on other branches, so it's unique per branch
  group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.run_id || github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash

jobs:
  cargo-deny:
    name: Check dependencies for known issues
    runs-on: ubuntu-latest
    steps:
      - name: Install stable toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt

      - name: Checkout sources
        uses: actions/checkout@v4

      - name: Install cargo-deny
        run: cargo install --debug --locked cargo-deny@0.15.1

      - name: Check dependencies for known issues
        run: cargo deny check

      - name: Dependency check failure
        if: failure()
        run: |
          echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY
          echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY
  cargo-vet:
    name: Check dependencies for untrusted sources
    runs-on: ubuntu-latest
    steps:
      - name: Install stable toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt

      - name: Checkout sources
        uses: actions/checkout@v4

      - name: Install cargo-vet
        run: cargo install --debug --locked cargo-vet

      - name: Check dependencies for untrusted sources
        run: cargo vet

      - name: Dependency check failure
        if: failure()
        run: |
          echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY
          echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY
  cargo-acl:
    name: Check dependencies for unauthorized access
    runs-on: ubuntu-latest
    steps:
      - name: Install stable toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt

      - name: Checkout sources
        uses: actions/checkout@v4

      - name: Install cargo-acl
        run: |
          cargo install --debug --locked cargo-acl
          sudo apt-get install -y bubblewrap

      - name: Check dependencies for unauthorized access
        env:
          RUSTFLAGS: "--cfg surrealdb_unstable"
        run: cargo acl -n

      - name: Dependency check failure
        if: failure()
        run: |
          echo "## :warning: Supply chain security check failed" >> $GITHUB_STEP_SUMMARY
          echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY