| name: Security audit | |
| on: | |
| push: | |
| paths: | |
| - '**/Cargo.toml' | |
| - '**/Cargo.lock' | |
| jobs: | |
| security_audit: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v1 | |
| - uses: actions-rs/audit-check@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} |
| name: Rust | |
| on: [push, pull_request] | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: actions-rs/toolchain@v1 | |
| with: | |
| profile: minimal | |
| toolchain: stable | |
| override: true | |
| - uses: actions-rs/cargo@v1 | |
| with: | |
| command: test | |
| fmt: | |
| name: Rustfmt | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: actions-rs/toolchain@v1 | |
| with: | |
| toolchain: stable | |
| override: true | |
| components: rustfmt | |
| - uses: actions-rs/cargo@v1 | |
| with: | |
| command: fmt | |
| args: --all -- --check | |
| clippy: | |
| name: Clippy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: actions-rs/toolchain@v1 | |
| with: | |
| toolchain: stable | |
| override: true | |
| components: clippy | |
| - uses: actions-rs/clippy-check@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| args: -- -D warnings | |
| coverage: | |
| name: Code coverage | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v2 | |
| - name: Install stable toolchain | |
| uses: actions-rs/toolchain@v1 | |
| with: | |
| toolchain: stable | |
| override: true | |
| - name: Run cargo-tarpaulin | |
| uses: actions-rs/tarpaulin@v0.1 | |
| with: | |
| args: '--ignore-tests' |
| name: Security audit | |
| on: | |
| schedule: | |
| - cron: '0 0 * * *' | |
| jobs: | |
| audit: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v1 | |
| - uses: actions-rs/audit-check@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} |
This is mine, can you review please -> https://gist.github.com/steelx/3d863ceff5ebe0a147b632ff93069991
Deployment is out of scope for this pipeline.
Any reason not to use:
- uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
override: true
components: rustfmt
``` vs the separate call to install rustfmt?
Not really! I'll amend it in the next release
Instead of running clippy manually, you can use actions-rs/clippy-check, it can annotate the commit or pull request like this:
The job would look something like this:
jobs:
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
components: clippy
override: true
- uses: actions-rs/clippy-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
Updated both, thank you!
Two audit configs can be easily combined:
name: Security audit
on:
push:
paths:
- '**/Cargo.toml'
- '**/Cargo.lock'
schedule:
- cron: '0 0 * * *'
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- uses: actions-rs/audit-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
Coming across this error, verified that the secrets are referenced correctly. Only clippy is failing consistently.
@mattjperez Which token are you using? GitHub Actions will create secrets.GITHUB_TOKEN for you at the start of each run (and expire it at the end), it should work fine for all of the actions here.
@00-matt Works now, thanks for that. I didn't know about GITHUB_TOKEN being generated on each run. I had made a secret directly with repo permissions and was using that at the time of this error.
It looks as if https://github.com/actions-rs/audit-check/pulls has a lot of automated security pull requests from GitHub, dating back to september 10th 2020
It looks as if https://github.com/actions-rs/audit-check/pulls has a lot of automated security pull requests from GitHub, dating back to september 10th 2020 eyeseyes... I wonder if the packages are still maintained?
https://github.com/EmbarkStudios/cargo-deny-action looks pretty good. It uses cargo deny rather than cargo audit, of course.
I took a Clippy error that said "Resource not accessible by integration". If you get this error, you need to change "Workflow permissions" into "Read and write permissions" instead of "Read repository contents permission". It's in the "Actions" section under the repository settings.
Terrific job @LukeMathWalker . Does anybody know how to generate code coverage badge for README.md based on the tarpaulin's job?
Thanks for including this in your book
What about including udeps(allows to find unused dependenscies), it can be useful in some cases?
It looks as if https://github.com/actions-rs/audit-check/pulls has a lot of automated security pull requests from GitHub, dating back to september 10th 2020 eyeseyes... I wonder if the packages are still maintained?
https://github.com/EmbarkStudios/cargo-deny-action looks pretty good. It uses cargo deny rather than cargo audit, of course.
This is true for everything in actions-rs as far as I can tell! This seems ... bad
can you also add build step with GCP