Skip to content

Instantly share code, notes, and snippets.

@LukeMathWalker

LukeMathWalker/audit-on-push.yml

Last active Jul 2, 2022
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
GitHub Actions - Rust setup
Raw
audit-on-push.yml
name: Security audit
on:
push:
paths:
- '**/Cargo.toml'
- '**/Cargo.lock'
jobs:
security_audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- uses: actions-rs/audit-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
Raw
general.yml
name: Rust
on: [push, pull_request]
env:
CARGO_TERM_COLOR: always
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: stable
override: true
- uses: actions-rs/cargo@v1
with:
command: test
fmt:
name: Rustfmt
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
components: rustfmt
- uses: actions-rs/cargo@v1
with:
command: fmt
args: --all -- --check
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
components: clippy
- uses: actions-rs/clippy-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
args: -- -D warnings
coverage:
name: Code coverage
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Install stable toolchain
uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
- name: Run cargo-tarpaulin
uses: actions-rs/tarpaulin@v0.1
with:
args: '--ignore-tests'
Raw
scheduled-audit.yml
name: Security audit
on:
schedule:
- cron: '0 0 * * *'
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- uses: actions-rs/audit-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
@steelx
Copy link

steelx commented Sep 25, 2020

can you also add build step with GCP

@steelx
Copy link

steelx commented Sep 25, 2020

This is mine, can you review please -> https://gist.github.com/steelx/3d863ceff5ebe0a147b632ff93069991

@LukeMathWalker
Copy link
Author

LukeMathWalker commented Sep 25, 2020

Deployment is out of scope for this pipeline.

@cardoe
Copy link

cardoe commented Jan 9, 2021

Any reason not to use:

      - uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: stable
          override: true
          components: rustfmt
``` vs the separate call to install rustfmt?

@LukeMathWalker
Copy link
Author

LukeMathWalker commented Jan 10, 2021

Not really! I'll amend it in the next release 😁

@00-matt
Copy link

00-matt commented Jan 22, 2021

Instead of running clippy manually, you can use actions-rs/clippy-check, it can annotate the commit or pull request like this:

Screenshot of clippy-check

The job would look something like this:

jobs:
  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions-rs/toolchain@v1
        with:
            toolchain: stable
            components: clippy
            override: true
      - uses: actions-rs/clippy-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

@LukeMathWalker
Copy link
Author

LukeMathWalker commented Jan 23, 2021

Updated both, thank you!

@kumekay
Copy link

kumekay commented Mar 6, 2021

Two audit configs can be easily combined:

name: Security audit
on:
  push:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
  schedule:
    - cron: '0 0 * * *'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

@mattjperez
Copy link

mattjperez commented Mar 28, 2021

Coming across this error, verified that the secrets are referenced correctly. Only clippy is failing consistently.

image

@00-matt
Copy link

00-matt commented Mar 29, 2021

@mattjperez Which token are you using? GitHub Actions will create secrets.GITHUB_TOKEN for you at the start of each run (and expire it at the end), it should work fine for all of the actions here.

@mattjperez
Copy link

mattjperez commented Mar 29, 2021
edited

@00-matt Works now, thanks for that. I didn't know about GITHUB_TOKEN being generated on each run. I had made a secret directly with repo permissions and was using that at the time of this error.

@skovmand
Copy link

skovmand commented May 9, 2021

It looks as if https://github.com/actions-rs/audit-check/pulls has a lot of automated security pull requests from GitHub, dating back to september 10th 2020 👀👀... I wonder if the packages are still maintained?

@dhl
Copy link

dhl commented Apr 9, 2022

It looks as if https://github.com/actions-rs/audit-check/pulls has a lot of automated security pull requests from GitHub, dating back to september 10th 2020 eyeseyes... I wonder if the packages are still maintained?

https://github.com/EmbarkStudios/cargo-deny-action looks pretty good. It uses cargo deny rather than cargo audit, of course.

@merdemkoc
Copy link

merdemkoc commented May 1, 2022
edited

I took a Clippy error that said "Resource not accessible by integration". If you get this error, you need to change "Workflow permissions" into "Read and write permissions" instead of "Read repository contents permission". It's in the "Actions" section under the repository settings.

@mihsamusev
Copy link

mihsamusev commented May 13, 2022

Terrific job @LukeMathWalker . Does anybody know how to generate code coverage badge for README.md based on the tarpaulin's job?

@epipheus
Copy link

epipheus commented May 17, 2022

Thanks for including this in your book

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment