Security audit #6830
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security audit | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - release-* | |
| tags: | |
| # YYYYMMDD | |
| - "20[0-9][0-9][0-1][0-9][0-3][0-9]*" | |
| pull_request: | |
| # For PRs we only want to fail if dependencies were changed. | |
| paths: | |
| - "**/Cargo.toml" | |
| - "**/Cargo.lock" | |
| workflow_dispatch: | |
| # Run the audit job once a day on main. | |
| schedule: | |
| - cron: "0 0 * * *" | |
| env: | |
| CARGO_INCREMENTAL: "0" | |
| jobs: | |
| security_audit: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: rustsec/audit-check@v2 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| audit_fix: | |
| needs: security_audit | |
| runs-on: ubuntu-latest | |
| # Run audit fix only if `cargo audit` failed and if we're not building a | |
| # tag. For a tag it's unclear what branch to target with the PR. | |
| if: ( failure() && github.ref_type != 'tag' ) || github.event_name == 'workflow_dispatch' | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| if: github.event_name != 'pull_request' | |
| - uses: actions/checkout@v4 | |
| if: github.event_name == 'pull_request' | |
| with: | |
| # By default github will checkout a ref of the HEAD merged into the | |
| # base branch but we would like to make a PR with the fix to the base | |
| # branch directly to fix cargo audit in the base branch. | |
| ref: ${{ github.base_ref }} | |
| - name: install cargo audit fix | |
| run: cargo install cargo-audit --locked --features=fix | |
| - name: Run cargo audit fix | |
| run: cargo audit fix | |
| - name: Create Pull Request | |
| id: create-pull-request | |
| uses: peter-evans/create-pull-request@v7 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| branch: bot/cargo-audit | |
| title: "[Bot] Audit fixes" | |
| commit-message: Cargo audit fixes | |
| body: > | |
| Updates to Cargo.toml and/or Cargo.lock with security fixes. | |
| - name: Comment about audit fix PR on original PR | |
| if: github.event_name == 'pull_request' && steps.create-pull-request.outputs.pull-request-number | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{secrets.GITHUB_TOKEN}} | |
| script: | | |
| const issue_number = context.issue.number; | |
| const owner = context.repo.owner; | |
| const repo = context.repo.repo; | |
| const commentTitle = "Created new PR to fix cargo audit" | |
| const commentBody = `${commentTitle}. | |
| PR: ${{ steps.create-pull-request.outputs.pull-request-url }} | |
| Please merge that PR first to fix cargo-audit. | |
| `; | |
| // Fetch existing comments | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner, | |
| repo, | |
| issue_number, | |
| }); | |
| // Find existing comment | |
| const existingComment = comments.find(c => c.body.startsWith(commentTitle)); | |
| if (!existingComment) { | |
| await github.rest.issues.createComment({ | |
| owner, | |
| repo, | |
| issue_number, | |
| body: commentBody | |
| }); | |
| } else { | |
| console.log("Already commented.") | |
| } |