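# Dependency-vulnerability audit for the Rust workspace, driven by cargo-audit.
# Findings are surfaced in the Actions job summary and the job fails when the
# audit reports anything, so a red check blocks the PR / flags the schedule run.
name: Security Audit

on:
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'
  # Allow manual trigger for testing
  workflow_dispatch:
  # Also run on push to main to catch issues early
  push:
    branches:
      - main
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      - '.github/workflows/security-audit.yml'
      - '.cargo/audit.toml'
  # Run on PRs to test before merging
  pull_request:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      - '.github/workflows/security-audit.yml'
      - '.cargo/audit.toml'

# Least privilege: this workflow only reads the checkout, so the job token
# should not carry the repository's default write scopes.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): prefer pinning third-party actions to a full commit SHA
        # (e.g. actions/checkout@<full-commit-sha>) over a mutable tag, so an
        # upstream tag move cannot change what runs in this job.
        uses: actions/checkout@v4

      - name: Install cargo-binstall
        # NOTE(review): '@main' tracks a moving branch; a release tag or full
        # commit SHA (cargo-bins/cargo-binstall@<full-commit-sha>) gives a
        # reproducible, reviewable installer. Kept as on the page.
        uses: cargo-bins/cargo-binstall@main

      - name: Install cargo-audit binary (fast)
        # cargo-audit itself is version-pinned, which keeps advisory
        # evaluation consistent between runs.
        run: cargo binstall cargo-audit@0.22.1 --no-confirm

      - name: Run security audit
        id: audit
        run: |
          # Keep only stdout in audit.json so the report stays valid JSON;
          # stderr (advisory-DB fetch messages, errors) goes to the step log.
          # NOTE(review): a non-zero exit may also come from an advisory-DB
          # fetch failure, not only from findings — check the log before
          # treating audit_failed=true as confirmed vulnerabilities.
          if cargo audit --json > audit.json; then
            echo "audit_failed=false" >> "$GITHUB_OUTPUT"
          else
            echo "audit_failed=true" >> "$GITHUB_OUTPUT"
          fi
          # Always show the human-readable output
          cargo audit || true

      # Keep the machine-readable report so a failed run can be triaged
      # without re-running the audit.
      - name: Upload audit report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: cargo-audit-report
          path: audit.json
          if-no-files-found: ignore

      # Create a job summary that's visible in the Actions tab
      - name: Create job summary
        if: steps.audit.outputs.audit_failed == 'true'
        run: |
          {
            echo "## 🚨 Security Vulnerabilities Detected"
            echo ""
            echo "The security audit has detected vulnerabilities in the dependencies."
            echo ""
            echo "### Required Actions:"
            echo "1. Review the audit output above for details"
            echo "2. Run \`cargo audit\` locally to see the full report"
            echo "3. Update affected dependencies using \`cargo update\`"
            echo "4. Review if these vulnerabilities affect your production deployments"
            echo ""
            # Only workflow-provided contexts are interpolated here (run id,
            # server URL, repository); none of them is attacker-controlled text.
            echo "**Workflow run:** [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})"
          } >> "$GITHUB_STEP_SUMMARY"

      # Fail the workflow if vulnerabilities were found
      - name: Check audit results
        if: steps.audit.outputs.audit_failed == 'true'
        run: |
          echo "::error::Security vulnerabilities detected in dependencies"
          exit 1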