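---
# CI for a Rust workspace: formatting, lints, tests + coverage, dependency audit and SBOM.
# Lint/fmt skeleton adapted from
# https://github.com/actions-rs/meta/blob/edeebc14493689cee04cb6d941c42c36a86e9d18/recipes/quickstart.md
#
# NOTE(review): third-party actions below (taiki-e/install-action, coverallsapp/github-action,
# marocchino/sticky-pull-request-comment, google-github-actions/*) are referenced by mutable tags;
# pinning each to a full commit SHA removes the tag-retargeting supply-chain risk.
name: tests
on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:
jobs:
  fmt:
    name: cargo fmt
    runs-on: ubuntu-latest
    container:
      image: rust:latest
    steps:
      - uses: actions/checkout@v3
      - run: |
          rustup component add rustfmt
          cargo fmt --all -- --check
  clippy:
    name: cargo clippy
    runs-on: ubuntu-latest
    container:
      image: rust:latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-clippy
      - run: |
          rustup component add clippy
          cargo clippy --all-targets --all-features -- -D warnings
  test-and-coverage:
    name: cargo test and coverage
    runs-on: ubuntu-latest
    # NOTE(review): no step in this job writes to the repository; `contents: write` looks
    # broader than needed — confirm against the coveralls action and drop to `read`.
    permissions:
      contents: write
      pull-requests: write
      actions: read
    container:
      image: rust:latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-cov
      - name: Install cargo-llvm-cov
        uses: taiki-e/install-action@cargo-llvm-cov
      - name: Run tests and generate coverage report
        run: cargo llvm-cov test --all-features --workspace --lcov --output-path lcov.info
      - name: Test documentation code snippets
        run: cargo test --doc --all-features --workspace
      - name: Upload coverage to Coveralls
        uses: coverallsapp/github-action@v2.2.0
        with:
          file: ./lcov.info
  audit:
    name: Cargo Audit
    runs-on: ubuntu-latest
    # NOTE(review): the sticky comment only needs `pull-requests: write`; `contents: write`
    # does not appear to be used by any step here — confirm and drop to `read`.
    permissions:
      actions: read
      contents: write
      pull-requests: write
    container:
      image: rust:latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-audit
      - name: Install Cargo Audit
        run: |
          cargo install cargo-audit
      - name: Generate Cargo Audit Report
        id: report
        run: |
          # NOTE(review): the step's exit status is tee's, not cargo-audit's (no pipefail), so
          # vulnerability findings never fail the job — they only surface in the PR comment.
          # Confirm this report-only behaviour is intended.
          cargo audit --quiet | tee report.xml
          body="$(cat report.xml)"
          # Random heredoc delimiter so a line of audit output cannot terminate the value early.
          delimiter="$(openssl rand -hex 8)"
          {
            echo "body<<$delimiter"
            echo "$body"
            echo "$delimiter"
          } >> "$GITHUB_OUTPUT"
      - name: Comment report
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          hide_and_recreate: true
          hide_classify: "OUTDATED"
          message: |
            <b>🤖 Cargo Audit Report 🤖</b>
            ${{ steps.report.outputs.body }}
            (Empty means OK! 👍)
  sbom:
    name: Syft SBOM Generator
    runs-on: ubuntu-20.04
    # Least privilege: this job only reads the checkout; everything else authenticates with
    # its own secrets, so the default GITHUB_TOKEN scope is not needed.
    permissions:
      contents: read
    # NOTE(review): on `pull_request` runs from forks these secrets are empty, so the upload
    # steps below will fail for fork PRs — gate them with an `if:` or accept the failure.
    env:
      REPO_NAME: ${{ github.event.repository.name }}
      REPORT_FOLDER: ${{ github.event.repository.name }}-sbom-report
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-sbom
      - env:
          # Hand the secret to the shell as an environment variable instead of splicing it into
          # the script text, so it is never part of the rendered command line.
          DT_API_KEY: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
        run: |
          # NOTE(review): this fetches an unpinned installer from syft's `main` branch and pipes
          # it straight to sh; pin to a released version and verify its checksum before running.
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .
          # Use the job-level env vars ($REPORT_FOLDER, $REPO_NAME) rather than ${{ env.* }}
          # interpolation, so values are read by the shell and cannot alter the script text.
          mkdir "$REPORT_FOLDER"
          # One timestamp for both reports so the .xml and .json never straddle a minute boundary.
          stamp="$(date "+%Y.%m.%d-%H.%M")"
          ./syft . --scope all-layers -o "cyclonedx-xml=$REPORT_FOLDER/sbom-report.$stamp.xml"
          ./syft . --scope all-layers -o "cyclonedx-json=$REPORT_FOLDER/sbom-report.$stamp.json"
          cp "$REPORT_FOLDER"/*.xml sbom-report.xml
          # NOTE(review): the Dependency-Track endpoint is a bare IP over plain http, so the API
          # key and the full SBOM cross the network unencrypted — move to an https endpoint with
          # a hostname (and ideally a scoped, rotated key).
          curl -X 'POST' 'http://34.149.248.118/api/v1/bom' \
            -H 'Content-Type: multipart/form-data' \
            -H "X-API-Key: $DT_API_KEY" \
            -F 'autoCreate=true' \
            -F 'projectVersion=1.0' \
            -F "projectName=$REPO_NAME" \
            -F 'bom=@sbom-report.xml'
      # NOTE(review): credentials_json is a long-lived service-account key stored as a secret;
      # Workload Identity Federation (id-token: write + workload_identity_provider) avoids
      # holding a static key at all.
      - uses: 'google-github-actions/auth@v1'
        with:
          credentials_json: '${{ secrets.GHA_SA_KEY }}'
      - uses: 'google-github-actions/upload-cloud-storage@v1'
        with:
          process_gcloudignore: false
          path: '${{ env.REPORT_FOLDER }}/'
          destination: 'security-sbom'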