Skip to content
Code Quality and Security

Optimize GitHub Actions Workflow for Code Quality and Security #321

Sign in to view logs

Optimize GitHub Actions Workflow for Code Quality and Security

Optimize GitHub Actions Workflow for Code Quality and Security #321

Workflow file for this run

.github/workflows/check_security_vulnerability.yml at fd30373
name: Code Quality and Security
on:
pull_request:
push:
branches:
- main
schedule:
- cron: '0 0 * * 0' # Run every Sunday at 00:00 (midnight)
jobs:
shared-setup:
name: Shared Setup
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
permissions:
actions: read
contents: read
security-events: write
outputs:
checkout_ref: ${{ steps.checkout.outputs.ref }}
os: ${{ matrix.os }}
steps:
- name: Checkout code
id: checkout
uses: actions/checkout@v4
devskim:
name: DevSkim Security Scan
needs: shared-setup
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ needs.shared-setup.outputs.checkout_ref }}
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: devskim-results.sarif
rust-clippy:
name: Rust Clippy Analysis
needs: shared-setup
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ needs.shared-setup.outputs.checkout_ref }}
- name: Cache Rust toolchain
uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
~/.rustup/
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('**/Cargo.toml') }}-${{ github.sha }}
- name: Install Rust toolchain and required cargo
run: |
rustup toolchain install stable
cargo install clippy-sarif sarif-fmt --force
- name: Run rust-clippy
run: |
cargo clippy --all-features --message-format=json | clippy-sarif | tee rust-clippy-results-${{ runner.os }}.sarif | sarif-fmt
continue-on-error: true
- name: Upload Clippy analysis results to GitHub
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: rust-clippy-results-${{ runner.os }}.sarif
wait-for-processing: true
osv-scanner:
name: OSV Scanner
needs: shared-setup
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.8.2"