Optimize GitHub Actions Workflow for Code Quality and Security #822

Open
wants to merge 24 commits into
base: main
24 commits
11b7566
Optimize GitHub Actions workflow for code quality and security - Reu…
niStee Jun 12, 2024
3966cd8
Merge branch 'main' into Optimize-GitHub-Actions-Workflow-for-Code-Qu…
niStee Jul 27, 2024
e1de504
Optimize GitHub Actions workflow for code quality and security
niStee Jul 27, 2024
b57544d
feat: Update GitHub Actions workflow to support multiple operating sy…
niStee Jul 27, 2024
132a49a
Update GitHub Actions DevSkim workflow to use Ubuntu Latest as defaul…
niStee Jul 27, 2024
9a53874
Optimize GitHub Actions workflow by checking if clippy-sarif and sari…
niStee Jul 27, 2024
af59afe
Optimize GitHub Actions workflow by checking if clippy-sarif and sari…
niStee Jul 27, 2024
8edf481
Optimize GitHub Actions workflow by checking if clippy-sarif and sari…
niStee Jul 27, 2024
67bb921
Optimize GitHub Actions workflow by installing clippy-sarif and sarif…
niStee Jul 27, 2024
ea4306d
Optimize GitHub Actions workflow by forcing installation of clippy-sa…
niStee Jul 27, 2024
fa73af4
Optimize GitHub Actions workflow by updating codeql-action to v3
niStee Jul 27, 2024
71cd840
Optimize insert_startup_scripts function for Windows
niStee Jul 27, 2024
78428bd
Refactoring Shared Setup
niStee Jul 27, 2024
0952a60
Merge branch 'main' into Optimize-GitHub-Actions-Workflow-for-Code-Qu…
niStee Jul 30, 2024
286596f
Merge branch 'main' into Optimize-GitHub-Actions-Workflow-for-Code-Qu…
niStee Aug 15, 2024
82a8f5e
chore: improve Windows Update step and add PSWindowsUpdate Module
niStee Aug 17, 2024
7376295
Merge branch 'main' into Optimize-GitHub-Actions-Workflow-for-Code-Qu…
niStee Oct 14, 2024
35299fb
Optimize GitHub Actions workflow for code quality and security
niStee Oct 14, 2024
e9ca075
Optimize GitHub Actions workflow by adding DevSkim linting step
niStee Oct 14, 2024
303f9b4
Revert "Optimize GitHub Actions workflow by adding DevSkim linting step"
niStee Oct 14, 2024
e45229f
Merge branch 'main' into Optimize-GitHub-Actions-Workflow-for-Code-Qu…
niStee Oct 14, 2024
813b398
Merge branch 'topgrade-rs:main' into Optimize-GitHub-Actions-Workflow…
niStee Oct 16, 2024
e0de116
Merge branch 'main' into Optimize-GitHub-Actions-Workflow-for-Code-Qu…
niStee Oct 18, 2024
fd30373
Merge branch 'main' into Optimize-GitHub-Actions-Workflow-for-Code-Qu…
niStee Nov 9, 2024
74 changes: 64 additions & 10 deletions .github/workflows/check_security_vulnerability.yml
@@ -1,32 +1,86 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Check Security Vulnerability
name: Code Quality and Security

on:
pull_request:
push:
branches:
- main
schedule:
- cron: '0 0 * * 0' # Run every Sunday at 00:00 (midnight)

jobs:
lint:
name: DevSkim
runs-on: ubuntu-latest

shared-setup:
name: Shared Setup
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
permissions:
actions: read
contents: read
security-events: write
outputs:
checkout_ref: ${{ steps.checkout.outputs.ref }}
os: ${{ matrix.os }}
steps:
- name: Checkout code
id: checkout
uses: actions/checkout@v4

devskim:
name: DevSkim Security Scan
needs: shared-setup
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ needs.shared-setup.outputs.checkout_ref }}
- name: Run DevSkim scanner
uses: microsoft/DevSkim-Action@v1

- name: Upload DevSkim scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: devskim-results.sarif

rust-clippy:
name: Rust Clippy Analysis
needs: shared-setup
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ needs.shared-setup.outputs.checkout_ref }}
- name: Cache Rust toolchain
uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
~/.rustup/
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('**/Cargo.toml') }}-${{ github.sha }}
- name: Install Rust toolchain and required cargo
run: |
rustup toolchain install stable
cargo install clippy-sarif sarif-fmt --force
- name: Run rust-clippy
run: |
cargo clippy --all-features --message-format=json | clippy-sarif | tee rust-clippy-results-${{ runner.os }}.sarif | sarif-fmt
continue-on-error: true
- name: Upload Clippy analysis results to GitHub
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: rust-clippy-results-${{ runner.os }}.sarif
wait-for-processing: true

osv-scanner:
name: OSV Scanner
needs: shared-setup
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.8.2"
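Review bot: the `permissions` block (`actions: read`, `contents: read`, `security-events: write`) is attached to `shared-setup`, the one job that never uploads anything, while `devskim` and `rust-clippy`, which both call `github/codeql-action/upload-sarif@v3`, declare no permissions at all. Job-level permissions do not carry over to sibling jobs through `needs:`, so if the repository's default token is read-only (or a top-level `permissions:` is ever added) both uploads fail with a 403; the `osv-scanner` reusable-workflow call inherits the caller's token too and also needs `security-events: write` to publish its SARIF. Move the block onto the three jobs that upload and drop it from `shared-setup`, which only needs `contents: read`. `shared-setup` itself is doing no shared work: it runs `actions/checkout@v4` on three OSes and exposes `steps.checkout.outputs.ref` (an output that only exists in checkout v4.2.0 and later) as a job output, but for a matrix job that output is whichever leg finishes last, and every consumer checks the same commit out again anyway, so the job only adds a serial delay and three extra runners; `github.sha` is already the ref every job is using, and `needs: shared-setup` can go. In `rust-clippy`, the cache key ends in `${{ github.sha }}` with no `restore-keys`, so it can never hit on a new commit, and `cargo install clippy-sarif sarif-fmt --force` rebuilds both tools from source even when it does; drop the SHA from the key (or add a `restore-keys` prefix), drop `--force`, and bump `actions/cache@v3` to `v4` to match the other actions. The clippy step's `cargo clippy ... | clippy-sarif | tee ... | sarif-fmt` pipeline is written for a POSIX shell, but on `windows-latest` a `run:` step defaults to PowerShell, where `tee` is the Tee-Object cmdlet and native commands are piped through PowerShell string handling; add `shell: bash` to that step, which is available on all three runners. Finally, since the header comment already notes these actions are third-party and not certified by GitHub, pin `microsoft/DevSkim-Action@v1`, `google/osv-scanner-action/...@v1.8.2` and `actions/cache@v3` to full commit SHAs with the version in a trailing comment rather than to mutable tags.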