diff --git a/.github/workflows/supply-chain-audit-registered.yml b/.github/workflows/supply-chain-audit-registered.yml
new file mode 100644
index 00000000..9fdd7534
--- /dev/null
+++ b/.github/workflows/supply-chain-audit-registered.yml
@@ -0,0 +1,59 @@
+name: Supply Chain Audit (registered)
+
+on:
+ workflow_dispatch: {}
+
+jobs:
+ audit:
+ name: cargo-audit & cargo-deny
+ runs-on: ubuntu-24.04
+ timeout-minutes: 30
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install Rust toolchain
+ run: |
+ if [ -f rust-toolchain.toml ]; then
+ TOOLCHAIN=$(grep -m1 -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml || true)
+ fi
+ if [ -z "${TOOLCHAIN:-}" ]; then
+ TOOLCHAIN=stable
+ fi
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${TOOLCHAIN}
+ source $HOME/.cargo/env
+
+ - name: Install cargo-audit and cargo-deny
+ run: |
+ source $HOME/.cargo/env
+ cargo install cargo-audit --version 0.17.0 || true
+ cargo install cargo-deny --version 0.12.0 || true
+
+ - name: Run cargo audit
+ run: |
+ source $HOME/.cargo/env
+ cargo audit --version || true
+ cargo audit || true
+ continue-on-error: true
+
+ - name: Run cargo deny (advisories)
+ run: |
+ source $HOME/.cargo/env
+ cargo deny check advisories --manifest-path Cargo.toml || true
+ continue-on-error: true
+
+ - name: Run cargo deny (licenses)
+ run: |
+ source $HOME/.cargo/env
+ cargo deny check licenses --manifest-path Cargo.toml || true
+ continue-on-error: true
+
+ - name: Upload audit results
+ uses: actions/upload-artifact@v4
+ with:
+ name: supply-chain-reports
+ path: |
+ audit.txt
+ deny-advisories.txt
+ deny-licenses.txt
+ if-no-files-found: ignore
diff --git a/.github/workflows/supply-chain-audit.yml b/.github/workflows/supply-chain-audit.yml
new file mode 100644
index 00000000..87de0c0b
--- /dev/null
+++ b/.github/workflows/supply-chain-audit.yml
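Review bot: The `Upload audit results` step lists `audit.txt`, `deny-advisories.txt` and `deny-licenses.txt`, but none of the `run` steps redirects anything into those files — as written, `cargo audit` and `cargo deny` only print to the step log — so with `if-no-files-found: ignore` the artifact is always empty and nobody is told. Together with `|| true` on every command and `continue-on-error: true` on every step, the audit can neither fail the job nor leave a report, so a known-vulnerable dependency is visible only to someone who reads the log; tee each tool's output into the expected file (with `set -o pipefail`, since the default `run` shell does not enable it) and drop the `|| true` so a finding at least shows as a failed-but-continued step, then decide per step whether `continue-on-error: true` should stay — the same applies to `supply-chain-audit.yml` in the next hunk. While here, `cargo install` without `--locked` resolves the auditors' own dependency trees fresh on every run, and the workflow declares no `permissions:` block, so `permissions: contents: read` at the top level and `cargo install --locked cargo-audit --version 0.17.0` would close both. For a workflow whose purpose is supply-chain hygiene, pinning `actions/checkout@v4` and `actions/upload-artifact@v4` to a full commit SHA (`actions/checkout@<commit-sha> # v4`) is the usual expectation. The `curl … | sh` rustup bootstrap also fetches an unpinned installer on each run; as far as I know the hosted ubuntu-24.04 image already ships rustup, in which case `rustup toolchain install "${TOOLCHAIN}"` avoids that fetch entirely.
```yaml
permissions:
  contents: read

# … unchanged: on:, jobs.audit header, checkout and toolchain steps …

      - name: Install cargo-audit and cargo-deny
        run: |
          source $HOME/.cargo/env
          cargo install --locked cargo-audit --version 0.17.0
          cargo install --locked cargo-deny --version 0.12.0

      - name: Run cargo audit
        run: |
          set -o pipefail
          source $HOME/.cargo/env
          cargo audit 2>&1 | tee audit.txt
        continue-on-error: true

      - name: Run cargo deny (advisories)
        run: |
          set -o pipefail
          source $HOME/.cargo/env
          cargo deny check advisories --manifest-path Cargo.toml 2>&1 | tee deny-advisories.txt
        continue-on-error: true

      - name: Run cargo deny (licenses)
        run: |
          set -o pipefail
          source $HOME/.cargo/env
          cargo deny check licenses --manifest-path Cargo.toml 2>&1 | tee deny-licenses.txt
        continue-on-error: true

      # … unchanged: upload-artifact step …
```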
@@ -0,0 +1,70 @@
+name: Supply Chain Audit
+
+on:
+ workflow_dispatch: {}
+ pull_request:
+ paths:
+ - 'Cargo.toml'
+ - 'Cargo.lock'
+
+jobs:
+ audit:
+ name: cargo-audit & cargo-deny
+ runs-on: ubuntu-24.04
+ timeout-minutes: 30
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install Rust toolchain
+ run: |
+ # Use the repository's rust-toolchain if present
+ if [ -f rust-toolchain.toml ]; then
+ TOOLCHAIN=$(grep -m1 -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml || true)
+ fi
+ if [ -z "${TOOLCHAIN:-}" ]; then
+ TOOLCHAIN=stable
+ fi
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${TOOLCHAIN}
+ source $HOME/.cargo/env
+
+ - name: Install cargo-audit and cargo-deny
+ run: |
+ source $HOME/.cargo/env
+ cargo install cargo-audit --version 0.17.0 || true
+ cargo install cargo-deny --version 0.12.0 || true
+
+ - name: Run cargo audit
+ working-directory: ${{ github.workspace }}
+ run: |
+ source $HOME/.cargo/env
+ cargo audit --version || true
+ cargo audit || true
+ continue-on-error: true
+ id: audit
+
+ - name: Run cargo deny (advisories)
+ working-directory: ${{ github.workspace }}
+ run: |
+ source $HOME/.cargo/env
+ cargo deny check advisories --manifest-path Cargo.toml || true
+ continue-on-error: true
+ id: deny-advisories
+
+ - name: Run cargo deny (licenses)
+ working-directory: ${{ github.workspace }}
+ run: |
+ source $HOME/.cargo/env
+ cargo deny check licenses --manifest-path Cargo.toml || true
+ continue-on-error: true
+ id: deny-licenses
+
+ - name: Upload audit results
+ uses: actions/upload-artifact@v4
+ with:
+ name: supply-chain-reports
+ path: |
+ audit.txt
+ deny-advisories.txt
+ deny-licenses.txt
+ if-no-files-found: ignore
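Review bot: The `pull_request.paths` filter lists only the root `Cargo.toml` and `Cargo.lock`, so a PR that changes a workspace member's manifest, the cargo-deny policy file (`deny.toml`), `rust-toolchain.toml` or this workflow itself never triggers the audit; adding `- '**/Cargo.toml'` plus the policy and workflow files would cover those, assuming the crate is a workspace (not visible here). The three `working-directory: ${{ github.workspace }}` keys restate the runner default, and `id: audit`, `id: deny-advisories` and `id: deny-licenses` are never referenced by a later step, so all six lines can be dropped until an output is actually consumed. Since this file already declares `workflow_dispatch: {}` and its steps are a superset of the ones in `supply-chain-audit-registered.yml` from the previous hunk, that file looks redundant with this one; unless "registered" names a distinct trigger the project needs, keeping a single workflow avoids the two copies drifting apart. The `# Use the repository's rust-toolchain if present` comment is worth keeping in whichever copy survives.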