
Add supply chain audit workflow with cargo-audit and cargo-deny steps

pull/6721/head
kalvinparker 3 months ago
parent
commit
0951c8d220
  1. 59
      .github/workflows/supply-chain-audit-registered.yml
  2. 70
      .github/workflows/supply-chain-audit.yml

59
.github/workflows/supply-chain-audit-registered.yml

@ -0,0 +1,59 @@
name: Supply Chain Audit (registered)
on:
workflow_dispatch: {}
jobs:
audit:
name: cargo-audit & cargo-deny
runs-on: ubuntu-24.04
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Rust toolchain
run: |
if [ -f rust-toolchain.toml ]; then
TOOLCHAIN=$(grep -m1 -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml || true)
fi
if [ -z "${TOOLCHAIN:-}" ]; then
TOOLCHAIN=stable
fi
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${TOOLCHAIN}
source $HOME/.cargo/env
- name: Install cargo-audit and cargo-deny
run: |
source $HOME/.cargo/env
cargo install cargo-audit --version 0.17.0 || true
cargo install cargo-deny --version 0.12.0 || true
- name: Run cargo audit
run: |
source $HOME/.cargo/env
cargo audit --version || true
cargo audit || true
continue-on-error: true
- name: Run cargo deny (advisories)
run: |
source $HOME/.cargo/env
cargo deny check advisories --manifest-path Cargo.toml || true
continue-on-error: true
- name: Run cargo deny (licenses)
run: |
source $HOME/.cargo/env
cargo deny check licenses --manifest-path Cargo.toml || true
continue-on-error: true
- name: Upload audit results
uses: actions/upload-artifact@v4
with:
name: supply-chain-reports
path: |
audit.txt
deny-advisories.txt
deny-licenses.txt
if-no-files-found: ignore
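Review bot: None of the three audit steps writes the files the upload step looks for — `cargo audit || true` and the two `cargo deny check … || true` lines send their output only to the job log, so `audit.txt`, `deny-advisories.txt` and `deny-licenses.txt` never exist and `if-no-files-found: ignore` silently uploads nothing. Together with `|| true` plus `continue-on-error: true` on every step, and `|| true` on the two `cargo install` lines (a failed install of the old pinned releases 0.17.0 / 0.12.0 leaves the later steps printing "no such command" and still passing), this workflow can neither fail nor report, so a vulnerable dependency produces a green run. Pipe each tool through `tee` into the expected file, drop `|| true` so the step outcome reflects the finding, and set `shell: bash` (which enables pipefail) so `tee` does not mask the exit status; if a non-blocking rollout is intended, keep `continue-on-error: true` on the licenses step only and let advisories fail the job. The rendered page has dropped the YAML indentation, so the exact nesting below is inferred.
```yaml
      # … unchanged: checkout / toolchain / install steps …
      - name: Run cargo audit
        shell: bash   # bash -eo pipefail: tee must not hide cargo-audit's exit code
        run: |
          source "$HOME/.cargo/env"
          cargo audit --version
          cargo audit 2>&1 | tee audit.txt
      - name: Run cargo deny (advisories)
        if: always()   # still run when cargo-audit failed, so both reports exist
        shell: bash
        run: |
          source "$HOME/.cargo/env"
          cargo deny check advisories --manifest-path Cargo.toml 2>&1 | tee deny-advisories.txt
      - name: Run cargo deny (licenses)
        if: always()
        shell: bash
        run: |
          source "$HOME/.cargo/env"
          cargo deny check licenses --manifest-path Cargo.toml 2>&1 | tee deny-licenses.txt
      - name: Upload audit results
        if: always()   # upload the reports even when a check failed the job
        # … unchanged: upload-artifact with/path …
```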

70
.github/workflows/supply-chain-audit.yml

@ -0,0 +1,70 @@
name: Supply Chain Audit
on:
workflow_dispatch: {}
pull_request:
paths:
- 'Cargo.toml'
- 'Cargo.lock'
jobs:
audit:
name: cargo-audit & cargo-deny
runs-on: ubuntu-24.04
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Rust toolchain
run: |
# Use the repository's rust-toolchain if present
if [ -f rust-toolchain.toml ]; then
TOOLCHAIN=$(grep -m1 -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml || true)
fi
if [ -z "${TOOLCHAIN:-}" ]; then
TOOLCHAIN=stable
fi
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${TOOLCHAIN}
source $HOME/.cargo/env
- name: Install cargo-audit and cargo-deny
run: |
source $HOME/.cargo/env
cargo install cargo-audit --version 0.17.0 || true
cargo install cargo-deny --version 0.12.0 || true
- name: Run cargo audit
working-directory: ${{ github.workspace }}
run: |
source $HOME/.cargo/env
cargo audit --version || true
cargo audit || true
continue-on-error: true
id: audit
- name: Run cargo deny (advisories)
working-directory: ${{ github.workspace }}
run: |
source $HOME/.cargo/env
cargo deny check advisories --manifest-path Cargo.toml || true
continue-on-error: true
id: deny-advisories
- name: Run cargo deny (licenses)
working-directory: ${{ github.workspace }}
run: |
source $HOME/.cargo/env
cargo deny check licenses --manifest-path Cargo.toml || true
continue-on-error: true
id: deny-licenses
- name: Upload audit results
uses: actions/upload-artifact@v4
with:
name: supply-chain-reports
path: |
audit.txt
deny-advisories.txt
deny-licenses.txt
if-no-files-found: ignore
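Review bot: A supply-chain audit that bootstraps its toolchain with `curl … https://sh.rustup.rs | sh` (the `Install Rust toolchain` step) fetches an unpinned, unverified installer from the network on every pull request, which is the class of risk the job is meant to catch; the `ubuntu-24.04` hosted image already ships `rustup`, so `rustup toolchain install "${TOOLCHAIN}" --profile minimal` followed by `rustup default "${TOOLCHAIN}"` avoids the download entirely (note the quoting — `${TOOLCHAIN}` is currently unquoted and is grepped out of a repository-controlled file). The workflow also declares no `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` scope although it only needs `contents: read`, and `actions/checkout@v4` / `actions/upload-artifact@v4` are referenced by mutable tag rather than a full commit SHA. The `paths:` filter lists only the root `Cargo.toml`/`Cargo.lock`; if this repository is a workspace, a dependency added in a member crate's manifest would not trigger the run — consider `'**/Cargo.toml'` and `'**/Cargo.lock'`. The rendered page has dropped the YAML indentation, so the exact nesting below is inferred.
```yaml
name: Supply Chain Audit
permissions:
  contents: read   # the audit only reads the tree; do not inherit a broader token
# … unchanged: on:, jobs.audit header, checkout step (pin the action to a full commit SHA) …
      - name: Install Rust toolchain
        run: |
          # … unchanged: TOOLCHAIN detection from rust-toolchain.toml, default "stable" …
          rustup toolchain install "${TOOLCHAIN}" --profile minimal
          rustup default "${TOOLCHAIN}"
```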