gitea-mirror/rosenpass
1
0
Fork 0
mirror of https://github.com/rosenpass/rosenpass.git synced 2025-12-12 07:40:30 -08:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Make the CI restart once cargo-vet exemptions for dependabot have been pushed (#658)"

Browse Source 
This reverts commit e021b9f11d, reversing
changes made to d98815fa7f.
This commit is contained in:
Karolin Varner
2025-06-18 19:42:30 +02:00
parent e021b9f11d
commit 6c49f38e29
2 changed files with 16 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
.github/workflows/supply-chain.yml vendored
View File

@@ -28,10 +28,6 @@ jobs:
~/.cargo/registry/cache/
~/.cache/cargo-supply-chain/
key: cargo-supply-chain-cache
- name: Install nightly toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
run: |
rustup toolchain install nightly
rustup override set nightly
- uses: actions/cache@v4
with:
path: ${{ runner.tool_cache }}/cargo-supply-chain
@@ -54,8 +50,6 @@ jobs:
contents: write
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_PAT }}
- uses: actions/cache@v4
with:
path: |
@@ -63,10 +57,10 @@ jobs:
~/.cargo/registry/index/
~/.cargo/registry/cache/
key: cargo-vet-cache
- name: Install nightly toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
- name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
run: |
rustup toolchain install nightly
rustup override set nightly
rustup toolchain install stable
rustup default stable
- uses: actions/cache@v4
with:
path: ${{ runner.tool_cache }}/cargo-vet
@@ -75,48 +69,23 @@ jobs:
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
- name: Ensure that the tool cache is populated with the cargo-vet binary
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
- name: Check if last commit was by Dependabot
- name: Regenerate vet exemptions for dependabot PRs
if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
run: cargo vet regenerate exemptions
- name: Check for changes in case of dependabot PR
if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
run: git diff --exit-code || echo "Changes detected, committing..."
- name: Commit and push changes for dependabot PRs
if: success() && github.actor == 'dependabot[bot]'
run: |
git fetch origin ${{ github.head_ref }}
git switch ${{ github.head_ref }}
COMMIT_AUTHOR=$(gh api repos/${{ github.repository }}/commits/${{ github.sha }} --jq .author.login)
if [[ "$COMMIT_AUTHOR" == "dependabot[bot]" ]]; then
echo "The last commit was made by dependabot"
IS_DEPENDABOT=true
else
echo "The last commit was not made by dependabot"
IS_DEPENDABOT=false
fi
echo "IS_DEPENDABOT=$IS_DEPENDABOT" >> $GITHUB_ENV
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions@github.com"
git add supply-chain/*
git commit -m "Regenerate cargo vet exemptions"
git push origin ${{ github.head_ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Check if the last commit's message ends in "--regenerate-exemptions"
run: |
# Get commit message
COMMIT_MESSAGE=$(git log -1 --pretty=format:"%s")
if [[ "$COMMIT_MESSAGE" == *"--regenerate-exemptions" ]]; then
echo "The last commit message ends in --regenerate-exemptions"
REGEN_EXEMP=true
else
echo "The last commit message does not end in --regenerate-exemptions"
REGEN_EXEMP=false
fi
echo "REGEN_EXEMP=$REGEN_EXEMP" >> $GITHUB_ENV
- name: Regenerate vet exemptions for dependabot PRs
if: github.actor == 'dependabot[bot]' && (env.IS_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true') # Run only for Dependabot PRs or if specifically requested
run: cargo vet regenerate exemptions
- name: Check for changes in case of dependabot PR
if: github.actor == 'dependabot[bot]' && (env.IS_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true') # Run only for Dependabot PRs or if specifically requested
run: git diff --exit-code || echo "Changes detected, committing..."
- name: Commit and push changes for dependabot PRs
if: success() && github.actor == 'dependabot[bot]' && (env.IS_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true')
uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: Regenerate cargo vet exemptions
commit_user_name: rosenpass-ci-bot[bot]
commit_user_email: noreply@rosenpass.eu
commit_author: Rosenpass CI Bot <noreply@rosenpass.eu>
env:
GITHUB_TOKEN: ${{ secrets.CI_BOT_PAT }}
- name: Invoke cargo-vet
run: cargo vet --locked

20
CI.md
View File

@@ -1,20 +0,0 @@
# Continuous Integration
This repository's CI uses non-standard mechanisms to harmonize the usage of `dependabot` together with [`cargo vet`](https://mozilla.github.io/cargo-vet/). Since cargo-vet audits for new versions of crates are rarely immediately available once dependabots bumps the version,
the exemptions for `cargo vet` have to be regenerated for each push request opened by dependabot. To make this work, some setup is neccessary to setup the CI. The required steps are as follows:
1. Create a mew user on github. For the purpose of these instructions, we will assume that its mail address is `ci@example.com` and that its username is `ci-bot`. Protect this user account as you would any other user account that you intend to gve write permissions to. For example, setup MFA or protect the emal address of the user. Make sure to verify your e-mail.
2. Grant `ci-bot` write access to the repository.
3. Create a new personal access token for `ci-bot`. That is, in the settings for `ci-bot`, select "Developer settings" -> "Personal Access tokens" -> "Fine-grained tokens". Then click on "Generate new token". Enter a name of your choosing and choose an expiration date that you feel comfortable with. A shorter expiration period will requrie more manual management by you but is more secure than a longer one. Under "Repository permissions", grant "Read and write"-access to the "Contens" premission for the token. Grant no other permissions to the token, except for the read-only access to the "Metadata" permission, which is mandatory. Then generate the token and copy it for the next step.
4. Now, with your account that has administrative permissions for the repository, open the settings page for the repository and select "Secrets and variables" -> "Actions" and click "New repository secret". In the name field enter "CI_BOT_PAT". This name is mandatory, since it is explicitly referenced in the supply-chain workflow. Below, enter the token that was generated in the previous step.
## What this does
For the `cargo vet` check in the CI for dependabot, the `cargo vet`-exemptions have to automatically be regenerated, because otherwise this CI job will always fail for dependabot PRs. After the exemptions have been regenerated, they need to be commited and pushed to the PR. This invalidates the CI run that pushed the commit so that it does not show up in the PR anymore but does not trigger a new CI run. This is a [protection by Github](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) to prevent infinite loops. However, in this case it prevents us from having a proper CI run for dependabot PRs. The solution to this is to execute `push` operation with a personal access token.
## Preventing infinite loops
The CI is configured to avoid infinite loops by only regenerating and pushing the `cargo vet` exemptions if at least one of the following conditions is met:
- The last commit was performed by dependabot
- The last commit message ends in `--regenerate-exemptions`