Revert "fix: make CI workflows run after pushing excemptions for cargo-vet (#652)"

This reverts commit bbd7e7bb72, reversing
changes made to db9d0b642b.
Karolin Varner
2025-05-30 13:15:37 +02:00
parent 64ff326e14
commit dd105a4491
9 changed files with 26 additions and 178 deletions


@@ -17,10 +17,6 @@ on:
# this action is required to pass before merging. Otherwise, it
# can be removed.
- synchronize
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
# Schedule a daily check. Useful if you reference cross-repository
# issues or pull requests. Otherwise, it can be removed.
@@ -29,8 +25,6 @@ on:
jobs:
check:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
permissions:
issues: write
pull-requests: write


@@ -14,15 +14,6 @@ on:
- ".github/workflows/docker.yaml"
branches:
- "main"
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
paths:
- "docker/Dockerfile"
- ".github/workflows/docker.yaml"
branches:
- "main"
permissions:
contents: read
@@ -33,8 +24,6 @@ jobs:
# 1. BUILD & TEST
# --------------------------------
build-and-test-rp:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
strategy:
matrix:
arch: [amd64, arm64]
@@ -129,8 +118,8 @@ jobs:
docker-image-rp:
needs:
- build-and-test-rp
# Only run this job if it s triggered by by a push to the main branch or a version tag.
if: ${{ github.event_name != 'pull_request' && github.event_name != 'workflow_run' }}
# Skip if this is not a PR. Then we want to push this image.
if: ${{ github.event_name != 'pull_request' }}
# Use a matrix to build for both AMD64 and ARM64
strategy:
matrix:
@@ -194,8 +183,8 @@ jobs:
docker-image-rosenpass:
needs:
- build-and-test-rp
# Only run this job if it s triggered by by a push to the main branch or a version tag.
if: ${{ github.event_name != 'pull_request' && github.event_name != 'workflow_run' }}
# Skip if this is not a PR. Then we want to push this image.
if: ${{ github.event_name != 'pull_request' }}
# Use a matrix to build for both AMD64 and ARM64
strategy:
matrix:
@@ -260,7 +249,7 @@ jobs:
needs:
- docker-image-rosenpass
- docker-image-rp
if: ${{ github.event_name != 'pull_request' && github.event_name != 'workflow_run' }}
if: ${{ github.event_name != 'pull_request' }}
strategy:
matrix:
target: [rp, rosenpass]
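Review bot: Taking the second line of each printed pair as the new side, the comment on `docker-image-rp`, `# Skip if this is not a PR. Then we want to push this image.`, says the opposite of the condition under it, `if: ${{ github.event_name != 'pull_request' }}`, which runs the job precisely when the event is not a pull request; the same pair sits on `docker-image-rosenpass`. A wrong comment on the gate of a job that pushes images is worth fixing in the revert itself, since the next reader will trust it when deciding whether a fork PR can reach the push step. Replace both with `# Only run this job for pushes (main branch or version tag), never for pull requests, because it pushes the image.` The final push job in the last hunk carries the same condition without a comment, so it is consistent with the two above.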


@@ -13,8 +13,6 @@ concurrency:
jobs:
aarch64-darwin---default:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Build aarch64-darwin.default
runs-on:
- warp-macos-13-arm64-6x
@@ -32,8 +30,6 @@ jobs:
- name: Build
run: nix build .#packages.aarch64-darwin.default --print-build-logs
aarch64-darwin---release-package:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Build aarch64-darwin.release-package
runs-on:
- warp-macos-13-arm64-6x
@@ -53,8 +49,6 @@ jobs:
- name: Build
run: nix build .#packages.aarch64-darwin.release-package --print-build-logs
aarch64-darwin---rosenpass:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Build aarch64-darwin.rosenpass
runs-on:
- warp-macos-13-arm64-6x
@@ -71,8 +65,6 @@ jobs:
- name: Build
run: nix build .#packages.aarch64-darwin.rosenpass --print-build-logs
aarch64-darwin---rp:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Build aarch64-darwin.rp
runs-on:
- warp-macos-13-arm64-6x
@@ -89,8 +81,6 @@ jobs:
- name: Build
run: nix build .#packages.aarch64-darwin.rp --print-build-logs
aarch64-darwin---rosenpass-oci-image:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Build aarch64-darwin.rosenpass-oci-image
runs-on:
- warp-macos-13-arm64-6x
@@ -108,8 +98,6 @@ jobs:
- name: Build
run: nix build .#packages.aarch64-darwin.rosenpass-oci-image --print-build-logs
aarch64-darwin---check:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
name: Run Nix checks on aarch64-darwin
runs-on:
- warp-macos-13-arm64-6x


@@ -6,10 +6,6 @@ on:
push:
branches:
- main
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -17,8 +13,6 @@ concurrency:
jobs:
i686-linux---default:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build i686-linux.default
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -36,8 +30,6 @@ jobs:
- name: Build
run: nix build .#packages.i686-linux.default --print-build-logs
i686-linux---rosenpass:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build i686-linux.rosenpass
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -54,8 +46,6 @@ jobs:
- name: Build
run: nix build .#packages.i686-linux.rosenpass --print-build-logs
i686-linux---rosenpass-oci-image:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build i686-linux.rosenpass-oci-image
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -73,8 +63,6 @@ jobs:
- name: Build
run: nix build .#packages.i686-linux.rosenpass-oci-image --print-build-logs
i686-linux---check:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Run Nix checks on i686-linux
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -90,8 +78,6 @@ jobs:
- name: Check
run: nix flake check . --print-build-logs
x86_64-linux---default:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.default
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -109,8 +95,6 @@ jobs:
- name: Build
run: nix build .#packages.x86_64-linux.default --print-build-logs
x86_64-linux---proof-proverif:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.proof-proverif
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -128,8 +112,6 @@ jobs:
- name: Build
run: nix build .#packages.x86_64-linux.proof-proverif --print-build-logs
x86_64-linux---proverif-patched:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.proverif-patched
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -146,8 +128,6 @@ jobs:
- name: Build
run: nix build .#packages.x86_64-linux.proverif-patched --print-build-logs
x86_64-linux---release-package:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.release-package
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -191,8 +171,6 @@ jobs:
# - name: Build
# run: nix build .#packages.aarch64-linux.release-package --print-build-logs
x86_64-linux---rosenpass:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.rosenpass
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -209,8 +187,6 @@ jobs:
- name: Build
run: nix build .#packages.x86_64-linux.rosenpass --print-build-logs
aarch64-linux---rosenpass:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build aarch64-linux.rosenpass
runs-on:
- ubicloud-standard-2-arm-ubuntu-2204
@@ -232,8 +208,6 @@ jobs:
- name: Build
run: nix build .#packages.aarch64-linux.rosenpass --print-build-logs
aarch64-linux---rp:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build aarch64-linux.rp
runs-on:
- ubicloud-standard-2-arm-ubuntu-2204
@@ -255,8 +229,6 @@ jobs:
- name: Build
run: nix build .#packages.aarch64-linux.rp --print-build-logs
x86_64-linux---rosenpass-oci-image:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.rosenpass-oci-image
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -274,8 +246,6 @@ jobs:
- name: Build
run: nix build .#packages.x86_64-linux.rosenpass-oci-image --print-build-logs
aarch64-linux---rosenpass-oci-image:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build aarch64-linux.rosenpass-oci-image
runs-on:
- ubicloud-standard-2-arm-ubuntu-2204
@@ -298,8 +268,6 @@ jobs:
- name: Build
run: nix build .#packages.aarch64-linux.rosenpass-oci-image --print-build-logs
x86_64-linux---rosenpass-static:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.rosenpass-static
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -316,8 +284,6 @@ jobs:
- name: Build
run: nix build .#packages.x86_64-linux.rosenpass-static --print-build-logs
x86_64-linux---rp-static:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.rp-static
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -334,8 +300,6 @@ jobs:
- name: Build
run: nix build .#packages.x86_64-linux.rp-static --print-build-logs
x86_64-linux---rosenpass-static-oci-image:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.rosenpass-static-oci-image
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -353,8 +317,6 @@ jobs:
- name: Build
run: nix build .#packages.x86_64-linux.rosenpass-static-oci-image --print-build-logs
x86_64-linux---whitepaper:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Build x86_64-linux.whitepaper
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -371,8 +333,6 @@ jobs:
- name: Build
run: nix build .#packages.x86_64-linux.whitepaper --print-build-logs
x86_64-linux---check:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Run Nix checks on x86_64-linux
runs-on:
- ubicloud-standard-2-ubuntu-2204
@@ -390,8 +350,7 @@ jobs:
x86_64-linux---whitepaper-upload:
name: Upload whitepaper x86_64-linux
runs-on: ubicloud-standard-2-ubuntu-2204
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ (github.ref == 'refs/heads/main') && (github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run') }}
if: ${{ github.ref == 'refs/heads/main' }}
steps:
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v30


@@ -14,8 +14,6 @@ permissions:
jobs:
cargo-test-mac:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}}
runs-on: warp-macos-13-arm64-6x
steps:
- uses: actions/checkout@v4


@@ -3,10 +3,6 @@ on:
pull_request:
push:
branches: [main]
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,8 +14,6 @@ permissions:
jobs:
prettier:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
- uses: actions/checkout@v4
@@ -28,8 +22,6 @@ jobs:
args: --check .
shellcheck:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Shellcheck
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
@@ -38,8 +30,6 @@ jobs:
uses: ludeeus/action-shellcheck@master
rustfmt:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Rust Format
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
@@ -48,8 +38,6 @@ jobs:
run: bash format_rust_code.sh --mode check
cargo-bench:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
- uses: actions/checkout@v4
@@ -68,8 +56,6 @@ jobs:
- run: RUST_MIN_STACK=8388608 cargo bench --workspace --exclude rosenpass-fuzzing
mandoc:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: mandoc
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
@@ -80,8 +66,6 @@ jobs:
run: doc/check.sh doc/rp.1
cargo-audit:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
- uses: actions/checkout@v4
@@ -90,8 +74,6 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}
cargo-clippy:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
- uses: actions/checkout@v4
@@ -111,8 +93,6 @@ jobs:
args: --all-features
cargo-doc:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
- uses: actions/checkout@v4
@@ -132,8 +112,6 @@ jobs:
- run: RUSTDOCFLAGS="-D warnings" cargo doc --no-deps --document-private-items
cargo-test:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ${{ matrix.os }}
strategy:
matrix:
@@ -157,8 +135,6 @@ jobs:
- run: RUST_MIN_STACK=8388608 cargo test --workspace --all-features
cargo-test-nix-devshell-x86_64-linux:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on:
- ubicloud-standard-2-ubuntu-2204
steps:
@@ -182,8 +158,6 @@ jobs:
- run: nix develop --command cargo test --workspace --all-features
cargo-fuzz:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204
env:
steps:
@@ -218,8 +192,6 @@ jobs:
cargo fuzz run fuzz_vec_secret_alloc_memfdsec_mallocfb -- -max_total_time=5
codecov:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
- uses: actions/checkout@v4


@@ -1,54 +0,0 @@
name: Regenerate cargo-vet exemptions for dependabot-PRs
on:
pull_request:
push:
branches: [main]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
regen-cargo-vet-exemptions:
if: ${{ github.actor == 'dependabot[bot]' }}
name: Regenerate exemptions for cargo-vet for dependabot-PRs
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v4
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
key: cargo-vet-cache
- name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
run: |
rustup toolchain install stable
rustup default stable
- uses: actions/cache@v4
with:
path: ${{ runner.tool_cache }}/cargo-vet
key: cargo-vet-bin
- name: Add the tool cache directory to the search path
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
- name: Ensure that the tool cache is populated with the cargo-vet binary
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
- name: Regenerate vet exemptions for dependabot PRs
run: cargo vet regenerate exemptions
- name: Check for changes in case of dependabot PR
run: git diff --exit-code || echo "Changes detected, committing..."
- name: Commit and push changes for dependabot PRs
if: ${{ success() }}
run: |
git fetch origin ${{ github.head_ref }}
git switch ${{ github.head_ref }}
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions@github.com"
git add supply-chain/*
git commit -m "Regenerate cargo vet exemptions"
git push origin ${{ github.head_ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


@@ -3,10 +3,6 @@ on:
pull_request:
push:
branches: [main]
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,8 +14,6 @@ permissions:
jobs:
multi-peer:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
- uses: actions/checkout@v4
@@ -31,8 +25,6 @@ jobs:
[ $(ls -1 output/ate/out | wc -l) -eq 100 ]
boot-race:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
runs-on: ubicloud-standard-2-ubuntu-2204
steps:
- uses: actions/checkout@v4


@@ -3,10 +3,6 @@ on:
pull_request:
push:
branches: [main]
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,16 +10,12 @@ concurrency:
jobs:
cargo-deny:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Deny dependencies with vulnerabilities or incompatible licenses
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: EmbarkStudios/cargo-deny-action@v2
cargo-supply-chain:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Supply Chain Report
runs-on: ubuntu-latest
steps:
@@ -52,10 +44,10 @@ jobs:
run: cargo supply-chain crates
# The setup for cargo-vet follows the recommendations in the cargo-vet documentation: https://mozilla.github.io/cargo-vet/configuring-ci.html
cargo-vet:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Vet Dependencies
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v4
@@ -77,5 +69,23 @@ jobs:
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
- name: Ensure that the tool cache is populated with the cargo-vet binary
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
- name: Regenerate vet exemptions for dependabot PRs
if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
run: cargo vet regenerate exemptions
- name: Check for changes in case of dependabot PR
if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
run: git diff --exit-code || echo "Changes detected, committing..."
- name: Commit and push changes for dependabot PRs
if: success() && github.actor == 'dependabot[bot]'
run: |
git fetch origin ${{ github.head_ref }}
git switch ${{ github.head_ref }}
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions@github.com"
git add supply-chain/*
git commit -m "Regenerate cargo vet exemptions"
git push origin ${{ github.head_ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Invoke cargo-vet
run: cargo vet --locked
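Review bot: The commit step guarded by `if: success() && github.actor == 'dependabot[bot]'` fails the whole job whenever a dependabot PR needs no new exemptions, because the check step before it always exits 0 (`git diff --exit-code || echo ...` swallows the non-zero status) and `git commit` then exits non-zero on an empty index; guard the commit itself, e.g. `git diff --cached --quiet || git commit -m "Regenerate cargo vet exemptions"`, and drop the redundant `success()`. The closing `cargo vet --locked` is evaluated against exemptions this same job just regenerated, so for dependabot PRs it cannot flag an unaudited crate; say so next to the regenerate step, e.g. `# NOTE: regenerated exemptions make the vet gate below pass by construction for dependabot PRs; review supply-chain/ changes by hand.` The push script also interpolates `${{ github.head_ref }}` directly into shell, which is the usual expression-injection shape; it is reachable only for dependabot here, but passing the ref through `env:` and quoting `"$HEAD_REF"` costs nothing and survives a later loosening of the actor check. If the `permissions: contents: write` lines are on the new side, as the hunk counts suggest, the job holds write access on every trigger although only the dependabot steps push — presumably part of what the reverted change separated out, so I only note it.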