gitea-mirror/rosenpass
1
0
Fork 0
mirror of https://github.com/rosenpass/rosenpass.git synced 2025-12-12 15:49:22 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
bbd7e7bb729af55040684ba0a998c9523a7fa898
rosenpass/.github/workflows/supply-chain.yml
David Niehues 3d724f04d4 fix: make CI workflows run after pushing excemptions for cargo-vet 
This commits changes the CI for dependabot PRs such that initially, only the exemptions for cargo vet are regenerated and pushed to the PR.
Only after that, all other workflows are triggered. This ensures that the CI result for dependabot PRs is properly presented on github.
2025-05-15 16:14:12 +02:00

82 lines
3.3 KiB
YAML
Raw Blame History

name: Supply-Chain
on:
pull_request:
push:
branches: [main]
workflow_run:
workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
types:
- completed
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
cargo-deny:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Deny dependencies with vulnerabilities or incompatible licenses
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: EmbarkStudios/cargo-deny-action@v2
cargo-supply-chain:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Supply Chain Report
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v4
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cache/cargo-supply-chain/
key: cargo-supply-chain-cache
- uses: actions/cache@v4
with:
path: ${{ runner.tool_cache }}/cargo-supply-chain
key: cargo-supply-chain-bin
- name: Add the tool cache directory to the search path
run: echo "${{ runner.tool_cache }}/cargo-supply-chain/bin" >> $GITHUB_PATH
- name: Ensure that the tool cache is populated with the cargo-supply-chain binary
run: cargo install --root ${{ runner.tool_cache }}/cargo-supply-chain cargo-supply-chain
- name: Update data for cargo-supply-chain
run: cargo supply-chain update
- name: Generate cargo-supply-chain report about publishers
run: cargo supply-chain publishers
- name: Generate cargo-supply-chain report about crates
run: cargo supply-chain crates
# The setup for cargo-vet follows the recommendations in the cargo-vet documentation: https://mozilla.github.io/cargo-vet/configuring-ci.html
cargo-vet:
# Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
name: Vet Dependencies
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v4
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
key: cargo-vet-cache
- name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
run: |
rustup toolchain install stable
rustup default stable
- uses: actions/cache@v4
with:
path: ${{ runner.tool_cache }}/cargo-vet
key: cargo-vet-bin
- name: Add the tool cache directory to the search path
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
- name: Ensure that the tool cache is populated with the cargo-vet binary
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
- name: Invoke cargo-vet
run: cargo vet --locked
Reference in New Issue View Git Blame Copy Permalink