From 6092fe63e400b83a2779a30d1000e28772864929 Mon Sep 17 00:00:00 2001 From: Jesse Szwedko Date: Fri, 6 Oct 2023 13:11:11 -0700 Subject: [PATCH 1/2] chore(ci): Run deny check nightly instead of on every PR With the goal of not blocking PRs due to a new security vulnerability being reported on `master`. There is a risk that this allows PRs to introduce vulnerabilities that won't be flagged until after merge but we see this risk as small and easily remedied after the fact. We will also run these checks before releases, when it is most important to resolve any extant CVEs. Signed-off-by: Jesse Szwedko --- .github/workflows/comment-trigger.yml | 8 ++++ .github/workflows/deny.yml | 65 +++++++++++++++++++++++++++ .github/workflows/test.yml | 4 -- 3 files changed, 73 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/deny.yml diff --git a/.github/workflows/comment-trigger.yml b/.github/workflows/comment-trigger.yml index 59ec98530a7ba..5f3c7b0cce843 100644 --- a/.github/workflows/comment-trigger.yml +++ b/.github/workflows/comment-trigger.yml @@ -9,6 +9,7 @@ # /ci-run-all : runs all of the below # /ci-run-cli : runs CLI - Linux # /ci-run-misc : runs Miscellaneous - Linux +# /ci-run-deny : runs Deny - Linux # /ci-run-component-features : runs Component Features - Linux # /ci-run-cross : runs Cross # /ci-run-unit-mac : runs Unit - Mac @@ -50,6 +51,7 @@ jobs: github.event.issue.pull_request && ( contains(github.event.comment.body, '/ci-run-all') || contains(github.event.comment.body, '/ci-run-cli') || contains(github.event.comment.body, '/ci-run-misc') + || contains(github.event.comment.body, '/ci-run-deny') || contains(github.event.comment.body, '/ci-run-component-features') || contains(github.event.comment.body, '/ci-run-cross') || contains(github.event.comment.body, '/ci-run-unit-mac') 
@@ -89,6 +91,12 @@ jobs: uses: ./.github/workflows/misc.yml secrets: inherit + deny: + needs: validate + if: contains(github.event.comment.body, '/ci-run-all') || contains(github.event.comment.body, '/ci-run-deny') + uses: ./.github/workflows/deny.yml + secrets: inherit + component-features: needs: validate if: contains(github.event.comment.body, '/ci-run-all') || contains(github.event.comment.body, '/ci-run-component-features') diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml new file mode 100644 index 0000000000000..c2fd26c17c319 --- /dev/null +++ b/.github/workflows/deny.yml 
@@ -0,0 +1,65 @@
+name: Deny - Linux
+
+on:
+ workflow_call:
+ workflow_dispatch:
+ schedule:
+ # At midnight UTC
+ - cron: '0 0 * * *'
+
+jobs:
+ test-misc:
+ runs-on: [linux, ubuntu-20.04-4core]
+ env:
+ CARGO_INCREMENTAL: 0
+ steps:
+ - name: (PR comment) Get PR branch
+ if: ${{ github.event_name == 'issue_comment' }}
+ uses: xt0rted/pull-request-comment-branch@v2
+ id: comment-branch
+
+ - name: (PR comment) Set latest commit status as pending
+ if: ${{ github.event_name == 'issue_comment' }}
+ uses: myrotvorets/set-commit-status-action@v2.0.0
+ with:
+ sha: ${{ steps.comment-branch.outputs.head_sha }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+ context: Deny - Linux
+ status: pending
+
+ - name: (PR comment) Checkout PR branch
+ if: ${{ github.event_name == 'issue_comment' }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ steps.comment-branch.outputs.head_ref }}
+
+ - name: Checkout branch
+ if: ${{ github.event_name != 'issue_comment' }}
+ uses: actions/checkout@v3
+
+ - uses: actions/cache@v3
+ name: Cache Cargo registry + index
+ with:
+ path: |
+ ~/.cargo/bin/
+ ~/.cargo/registry/index/
+ ~/.cargo/registry/cache/
+ ~/.cargo/git/db/
+ key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-cargo-
+
+ - run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh
+ - run: bash scripts/environment/prepare.sh
+ - run: echo "::add-matcher::.github/matchers/rust.json"
+ - name: Check cargo deny advisories/licenses
+ run: make check-deny
+
+ - name: (PR comment) Set latest commit status as ${{ job.status }}
+ uses: myrotvorets/set-commit-status-action@v2.0.0
+ if: always() && github.event_name == 'issue_comment'
+ with:
+ sha: ${{ steps.comment-branch.outputs.head_sha }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+ context: Deny - Linux
+ status: ${{ job.status }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index dda403b3b6030..30a430fd1348b 100644
--- a/.github/workflows/test.yml
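Review bot: The `(PR comment) Checkout PR branch` step checks out `steps.comment-branch.outputs.head_ref`, a branch name, while both set-commit-status steps write their status against `head_sha`; if the branch moves between resolving it and checking it out, the status lands on a commit other than the one whose scripts (`bootstrap-ubuntu-20.04.sh`, `prepare.sh`, `make check-deny`) actually ran. Checking out the same pinned commit, `ref: ${{ steps.comment-branch.outputs.head_sha }}`, keeps the status tied to the code that was checked and closes that small window. The file also declares no `permissions:` block, so the job's token is whatever the caller or repository default grants, although the only write it needs is for the two commit-status steps; a top-level `permissions:` with `contents: read` and `statuses: write` would pin least privilege. Authorization of the commenter is presumably handled by the `validate` job in comment-trigger.yml, which is outside this hunk, so a header comment such as `# issue_comment runs execute scripts from the PR head; commenter authorization lives in comment-trigger.yml` would make that dependency visible to future maintainers.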
+++ b/.github/workflows/test.yml @@ -94,10 +94,6 @@ jobs: if: needs.changes.outputs.source == 'true' run: make check-events - - name: Check cargo deny advisories/licenses - if: needs.changes.outputs.dependencies == 'true' || needs.changes.outputs.deny == 'true' - run: make check-deny - - name: Check that the 3rd-party license file is up to date if: needs.changes.outputs.dependencies == 'true' run: make check-licenses From fa76d4807eafefc512e317610bb3614cb4962af3 Mon Sep 17 00:00:00 2001 From: Jesse Szwedko Date: Fri, 6 Oct 2023 13:38:19 -0700 Subject: [PATCH 2/2] PR feedback Signed-off-by: Jesse Szwedko --- .github/workflows/changes.yml | 3 --- .github/workflows/deny.yml | 13 +++++++++++-- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/changes.yml b/.github/workflows/changes.yml index f480bac6265e4..7bf03d0c2a8a0 100644 --- a/.github/workflows/changes.yml +++ b/.github/workflows/changes.yml @@ -149,9 +149,6 @@ jobs: - "Makefile" - "rust-toolchain.toml" - "vdev/**" - deny: - - 'deny.toml' - - "vdev/**" dependencies: - ".cargo/**" - 'Cargo.toml' diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml index c2fd26c17c319..f0040b68fb639 100644 --- a/.github/workflows/deny.yml +++ b/.github/workflows/deny.yml @@ -1,3 +1,12 @@ +# Deny - Linux +# +# Checks for security vulnerabilities or license incompatibilities +# +# Runs on: +# - scheduled UTC midnight +# - on PR comment (see comment-trigger.yml) +# - on demand from github actions UI + name: Deny - Linux on: @@ -8,8 +17,8 @@ on: - cron: '0 0 * * *' jobs: - test-misc: - runs-on: [linux, ubuntu-20.04-4core] + test-deny: + runs-on: ubuntu-latest env: CARGO_INCREMENTAL: 0 steps:
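Review bot: The new `runs-on: ubuntu-latest` in the second deny.yml hunk drops the 20.04 label, but the job's first shell step (shown in the new-file hunk of the first patch, outside this hunk) still runs `scripts/environment/bootstrap-ubuntu-20.04.sh`; `ubuntu-latest` follows whatever image GitHub currently designates, so the script's package assumptions may drift from the runner it now executes on. Either pin `runs-on: ubuntu-20.04` to match the script, or record in the new header comment that the bootstrap script is expected to work on newer images. The job's `steps:` body continues past the end of this hunk.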