ci: replace `audit` with `deny` action (#4856)

David Knaack 2023-02-28 19:22:02 +01:00 committed by GitHub
parent b55774d3a6
commit 5e5ccc4ebe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 70 additions and 18 deletions


@ -8,22 +8,22 @@ on:
paths: paths:
- "**/Cargo.toml" - "**/Cargo.toml"
- "**/Cargo.lock" - "**/Cargo.lock"
schedule:
- cron: "0 0 * * *"
jobs: jobs:
security_audit: security_audit:
if: (github.event_name == 'schedule' && github.repository == 'starship/starship') || (github.event_name != 'schedule')
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy:
matrix:
checks:
- advisories
- bans licenses sources
# Prevent sudden announcement of a new advisory from failing ci:
continue-on-error: ${{ matrix.checks == 'advisories' }}
steps: steps:
- name: Setup | Checkout - name: Setup | Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Setup | Rust
uses: actions-rs/toolchain@v1.0.7
with:
toolchain: stable
override: true
profile: minimal
- name: Test | Security Audit - name: Test | Security Audit
uses: actions-rs/audit-check@v1.2.0 uses: EmbarkStudios/cargo-deny-action@v1.4.0
with: with:
token: ${{ secrets.GITHUB_TOKEN }} command: check ${{ matrix.checks }}
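Review bot: The job-level `continue-on-error: ${{ matrix.checks == 'advisories' }}` also covers the new nightly `schedule` run, so a failing advisories check never turns the workflow red and `vulnerability = "deny"` in deny.toml has no enforcing effect in CI. The removed audit-check step received `secrets.GITHUB_TOKEN`, presumably to report findings, and nothing visible in this hunk replaces that reporting. Consider tolerating the failure only outside the schedule, `continue-on-error: ${{ matrix.checks == 'advisories' && github.event_name != 'schedule' }}`, so a new advisory stays non-blocking on path-triggered runs but fails the nightly run visibly. Separately, `EmbarkStudios/cargo-deny-action@v1.4.0` is pinned to a mutable tag; pinning it to the full commit SHA, with the tag kept in a trailing comment, removes the reliance on that tag never being moved.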

23
Cargo.lock generated

@ -224,9 +224,9 @@ dependencies = [
[[package]] [[package]]
name = "bumpalo" name = "bumpalo"
version = "3.11.0" version = "3.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c1ad822118d20d2c234f427000d5acc36eabe1e29a348c89b63dd60b13f28e5d" checksum = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535"
[[package]] [[package]]
name = "byteorder" name = "byteorder"
@ -408,9 +408,9 @@ checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc"
[[package]] [[package]]
name = "cpufeatures" name = "cpufeatures"
version = "0.2.4" version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dc948ebb96241bb40ab73effeb80d9f93afaad49359d159a5e61be51619fe813" checksum = "28d997bd5e24a5928dd43e46dc529867e207907fe0b239c3477d924f7f2ca320"
dependencies = [ dependencies = [
"libc", "libc",
] ]
@ -765,9 +765,18 @@ dependencies = [
[[package]] [[package]]
name = "fragile" name = "fragile"
version = "1.2.1" version = "1.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85dcb89d2b10c5f6133de2efd8c11959ce9dbb46a2f7a4cab208c4eeda6ce1ab" checksum = "b7464c5c4a3f014d9b2ec4073650e5c06596f385060af740fc45ad5a19f959e8"
dependencies = [
"fragile 2.0.0",
]
[[package]]
name = "fragile"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6c2141d6d6c8512188a7891b4b01590a45f6dac67afb4f255c4124dbb86d4eaa"
[[package]] [[package]]
name = "futures-core" name = "futures-core"
@ -1743,7 +1752,7 @@ checksum = "e2be9a9090bc1cac2930688fa9478092a64c6a92ddc6ae0692d46b37d9cab709"
dependencies = [ dependencies = [
"cfg-if 1.0.0", "cfg-if 1.0.0",
"downcast", "downcast",
"fragile", "fragile 1.2.2",
"lazy_static", "lazy_static",
"mockall_derive", "mockall_derive",
"predicates", "predicates",

43
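--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,43 @@
+[advisories]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+# A list of advisory IDs to ignore. Note that ignored advisories will still
+# output a note when they are encountered.
+ignore = [
+# "RUSTSEC-0000-0000",
+]
+[licenses]
+# The lint level for crates which do not have a detectable license
+unlicensed = "deny"
+# List of explicitly allowed licenses
+allow = [
+"Apache-2.0 WITH LLVM-exception",
+"Apache-2.0",
+"BSD-2-Clause",
+"BSD-3-Clause",
+"ISC",
+"MIT-0",
+"MIT",
+"MPL-2.0",
+"Unicode-DFS-2016",
+"Unlicense",
+"WTFPL",
+"Zlib",
+]
+confidence-threshold = 0.8
+[bans]
+multiple-versions = "allow"
+wildcards = "warn"
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []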
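Review bot: In `[sources]`, `unknown-registry = "warn"` and `unknown-git = "warn"` make the `allow-registry` / `allow-git` allowlists advisory only, so a dependency pulled from another registry or from a git URL would still pass `check sources`. The Cargo.lock entries visible in this commit all resolve to the crates.io index, so `unknown-registry = "deny"` and `unknown-git = "deny"` would likely pass today and would turn the allowlist into an enforced control; confirm against the full lockfile first. A short comment above `multiple-versions = "allow"` explaining why duplicates are tolerated (this commit itself introduces a second `fragile` version) would also help the next maintainer.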