
feat(ci): add Docker Scout vulnerabilities scanning #2493


Workflow file for this run

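# This workflow conducts various linting checks for a Rust-based project.
# 1. Determines if Rust or workflow files have been modified.
# 2. Runs the Clippy linter on Rust files, producing annotations and failing on warnings.
# 3. Ensures Rust code formatting complies with 'rustfmt' standards.
# 4. Lints GitHub Actions workflow files for common issues.
# 5. Checks for common spelling errors in the codebase.
# The workflow is designed to maintain code quality and consistency, running checks conditionally based on the changed files.
#
# NOTE(review): every `uses:` reference below reads `[email protected]`; the real
# `owner/action@ref` values were lost when this page was rendered and must be restored
# from the repository source. Pin each third-party action to a full commit SHA (keep the
# tag in a trailing comment) so a moved or retargeted tag cannot change what runs here.
#
# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN receives the
# repository default scopes. Once the scopes the clippy annotation step needs are
# confirmed (presumably `checks: write`), a job-level `permissions:` with
# `contents: read` plus that scope would apply least privilege; verify before enabling.
name: Lint

# Ensures that only one workflow task will run at a time. Previous builds, if
# already in process, will get cancelled. Only the latest commit will be allowed
# to run, cancelling any workflows in between
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

on:  # yamllint disable-line rule:truthy
  # we build Rust caches on main, so they can be shared by all branches:
  # https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
  push:
    branches:
      - main
  pull_request:

# Values come from repository/organization variables, so behaviour can be tuned
# without editing the workflow.
env:
  CARGO_INCREMENTAL: ${{ vars.CARGO_INCREMENTAL }}
  RUST_LOG: ${{ vars.RUST_LOG }}
  RUST_BACKTRACE: ${{ vars.RUST_BACKTRACE }}
  RUST_LIB_BACKTRACE: ${{ vars.RUST_LIB_BACKTRACE }}
  COLORBT_SHOW_HIDDEN: ${{ vars.COLORBT_SHOW_HIDDEN }}

jobs:
  # Computes the two gates (`rust`, `workflows`) that the other jobs consume via
  # `needs.changed-files.outputs.*`. Both outputs are the literal strings 'true'/'false'.
  changed-files:
    runs-on: ubuntu-latest
    name: Checks changed-files
    outputs:
      rust: ${{ steps.changed-files-rust.outputs.any_changed == 'true' }}
      workflows: ${{ steps.changed-files-workflows.outputs.any_changed == 'true' }}
    steps:
      - uses: actions/[email protected]
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false
          # Full history (presumably needed so the changed-files action can diff
          # against the base ref — confirm against the action's docs).
          fetch-depth: 0
      - name: Rust files
        id: changed-files-rust
        uses: tj-actions/[email protected]
        with:
          files: |
            **/*.rs
            **/Cargo.toml
            **/Cargo.lock
            clippy.toml
            .cargo/config.toml
            .github/workflows/ci-lint.yml
      - name: Workflow files
        id: changed-files-workflows
        uses: tj-actions/[email protected]
        with:
          files: |
            .github/workflows/*.yml

  clippy:
    name: Clippy
    timeout-minutes: 45
    runs-on: ubuntu-latest
    needs: changed-files
    if: ${{ needs.changed-files.outputs.rust == 'true' }}
    steps:
      - uses: actions/[email protected]
        with:
          persist-credentials: false
      - name: Install last version of Protoc
        uses: arduino/[email protected]
        with:
          # TODO: increase to latest version after https://github.com/arduino/setup-protoc/issues/33 is fixed
          version: '23.x'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      # Decides whether the annotation-producing clippy action may run; the two
      # clippy steps below are mutually exclusive on this step's `has-permission` output.
      - name: Check workflow permissions
        id: check_permissions
        uses: scherermichael-oss/[email protected]
        with:
          required-permission: write
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Setup Rust with stable toolchain and default profile.
      # The installer is fetched over HTTPS with TLS >= 1.2 enforced and piped to sh;
      # this trusts sh.rustup.rs at run time rather than a pinned artifact.
      - name: Setup Rust
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain=stable --profile=default
      - uses: Swatinem/[email protected]
        with:
          shared-key: "clippy-cargo-lock"
      # TODO: keep this action until we find a better solution
      - name: Run clippy action to produce annotations
        uses: actions-rs/[email protected]
        # Step outputs are strings; compare explicitly so a literal 'false' is not
        # treated as truthy (any non-empty string is truthy in expression context).
        if: ${{ steps.check_permissions.outputs.has-permission == 'true' }}
        with:
          # GitHub displays the clippy job and its results as separate entries
          name: Clippy (stable) Results
          token: ${{ secrets.GITHUB_TOKEN }}
          args: --workspace --all-features --all-targets -- -D warnings
      - name: Run clippy manually without annotations
        # Complement of the condition above: runs when the output is absent or not 'true'.
        if: ${{ steps.check_permissions.outputs.has-permission != 'true' }}
        run: cargo clippy --workspace --all-features --all-targets -- -D warnings

  fmt:
    name: Rustfmt
    timeout-minutes: 30
    runs-on: ubuntu-latest
    needs: changed-files
    if: ${{ needs.changed-files.outputs.rust == 'true' }}
    steps:
      - uses: actions/[email protected]
        with:
          persist-credentials: false
      - uses: r7kamura/[email protected]
      - name: Install last version of Protoc
        uses: arduino/[email protected]
        with:
          # TODO: increase to latest version after https://github.com/arduino/setup-protoc/issues/33 is fixed
          version: '23.x'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      # Setup Rust with stable toolchain and default profile (same installer as the clippy job).
      - name: Setup Rust
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain=stable --profile=default
      # We don't cache `fmt` outputs because the job is quick,
      # and we want to use the limited GitHub actions cache space for slower jobs.
      #- uses: Swatinem/[email protected]
      - run: |
          cargo fmt --all -- --check

  actionlint:
    runs-on: ubuntu-latest
    # Bound the runner time like the other jobs; actionlint is fast.
    timeout-minutes: 15
    continue-on-error: true
    needs: changed-files
    if: ${{ needs.changed-files.outputs.workflows == 'true' }}
    steps:
      - uses: actions/[email protected]
        with:
          # Match the other jobs: the linter does not push, so no git credentials are needed.
          persist-credentials: false
      - name: actionlint
        uses: reviewdog/[email protected]
        with:
          level: warning
          fail_on_error: false
      # This is failing with a JSON schema error, see #8028 for details.
      #- name: validate-dependabot
      #  # This gives an error when run on PRs from external repositories, so we skip it.
      #  # If this is a PR, check that the PR source is a local branch. Always runs on non-PRs.
      #  if: ${{ !startsWith(github.event_name, 'pull') || !github.event.pull_request.head.repo.fork }}
      #  uses: marocchino/[email protected]

  # Intentionally has no `if:` gate: spelling is checked on every run, not only on Rust changes.
  codespell:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    needs: changed-files
    steps:
      - uses: actions/[email protected]
        with:
          # Match the other jobs: codespell only reads the checkout.
          persist-credentials: false
      - uses: codespell-project/[email protected]
        with:
          only_warn: 1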