feat(ci): add Docker Scout vulnerabilities scanning #2493
# This workflow conducts various linting checks for a Rust-based project.
# 1. Determines if Rust or workflow files have been modified.
# 2. Runs the Clippy linter on Rust files, producing annotations and failing on warnings.
# 3. Ensures Rust code formatting complies with 'rustfmt' standards.
# 4. Lints GitHub Actions workflow files for common issues.
# 5. Checks for common spelling errors in the codebase.
# The workflow is designed to maintain code quality and consistency, running checks conditionally based on the changed files.
name: Lint

# Limits concurrent runs per branch. On pull requests the group is keyed by
# `github.head_ref`, so a newer push to the same PR cancels the run that is
# still in progress and only the latest commit gets checked. On pushes to
# `main`, `github.head_ref` is empty and the group falls back to
# `github.run_id`, which is unique per run -- so runs on `main` are never
# cancelled and always get to populate the shared caches.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

on:
  # we build Rust caches on main, so they can be shared by all branches:
  # https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
  push:
    branches:
      - main
  # NOTE(review): `pull_request` also fires for PRs opened from forks, where
  # GITHUB_TOKEN is read-only and repository secrets are not available; any
  # job that tries to write check runs has to cope with that case.
  pull_request:

# Debug/build tunables come from repository (or organisation) variables so they
# can be adjusted without editing this file. A variable that is not defined
# expands to an empty string.
env:
  CARGO_INCREMENTAL: ${{ vars.CARGO_INCREMENTAL }}
  RUST_LOG: ${{ vars.RUST_LOG }}
  RUST_BACKTRACE: ${{ vars.RUST_BACKTRACE }}
  RUST_LIB_BACKTRACE: ${{ vars.RUST_LIB_BACKTRACE }}
  COLORBT_SHOW_HIDDEN: ${{ vars.COLORBT_SHOW_HIDDEN }}
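jobs:
  changed-files:
    runs-on: ubuntu-latest
    name: Checks changed-files
    # Least privilege: this job only diffs the checkout and publishes job
    # outputs; it never writes to the repository, checks or pull requests.
    # (Without an explicit block the job inherits the repository's default
    # GITHUB_TOKEN permissions, which may be write-all on older repositories.)
    permissions:
      contents: read
    outputs:
      rust: ${{ steps.changed-files-rust.outputs.any_changed == 'true' }}
      workflows: ${{ steps.changed-files-workflows.outputs.any_changed == 'true' }}
    steps:
      - uses: actions/[email protected]
        with:
          # Do not leave the token in .git/config for later steps to pick up.
          persist-credentials: false
          # Full history so the diff below can be computed locally against the
          # base ref (presumably why depth 0 is used -- confirm if it ever changes).
          fetch-depth: 0
      # TODO(security): pin third-party actions to a full-length commit SHA
      # rather than a moving tag. A tag can be re-pointed at different code after
      # this file is reviewed, and this particular action has had its release
      # tags retargeted at a malicious commit in a past supply-chain incident.
      # Keep the tag in a trailing comment so Dependabot can still bump it.
      - name: Rust files
        id: changed-files-rust
        uses: tj-actions/[email protected]
        with:
          files: |
            **/*.rs
            **/Cargo.toml
            **/Cargo.lock
            clippy.toml
            .cargo/config.toml
            .github/workflows/ci-lint.yml
      - name: Workflow files
        id: changed-files-workflows
        uses: tj-actions/[email protected]
        with:
          files: |
            .github/workflows/*.yml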
clippy: | |
name: Clippy | |
timeout-minutes: 45 | |
runs-on: ubuntu-latest | |
needs: changed-files | |
if: ${{ needs.changed-files.outputs.rust == 'true' }} | |
steps: | |
- uses: actions/[email protected] | |
with: | |
persist-credentials: false | |
- name: Install last version of Protoc | |
uses: arduino/[email protected] | |
with: | |
# TODO: increase to latest version after https://github.com/arduino/setup-protoc/issues/33 is fixed | |
version: '23.x' | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Check workflow permissions | |
id: check_permissions | |
uses: scherermichael-oss/[email protected] | |
with: | |
required-permission: write | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# Setup Rust with stable toolchain and default profile | |
- name: Setup Rust | |
run: | | |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain=stable --profile=default | |
- uses: Swatinem/[email protected] | |
with: | |
shared-key: "clippy-cargo-lock" | |
# TODO: keep this action until we find a better solution | |
- name: Run clippy action to produce annotations | |
uses: actions-rs/[email protected] | |
if: ${{ steps.check_permissions.outputs.has-permission }} | |
with: | |
# GitHub displays the clippy job and its results as separate entries | |
name: Clippy (stable) Results | |
token: ${{ secrets.GITHUB_TOKEN }} | |
args: --workspace --all-features --all-targets -- -D warnings | |
- name: Run clippy manually without annotations | |
if: ${{ !steps.check_permissions.outputs.has-permission }} | |
run: cargo clippy --workspace --all-features --all-targets -- -D warnings | |
fmt: | |
name: Rustfmt | |
timeout-minutes: 30 | |
runs-on: ubuntu-latest | |
needs: changed-files | |
if: ${{ needs.changed-files.outputs.rust == 'true' }} | |
steps: | |
- uses: actions/[email protected] | |
with: | |
persist-credentials: false | |
- uses: r7kamura/[email protected] | |
- name: Install last version of Protoc | |
uses: arduino/[email protected] | |
with: | |
# TODO: increase to latest version after https://github.com/arduino/setup-protoc/issues/33 is fixed | |
version: '23.x' | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
# Setup Rust with stable toolchain and default profile | |
- name: Setup Rust | |
run: | | |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain=stable --profile=default | |
# We don't cache `fmt` outputs because the job is quick, | |
# and we want to use the limited GitHub actions cache space for slower jobs. | |
#- uses: Swatinem/[email protected] | |
- run: | | |
cargo fmt --all -- --check | |
actionlint: | |
runs-on: ubuntu-latest | |
continue-on-error: true | |
needs: changed-files | |
if: ${{ needs.changed-files.outputs.workflows == 'true' }} | |
steps: | |
- uses: actions/[email protected] | |
- name: actionlint | |
uses: reviewdog/[email protected] | |
with: | |
level: warning | |
fail_on_error: false | |
# This is failing with a JSON schema error, see #8028 for details. | |
#- name: validate-dependabot | |
# # This gives an error when run on PRs from external repositories, so we skip it. | |
# # If this is a PR, check that the PR source is a local branch. Always runs on non-PRs. | |
# if: ${{ !startsWith(github.event_name, 'pull') || !github.event.pull_request.head.repo.fork }} | |
# uses: marocchino/[email protected] | |
codespell: | |
runs-on: ubuntu-latest | |
needs: changed-files | |
steps: | |
- uses: actions/[email protected] | |
- uses: codespell-project/[email protected] | |
with: | |
only_warn: 1 | |