Harden security of GitHub Actions CI/CD #202

Merged
merged 4 commits into from
Oct 23, 2021
13 changes: 8 additions & 5 deletions .github/workflows/code_coverage.yml
Expand Up @@ -4,30 +4,33 @@ on:
- master

name: Code coverage
permissions:
contents: read

jobs:
check:
name: Code coverage
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
with:
persist-credentials: false

- name: Install stable toolchain
uses: actions-rs/toolchain@v1
uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
with:
toolchain: stable
override: true

- name: Run cargo-tarpaulin
uses: actions-rs/tarpaulin@v0.1
uses: actions-rs/tarpaulin@60f0b12e5beec09ccca51758913f82d01889151c
with:
timeout: '120'
out-type: 'Xml'
args: '-- --test-threads 1'

- name: Upload to codecov.io
uses: codecov/codecov-action@v1
uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b
with:
token: ${{secrets.CODECOV_TOKEN}}
fail_ci_if_error: true
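Review bot: The new pins at `uses: actions/checkout@1e204e9a…`, `actions-rs/toolchain@b2417cde…`, `actions-rs/tarpaulin@60f0b12e…` and `codecov/codecov-action@f32b3a37…` carry no comment naming the tag each SHA was taken from, so a reader cannot tell which release is pinned or notice when a pin has gone stale; the same applies to every pin in daily_tests.yml, lints.yml, security_audit.yml and test.yml. Append the originating tag on each line, e.g. `uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 # <tag the SHA was taken from>`, and consider adding a `github-actions` ecosystem entry to `.github/dependabot.yml` so the SHAs are bumped as releases land rather than rotting in place. Pinning by full SHA is the right choice in this file in particular, since `codecov/codecov-action` is handed `secrets.CODECOV_TOKEN` and a mutable tag reference could resolve to different code without any change to the workflow.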
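--- a/.github/workflows/daily_tests.yml
+++ b/.github/workflows/daily_tests.yml
@@ -1,4 +1,7 @@
 name: Daily tests
+permissions:
+contents: read
+
 on:
 schedule:
 - cron: '0 0 * * *' # Midnight of each day
@@ -14,16 +17,18 @@ jobs:
 - nightly
 steps:
 - name: Checkout sources
-uses: actions/checkout@v2
+uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+with:
+persist-credentials: false
 
 - name: Install toolchain
-uses: actions-rs/toolchain@v1
+uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
 with:
 profile: minimal
 toolchain: ${{ matrix.rust }}
 override: true
 - name: Run cargo test - release
-uses: actions-rs/cargo@v1
+uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 command: test
 args: --release --all-features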
13 changes: 9 additions & 4 deletions .github/workflows/lints.yml
@@ -1,31 +1,36 @@
on: [push, pull_request]

name: Lints
permissions:
contents: read

jobs:
lints:
name: rustfmt and clippy
runs-on: ubuntu-latest
steps:
with:
persist-credentials: false

- name: Checkout sources
uses: actions/checkout@v2
uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97

- name: Install stable toolchain
uses: actions-rs/toolchain@v1
uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
with:
profile: minimal
toolchain: stable
override: true
components: rustfmt, clippy

- name: Run cargo fmt
uses: actions-rs/cargo@v1
uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
with:
command: fmt
args: --all -- --check

- name: Run cargo clippy
uses: actions-rs/cargo@v1
uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
with:
command: clippy
args: -- -D warnings
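Review bot: In lints.yml the `with:` / `persist-credentials: false` pair is printed directly under `steps:`, before `- name: Checkout sources`, instead of after the `uses: actions/checkout@1e204e9a…` line as in the other four workflows. If the file really nests it that way, `steps` mixes a mapping key with a sequence and GitHub will reject the workflow; if the pair is instead attached to the job level it is silently ignored and this checkout keeps the default of persisting the token in `.git/config`, so the hardening does not apply to the lints job. Move the two lines to sit under the checkout step: `uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97`, then `with:` and `persist-credentials: false` at the step-input indent. The rendered view drops indentation, so this is inferred from print order and is worth confirming against the raw file.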
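--- a/.github/workflows/security_audit.yml
+++ b/.github/workflows/security_audit.yml
@@ -1,4 +1,7 @@
 name: Security Audit
+permissions:
+contents: read
+
 on:
 push:
 # Check immediately if dependencies are altered
@@ -14,9 +17,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout sources
-uses: actions/checkout@v2
+uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+with:
+persist-credentials: false
 - name: Install stable toolchain
-uses: actions-rs/toolchain@v1
+uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
 with:
 toolchain: stable
 override: true
@@ -25,7 +30,7 @@ jobs:
 run: cargo install cargo-audit
 
 - name: Run cargo audit
-uses: actions-rs/cargo@v1
+uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 command: audit
 args: --deny warnings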
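--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,6 +11,8 @@ on:
 # NOTE: Should we use fail-fast: false?
 
 name: Tests
+permissions:
+contents: read
 
 jobs:
 test:
@@ -29,17 +31,19 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout sources
-uses: actions/checkout@v2
+uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+with:
+persist-credentials: false
 
 - name: Install toolchain
-uses: actions-rs/toolchain@v1
+uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
 with:
 profile: minimal
 toolchain: ${{ matrix.rust }}
 override: true
 
 - name: Test debug-mode, default features
-uses: actions-rs/cargo@v1
+uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 command: test
 
@@ -50,19 +54,19 @@ jobs:
 args: --features serde
 
 - name: Test debug-mode, no default features
-uses: actions-rs/cargo@v1
+uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 command: test
 args: --no-default-features --tests
 
 - name: Test debug-mode, alloc feature
-uses: actions-rs/cargo@v1
+uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 command: test
 args: --no-default-features --features alloc --tests
 
 - name: Test release-mode, default features
-uses: actions-rs/cargo@v1
+uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 command: test
 args: --release
@@ -74,13 +78,13 @@ jobs:
 args: --release --features serde
 
 - name: Test release-mode, no default features
-uses: actions-rs/cargo@v1
+uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 command: test
 args: --release --no-default-features --tests
 
 - name: Test release-mode, alloc feature
-uses: actions-rs/cargo@v1
+uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 command: test
 args: --release --no-default-features --features alloc --tests
@@ -91,10 +95,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout sources
-uses: actions/checkout@v2
+uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+with:
+persist-credentials: false
 
 - name: Install toolchain
-uses: actions-rs/toolchain@v1
+uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
 with:
 toolchain: nightly
 target: x86_64-unknown-linux-gnu
@@ -114,14 +120,16 @@ jobs:
 - stable
 - nightly
 steps:
-- uses: actions/checkout@v2
-- uses: actions-rs/toolchain@v1
+- uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+with:
+persist-credentials: false
+- uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
 with:
 profile: minimal
 toolchain: ${{ matrix.rust }}
 target: thumbv7em-none-eabi
 override: true
-- uses: actions-rs/cargo@v1
+- uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 use-cross: true
 command: build
@@ -137,13 +145,15 @@ jobs:
 - armv7-unknown-linux-gnueabihf
 - mips64-unknown-linux-gnuabi64
 steps:
-- uses: actions/checkout@v2
-- uses: actions-rs/toolchain@v1
+- uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+with:
+persist-credentials: false
+- uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
 with:
 toolchain: stable
 target: ${{ matrix.arch }}
 override: true
-- uses: actions-rs/cargo@v1
+- uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 use-cross: true
 command: test
@@ -159,13 +169,15 @@ jobs:
 arch:
 - wasm32-unknown-unknown
 steps:
-- uses: actions/checkout@v2
-- uses: actions-rs/toolchain@v1
+- uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+with:
+persist-credentials: false
+- uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
 with:
 toolchain: stable
 target: ${{ matrix.arch }}
 override: true
-- uses: actions-rs/cargo@v1
+- uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 command: check
 args: --no-default-features --target ${{ matrix.arch }}
@@ -174,12 +186,14 @@ jobs:
 name: Build documentation
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v2
-- uses: actions-rs/toolchain@v1
+- uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+with:
+persist-credentials: false
+- uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
 with:
 toolchain: stable
 override: true
-- uses: actions-rs/cargo@v1
+- uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
 with:
 command: doc
 args: --no-deps --all-features
@@ -196,7 +210,9 @@ jobs:
 continue-on-error: ${{ matrix.checks == 'advisories' }}
 
 steps:
-- uses: actions/checkout@v2
-- uses: EmbarkStudios/cargo-deny-action@v1
+- uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+with:
+persist-credentials: false
+- uses: EmbarkStudios/cargo-deny-action@0ca727bbae7b7b578b9a5f98186caac35aa2a00d
 with:
 command: check ${{ matrix.checks }}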