Backup_Repos/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-05-09 05:21:23 +02:00
Code Issues Projects Releases Wiki Activity

Add supply chain audit workflow with cargo-audit and cargo-deny steps

Browse source
This commit is contained in:
kalvinparker 2025-11-08 23:20:44 +00:00
parent 9017ca265a
commit 0951c8d220
2 changed files with 129 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

59
.github/workflows/supply-chain-audit-registered.yml vendored Normal file
View file

@ -0,0 +1,59 @@
name: Supply Chain Audit (registered)
on:
workflow_dispatch: {}
jobs:
audit:
name: cargo-audit & cargo-deny
runs-on: ubuntu-24.04
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Rust toolchain
run: |
if [ -f rust-toolchain.toml ]; then
TOOLCHAIN=$(grep -m1 -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml || true)
fi
if [ -z "${TOOLCHAIN:-}" ]; then
TOOLCHAIN=stable
fi
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${TOOLCHAIN}
source $HOME/.cargo/env
- name: Install cargo-audit and cargo-deny
run: |
source $HOME/.cargo/env
cargo install cargo-audit --version 0.17.0 || true
cargo install cargo-deny --version 0.12.0 || true
- name: Run cargo audit
run: |
source $HOME/.cargo/env
cargo audit --version || true
cargo audit || true
continue-on-error: true
- name: Run cargo deny (advisories)
run: |
source $HOME/.cargo/env
cargo deny check advisories --manifest-path Cargo.toml || true
continue-on-error: true
- name: Run cargo deny (licenses)
run: |
source $HOME/.cargo/env
cargo deny check licenses --manifest-path Cargo.toml || true
continue-on-error: true
- name: Upload audit results
uses: actions/upload-artifact@v4
with:
name: supply-chain-reports
path: |
audit.txt
deny-advisories.txt
deny-licenses.txt
if-no-files-found: ignore

70
.github/workflows/supply-chain-audit.yml vendored Normal file
View file

@ -0,0 +1,70 @@
name: Supply Chain Audit
on:
workflow_dispatch: {}
pull_request:
paths:
- 'Cargo.toml'
- 'Cargo.lock'
jobs:
audit:
name: cargo-audit & cargo-deny
runs-on: ubuntu-24.04
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Rust toolchain
run: |
# Use the repository's rust-toolchain if present
if [ -f rust-toolchain.toml ]; then
TOOLCHAIN=$(grep -m1 -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml || true)
fi
if [ -z "${TOOLCHAIN:-}" ]; then
TOOLCHAIN=stable
fi
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${TOOLCHAIN}
source $HOME/.cargo/env
- name: Install cargo-audit and cargo-deny
run: |
source $HOME/.cargo/env
cargo install cargo-audit --version 0.17.0 || true
cargo install cargo-deny --version 0.12.0 || true
- name: Run cargo audit
working-directory: ${{ github.workspace }}
run: |
source $HOME/.cargo/env
cargo audit --version || true
cargo audit || true
continue-on-error: true
id: audit
- name: Run cargo deny (advisories)
working-directory: ${{ github.workspace }}
run: |
source $HOME/.cargo/env
cargo deny check advisories --manifest-path Cargo.toml || true
continue-on-error: true
id: deny-advisories
- name: Run cargo deny (licenses)
working-directory: ${{ github.workspace }}
run: |
source $HOME/.cargo/env
cargo deny check licenses --manifest-path Cargo.toml || true
continue-on-error: true
id: deny-licenses
- name: Upload audit results
uses: actions/upload-artifact@v4
with:
name: supply-chain-reports
path: |
audit.txt
deny-advisories.txt
deny-licenses.txt
if-no-files-found: ignore