roff-rs/.github/workflows/audit.yml at master · rust-cli/roff-rs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: Audit

permissions:
  contents: read

on:
  pull_request:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
  push:
    branches:
    - master

env:
  RUST_BACKTRACE: 1
  CARGO_TERM_COLOR: always
  CLICOLOR: 1

concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: true

jobs:
  audit:
    permissions:
      contents: none
    name: Audit
    needs: [advisories, cargo_deny, actions]
    runs-on: ubuntu-latest
    if: "always()"
    steps:
      - name: Failed
        run: exit 1
        if: "contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')"
  advisories:
    permissions:
      issues: write # to create issues (actions-rs/audit-check)
      checks: write # to create check (actions-rs/audit-check)
    runs-on: ubuntu-latest
    # Prevent sudden announcement of a new advisory from failing ci:
    continue-on-error: true
    strategy:
      matrix:
        checks:
          - advisories
    steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      with:
        persist-credentials: false
    - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2
      with:
        command: check ${{ matrix.checks }}
        rust-version: stable

  cargo_deny:
    permissions:
      issues: write # to create issues (actions-rs/audit-check)
      checks: write # to create check (actions-rs/audit-check)
    runs-on: ubuntu-latest
    strategy:
      matrix:
        checks:
          - bans licenses sources
    steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      with:
        persist-credentials: false
    - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2
      with:
        command: check ${{ matrix.checks }}
        rust-version: stable

  actions:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read # only needed for private or internal repos
      actions: read # only needed for private or internal repos
    steps:
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      with:
        persist-credentials: false
    - name: Run zizmor
      uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2