name: 🚀 Release 🚀

# Only pushes of version tags (v1.2.3, and release candidates such as
# v1.2.3-rc1) start this workflow.
on:
  push:
    tags:
      - 'v[0-9]*'
      - 'v[0-9]*-rc*'

# One run per workflow+ref; a newer push to the same ref cancels the run
# that is still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # NOTE(review): a workflow-level env entry makes the token visible to every
  # step of every job, including the cargo builds that execute dependency
  # build scripts. Its reach is bounded by each job's permissions block, but
  # defining it only on the steps that read it would be tighter — confirm
  # which steps rely on it before narrowing.
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
  build-binaries:
    name: 📦 Build (${{ matrix.target }}) 📦
    runs-on: ${{ matrix.os }}
    # The build executes third-party build scripts; the job only needs to
    # read the repository, so nothing more is granted.
    permissions:
      contents: read
    strategy:
      # A failure on one target must not cancel the builds for the others.
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
            use-cross: false
          - os: ubuntu-latest
            target: x86_64-unknown-linux-musl
            use-cross: true
          - os: ubuntu-latest
            target: aarch64-unknown-linux-gnu
            use-cross: true
          - os: macos-latest
            target: x86_64-apple-darwin
            use-cross: false
          - os: macos-latest
            target: aarch64-apple-darwin
            use-cross: false
          - os: windows-latest
            target: x86_64-pc-windows-msvc
            use-cross: false
    env:
      # Matrix values reach the shell steps through the environment instead
      # of being templated into the scripts; the shell then quotes them like
      # any other variable.
      BUILD_TARGET: ${{ matrix.target }}
      USE_CROSS: ${{ matrix.use-cross }}
    steps:
      - name: ✅ Checkout ✅
        # v6.0.2
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: 🦀 Install Rust toolchain 🦀
        # stable
        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
        with:
          toolchain: stable
          targets: ${{ matrix.target }}

      - name: 📦 Install cargo-binstall 📦
        # v1.19.1
        uses: cargo-bins/cargo-binstall@aaa84a43aec4955a42c5ffc65d258961e39f276e

      - name: 🔧 Install cross 🔧
        # Only the matrix entries marked use-cross need the cross wrapper.
        if: ${{ matrix.use-cross }}
        run: cargo binstall --no-confirm --maximum-resolution-timeout 20 cross

      - name: 🏗️ Build 🏗️
        # cross and cargo take the same arguments; only the driver differs.
        run: |
          if [ "$USE_CROSS" = "true" ]; then
            cross build --release --target "$BUILD_TARGET"
          else
            cargo build --release --target "$BUILD_TARGET"
          fi
        shell: bash

      - name: 📁 Package (Unix) 📁
        if: runner.os != 'Windows'
        # Produces audit-check-<target>-v<version>.tar.gz and records its name
        # in ASSET for the upload step.
        run: |
          version="${GITHUB_REF_NAME#v}"
          archive="audit-check-${BUILD_TARGET}-v${version}.tar.gz"
          cp "target/${BUILD_TARGET}/release/audit-check" ./audit-check
          tar czf "$archive" audit-check
          echo "ASSET=$archive" >> "$GITHUB_ENV"
        shell: bash

      - name: 📁 Package (Windows) 📁
        if: runner.os == 'Windows'
        # Same layout as the Unix step, as a zip archive.
        run: |
          $version = $env:GITHUB_REF_NAME -replace '^v', ''
          $archive = "audit-check-${env:BUILD_TARGET}-v${version}.zip"
          Copy-Item "target\${env:BUILD_TARGET}\release\audit-check.exe" "audit-check.exe"
          Compress-Archive -Path audit-check.exe -DestinationPath $archive
          "ASSET=$archive" | Out-File -FilePath $env:GITHUB_ENV -Append
        shell: pwsh

      - name: ⬆️ Upload artifact ⬆️
        # v7.0.1
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
        with:
          # One artifact per target; the release job downloads them by this prefix.
          name: binary-${{ matrix.target }}
          path: ${{ env.ASSET }}
          if-no-files-found: error

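  release:
    name: 📝 Create GitHub Release 📝
    needs: build-binaries
    runs-on: ubuntu-latest
    # Creating the release and uploading assets requires contents:write.
    permissions:
      contents: write
    steps:
      - name: ✅ Checkout ✅
        # v6.0.2
        # NOTE(review): the release step below talks to the GitHub API and
        # does not appear to read the working tree — confirm whether this
        # checkout is still needed.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: ⬇️ Download artifacts ⬇️
        # v8.0.1
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          # One binary-<target> artifact per matrix entry, flattened into dist/.
          pattern: binary-*
          path: dist
          merge-multiple: true

      - name: 🚀 Create GitHub Release 🚀
        # v3
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda
        with:
          tag_name: ${{ github.ref_name }}
          generate_release_notes: true
          # Tags containing -rc are published as pre-releases.
          prerelease: ${{ contains(github.ref_name, '-rc') }}
          files: dist/*
          # Fail the job instead of silently publishing a release with no
          # binaries when dist/ turned out to be empty.
          fail_on_unmatched_files: true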

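  publish-docker:
    name: 🐳 Publish Docker Image 🐳
    needs: release
    runs-on: ubuntu-latest
    # Pushing to GHCR needs packages:write; the repository itself is only read.
    permissions:
      packages: write
      contents: read
    steps:
      - name: ✅ Checkout ✅
        # v6.0.2
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: ⬇️ Download audit-check musl artifact ⬇️
        # v8.0.1
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
        with:
          # The statically linked build from build-binaries; it is the one
          # copied into the image.
          name: binary-x86_64-unknown-linux-musl
          path: dist/

      - name: 📦 Extract audit-check binary 📦
        run: |
          set -u
          mkdir -p binary
          tar xzf dist/audit-check-x86_64-unknown-linux-musl-*.tar.gz -C dist/
          mv dist/audit-check binary/audit-check
          # Fail here, with a clear message, rather than inside the image build.
          test -x binary/audit-check
        shell: bash

      - name: ⬇️ Download cargo-audit musl binary ⬇️
        # The token is handed over through the environment instead of being
        # templated into the script text.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -u
          # Resolve the newest cargo-audit release tag. -f/-S make an API error
          # fail the step with curl's message instead of feeding "null" to jq;
          # `// empty` turns a missing tag into an empty string for the check below.
          RELEASE=$(curl -fsS \
            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/rustsec/rustsec/releases" \
            | jq -r '[.[] | select(.tag_name | startswith("cargo-audit/"))][0].tag_name // empty')
          VERSION="${RELEASE#cargo-audit/v}"
          # The version is interpolated into a URL: accept only a plain
          # version-like string and refuse anything else (empty, slashes, spaces).
          case "$VERSION" in
            ''|*[!0-9A-Za-z.-]*)
              echo "unexpected cargo-audit release tag: '${RELEASE}'" >&2
              exit 1
              ;;
          esac
          URL="https://github.com/rustsec/rustsec/releases/download/cargo-audit%2Fv${VERSION}/cargo-audit-x86_64-unknown-linux-musl-v${VERSION}.tgz"
          # NOTE(review): the archive is neither pinned to a version nor checked
          # against a published checksum or signature, so the image bundles
          # whatever release is current at build time. Pin the version and add a
          # checksum verification once a trusted checksum source is chosen.
          curl -fsSL "$URL" -o cargo-audit.tgz
          mkdir -p cargo-audit-extract
          tar xzf cargo-audit.tgz -C cargo-audit-extract
          # Exactly one cargo-audit binary is expected; if the archive layout
          # changed, stop instead of silently picking one of several.
          FOUND=$(find cargo-audit-extract -type f -name 'cargo-audit')
          if [ -z "$FOUND" ] || [ "$(printf '%s\n' "$FOUND" | wc -l)" -ne 1 ]; then
            echo "expected exactly one cargo-audit binary, found: ${FOUND:-none}" >&2
            exit 1
          fi
          mv "$FOUND" binary/cargo-audit
          test -x binary/cargo-audit
        shell: bash

      - name: 🐳 Set up Docker Buildx 🐳
        # v4.0.0
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd

      - name: 🔑 Log in to GHCR 🔑
        # v4.1.0
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
        with:
          registry: ghcr.io
          # The job token is sufficient for ghcr.io because of packages:write above.
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: 🏷️ Extract Docker metadata 🏷️
        id: meta
        # v6.0.0
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
        with:
          images: ghcr.io/${{ github.repository }}
          # <version>, v<major>, and latest (latest only for non-rc tags).
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern=v{{major}}
            type=raw,value=latest,enable=${{ !contains(github.ref_name, '-rc') }}

      - name: 🐳 Build and push Docker image 🐳
        # v7.2.0
        # NOTE(review): no explicit provenance/SBOM attestation settings are
        # given here; check what this action version emits by default and
        # whether consumers of the image expect attestations.
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}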

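  update-major-tag:
    name: 🏷️ Update Major Version Tag 🏷️
    needs: release
    runs-on: ubuntu-latest
    # Release candidates must not move the floating major tag.
    if: ${{ !contains(github.ref_name, '-rc') }}
    # Force-pushing a tag needs write access to the repository contents.
    permissions:
      contents: write
    steps:
      - name: ✅ Checkout ✅
        # v6.0.2
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: 🏷️ Move major version tag 🏷️
        # The ref name and commit are read from the runner environment
        # ($GITHUB_REF_NAME, $GITHUB_SHA) rather than templated into the
        # script, so tag text is never parsed by the shell as code.
        run: |
          set -u
          # v1.2.3 -> v1
          version="${GITHUB_REF_NAME#v}"
          major="v${version%%.*}"
          # Only a purely numeric major component is published; any other
          # shape (e.g. v1beta) is refused instead of force-pushed as a tag.
          case "${major#v}" in
            ''|*[!0-9]*)
              echo "refusing to move a major tag for ref '${GITHUB_REF_NAME}'" >&2
              exit 1
              ;;
          esac
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -f "$major" "$GITHUB_SHA"
          git push origin -f "refs/tags/$major"
        shell: bash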