deslop 0.2.0

A static analyzer that spots low-context and AI-assisted code patterns across naming, concurrency, security, performance, and test quality.
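# CI workflow for Rust security checks: a dependency advisory audit, the
# repository's own security report, and an opt-in Miri job.
name: Rust Security Checks

# Runs on pushes to main and on every pull request.
on:
  push:
    branches:
      - main
  pull_request:

# Least privilege for GITHUB_TOKEN: the jobs in this workflow only check out
# the repository and run cargo/git locally, so read access to contents is
# enough. Without this block the token gets the repository default scopes.
permissions:
  contents: read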

jobs:
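  # Dependency advisory audit plus the repository's own security report and
  # a check that the committed report baseline is still current.
  rust-security:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions in this job are referenced by tag or branch
      # (@v4, @stable), which the action owner can move. Pinning each to a
      # full commit SHA makes the executed code reviewable and immutable.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Later steps run a repository script and a freshly installed
          # binary; do not leave the token in the local git config for them.
          persist-credentials: false

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable

      # Caches downloaded crate sources only. ~/.cargo/bin is not in the
      # path list, so the cargo-audit binary is rebuilt on every run.
      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
          key: ${{ runner.os }}-cargo-audit-${{ hashFiles('**/Cargo.lock') }}

      # --locked builds cargo-audit with its own published Cargo.lock, but the
      # tool version itself floats to the latest release.
      # NOTE(review): consider `--version <PINNED_VERSION>` for reproducible
      # results and a reviewed upgrade path.
      - name: Cargo audit
        run: |
          cargo install cargo-audit --locked
          cargo audit

      # On pull_request the script comes from the PR's merge ref, so edits to
      # scripts/check-rust-security.sh deserve the same review as changes to
      # the code it inspects.
      - name: Security grep report
        run: bash scripts/check-rust-security.sh

      # Fails when the tracked baseline differs from the committed copy.
      # Presumably the previous step regenerates this file - confirm against
      # the script. A PR that edits the baseline itself passes here, so
      # baseline changes need human review.
      - name: Security baseline drift
        run: git diff --exit-code -- reports/rust-security-baseline/latest.txt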

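  # Opt-in job: one regression test plus two library tests under Miri.
  rust-unsafe-soundness:
    # Skipped unless the configuration variable DESLOP_RUN_MIRI is '1'. A
    # skipped job does not fail the workflow, so Miri coverage is absent by
    # default rather than enforced.
    if: ${{ vars.DESLOP_RUN_MIRI == '1' }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # The remaining steps only build and run tests; they do not need
          # the token left in the local git config.
          persist-credentials: false

      # NOTE(review): @nightly floats, so the compiler and Miri versions can
      # change between runs; a failure may come from the toolchain rather
      # than from the code under test.
      - name: Install nightly with Miri
        uses: dtolnay/rust-toolchain@nightly
        with:
          components: miri

      # Plain `cargo test` (not Miri) on the nightly toolchain. The trailing
      # argument is a name filter; cargo exits 0 when no test matches, so a
      # renamed test would make this step pass without running anything.
      - name: Unsafe soundness regression test
        run: cargo test --test integration_scan test_rust_unsafe_soundness_rules

      # Only library tests whose names match the filter run under Miri; the
      # same zero-match caveat applies to both Miri steps.
      - name: Miri bounded I/O subset
        run: cargo miri test --lib reads_small_file

      - name: Miri oversized-input subset
        run: cargo miri test --lib rejects_oversized_file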