name: Audit
on:
push:
branches: [ master ]
pull_request:
schedule:
- cron: '0 12 * * *' workflow_dispatch:
permissions: {}
env:
CARGO_TERM_COLOR: always
jobs:
cargo-audit:
name: Cargo Audit - ${{ matrix.name }}
runs-on: ubuntu-latest
permissions:
contents: read
checks: write
issues: write
strategy:
fail-fast: false
matrix:
include:
- name: Fresh Lockfile
lockfile: Cargo.lock
- name: Recent Lockfile
lockfile: Cargo-recent.lock
- name: Minimal Lockfile
lockfile: Cargo-minimal.lock
steps:
- name: Checkout Repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 with:
persist-credentials: false
- name: Setup Rust Cache
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4
- name: Setup cargo-rbmt
uses: ./.github/actions/setup-rbmt
- name: Install cargo-rbmt Tools
shell: bash
run: cargo rbmt tools
- name: Generate Fresh Lockfile
if: ${{ matrix.lockfile == 'Cargo.lock' }}
shell: bash
run: cargo generate-lockfile
- name: Select Lockfile
if: ${{ matrix.lockfile != 'Cargo.lock' }}
shell: bash
run: cp ${{ matrix.lockfile }} Cargo.lock
- uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 with:
token: ${{ secrets.GITHUB_TOKEN }}
shellcheck:
name: ShellCheck
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 with:
persist-credentials: false
- name: Run ShellCheck
shell: bash
run: find . -name '*.sh' -print -exec shellcheck {} +
zizmor:
name: Zizmor
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 with:
persist-credentials: false
- name: Setup Rust Cache
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4
- name: Setup cargo-rbmt
uses: ./.github/actions/setup-rbmt
- name: Install cargo-rbmt Tools
shell: bash
run: cargo rbmt tools
- name: Run Zizmor
shell: bash
run: zizmor .