Bump github/codeql-action from 4.31.7 to 4.31.8 #2613
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - master | |
| schedule: | |
| - cron: '00 01 * * *' | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| test: | |
| name: test | |
| env: | |
| # For some builds, we use cross to test on 32-bit and big-endian | |
| # systems. | |
| CARGO: cargo | |
| # When CARGO is set to CROSS, this is set to `--target matrix.target`. | |
| TARGET_FLAGS: | |
| # When CARGO is set to CROSS, TARGET_DIR includes matrix.target. | |
| TARGET_DIR: ./target | |
| # Bump this as appropriate. We pin to a version to make sure CI | |
| # continues to work as cross releases in the past have broken things | |
| # in subtle ways. | |
| CROSS_VERSION: v0.2.5 | |
| # Emit backtraces on panics. | |
| RUST_BACKTRACE: 1 | |
| runs-on: ${{ matrix.os }} | |
| needs: dependency-scan | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - build: pinned | |
| os: ubuntu-latest | |
| rust: 1.85.0 | |
| - build: stable | |
| os: ubuntu-latest | |
| rust: stable | |
| - build: beta | |
| os: ubuntu-latest | |
| rust: beta | |
| - build: nightly | |
| os: ubuntu-latest | |
| rust: nightly | |
| - build: stable-musl | |
| os: ubuntu-latest | |
| rust: stable | |
| target: x86_64-unknown-linux-musl | |
| - build: stable-x86 | |
| os: ubuntu-latest | |
| rust: stable | |
| target: i686-unknown-linux-gnu | |
| - build: stable-aarch64 | |
| os: ubuntu-latest | |
| rust: stable | |
| target: aarch64-unknown-linux-gnu | |
| - build: stable-arm-gnueabihf | |
| os: ubuntu-latest | |
| rust: stable | |
| target: armv7-unknown-linux-gnueabihf | |
| - build: stable-arm-musleabihf | |
| os: ubuntu-latest | |
| rust: stable | |
| target: armv7-unknown-linux-musleabihf | |
| - build: stable-arm-musleabi | |
| os: ubuntu-latest | |
| rust: stable | |
| target: armv7-unknown-linux-musleabi | |
| - build: stable-s390x | |
| os: ubuntu-latest | |
| rust: stable | |
| target: s390x-unknown-linux-gnu | |
| - build: macos | |
| os: macos-latest | |
| rust: nightly | |
| - build: win-msvc | |
| os: windows-2022 | |
| rust: nightly | |
| - build: win-gnu | |
| os: windows-2022 | |
| rust: nightly-x86_64-gnu | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| ppa.launchpad.net:443 | |
| ppa.launchpad.net:80 | |
| packages.microsoft.com:443 | |
| azure.archive.ubuntu.com:80 | |
| azure.archive.ubuntu.com:443 | |
| api.snapcraft.io:80 | |
| api.snapcraft.io:443 | |
| static.rust-lang.org:443 | |
| crates.io:443 | |
| static.crates.io:443 | |
| registry-1.docker.io:443 | |
| auth.docker.io:443 | |
| production.cloudflare.docker.com:443 | |
| ghcr.io:443 | |
| index.crates.io:443 | |
| objects.githubusercontent.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| static.rust-lang.org:443 | |
| bestpractices.dev:443 | |
| release-assets.githubusercontent.com:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v2 | |
| - name: Install packages (Ubuntu) | |
| if: matrix.os == 'ubuntu-22.04' | |
| run: | | |
| ci/ubuntu-install-packages | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@master | |
| with: | |
| toolchain: ${{ matrix.rust }} | |
| - name: Use Cross | |
| if: matrix.os == 'ubuntu-latest' && matrix.target != '' | |
| run: | | |
| # In the past, new releases of 'cross' have broken CI. So for now, we | |
| # pin it. We also use their pre-compiled binary releases because cross | |
| # has over 100 dependencies and takes a bit to compile. | |
| dir="$RUNNER_TEMP/cross-download" | |
| mkdir "$dir" | |
| echo "$dir" >> $GITHUB_PATH | |
| cd "$dir" | |
| curl -LO "https://github.com/cross-rs/cross/releases/download/$CROSS_VERSION/cross-x86_64-unknown-linux-musl.tar.gz" | |
| tar xf cross-x86_64-unknown-linux-musl.tar.gz | |
| echo "CARGO=cross" >> $GITHUB_ENV | |
| echo "TARGET_FLAGS=--target ${{ matrix.target }}" >> $GITHUB_ENV | |
| echo "TARGET_DIR=./target/${{ matrix.target }}" >> $GITHUB_ENV | |
| - name: Show command used for Cargo | |
| run: | | |
| echo "cargo command is: ${{ env.CARGO }}" | |
| echo "target flag is: ${{ env.TARGET_FLAGS }}" | |
| - name: Build lifter and all crates | |
| run: ${{ env.CARGO }} build --verbose --workspace ${{ env.TARGET_FLAGS }} | |
| # This is useful for debugging problems when the expected build artifacts | |
| # (like shell completions and man pages) aren't generated. | |
| - name: Show build.rs stderr | |
| shell: bash | |
| run: | | |
| set +x | |
| stderr="$(find "${{ env.TARGET_DIR }}/debug" -name stderr -print0 | xargs -0 ls -t | head -n1)" | |
| if [ -s "$stderr" ]; then | |
| echo "===== $stderr ===== " | |
| cat "$stderr" | |
| echo "=====" | |
| fi | |
| set -x | |
| - name: Run tests | |
| if: matrix.target != '' | |
| run: ${{ env.CARGO }} test --verbose --workspace ${{ env.TARGET_FLAGS }} | |
| # - name: Test for existence of build artifacts (Windows) | |
| # if: matrix.os == 'windows-2019' | |
| # shell: bash | |
| # run: | | |
| # outdir="$(ci/cargo-out-dir "${{ env.TARGET_DIR }}")" | |
| # ls "$outdir/_rg.ps1" && file "$outdir/_rg.ps1" | |
| # - name: Test for existence of build artifacts (Unix) | |
| # if: matrix.os != 'windows-2019' | |
| # shell: bash | |
| # run: | | |
| # outdir="$(ci/cargo-out-dir "${{ env.TARGET_DIR }}")" | |
| # # TODO: Check for the man page generation here. For whatever reason, | |
| # # it seems to be intermittently failing in CI. No idea why. | |
| # # for f in rg.bash rg.fish rg.1; do | |
| # for f in rg.bash rg.fish; do | |
| # # We could use file -E here, but it isn't supported on macOS. | |
| # ls "$outdir/$f" && file "$outdir/$f" | |
| # done | |
| rustfmt: | |
| name: rustfmt | |
| runs-on: ubuntu-22.04 | |
| needs: dependency-scan | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v1 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| github.com:443 | |
| static.rust-lang.org:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v2 | |
| - name: Install Rust | |
| uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1 | |
| with: | |
| toolchain: stable | |
| override: true | |
| profile: minimal | |
| components: rustfmt | |
| - name: Check formatting | |
| run: | | |
| cargo fmt --all -- --check | |
| docs: | |
| name: Docs | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v1 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| index.crates.io:443 | |
| crates.io:443 | |
| github.com:443 | |
| static.crates.io:443 | |
| static.rust-lang.org:443 | |
| - name: Checkout repository | |
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v2 | |
| - name: Install Rust | |
| uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1 | |
| with: | |
| toolchain: stable | |
| profile: minimal | |
| override: true | |
| - name: Check documentation | |
| env: | |
| RUSTDOCFLAGS: -D warnings | |
| run: cargo doc --no-deps --document-private-items --workspace | |
| dependency-scan: | |
| permissions: | |
| # Needed to upload the results to code-scanning dashboard. | |
| security-events: write | |
| contents: read # for actions/checkout to fetch code | |
| if: github.event.pull_request.draft == false | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 | |
| with: | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| ghcr.io:443 | |
| github.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| objects.githubusercontent.com:443 | |
| mirror.gcr.io:443 | |
| check.trivy.dev:443 | |
| - name: Checkout the code | |
| uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v2 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Run vulnerability scanner in repo mode | |
| if: github.actor != 'dependabot[bot]' | |
| uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.2.2 | |
| with: | |
| scan-type: 'fs' | |
| ignore-unfixed: true | |
| format: 'sarif' | |
| vuln-type: 'library' | |
| severity: 'CRITICAL,HIGH' | |
| output: 'trivy-results.sarif' | |
| - name: Run vulnerability scanner in repo mode | |
| if: github.actor == 'dependabot[bot]' | |
| uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.2.2 | |
| with: | |
| scan-type: 'fs' | |
| ignore-unfixed: true | |
| exit-code: 1 | |
| format: 'sarif' | |
| vuln-type: 'library' | |
| severity: 'MEDIUM,HIGH,CRITICAL' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v1 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' |