security: Rate limit GetAddr responses #466
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Lint | |
# Ensures that only one workflow task will run at a time. Previous builds, if | |
# already in process, will get cancelled. Only the latest commit will be allowed | |
# to run, cancelling any workflows in between | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
on: | |
# we build Rust caches on main, so they can be shared by all branches: | |
# https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache | |
push: | |
branches: | |
- main | |
pull_request: | |
env: | |
CARGO_INCREMENTAL: ${{ vars.CARGO_INCREMENTAL }} | |
RUST_LOG: ${{ vars.RUST_LOG }} | |
RUST_BACKTRACE: ${{ vars.RUST_BACKTRACE }} | |
RUST_LIB_BACKTRACE: ${{ vars.RUST_LIB_BACKTRACE }} | |
COLORBT_SHOW_HIDDEN: ${{ vars.COLORBT_SHOW_HIDDEN }} | |
jobs: | |
changed-files: | |
runs-on: ubuntu-latest | |
name: Checks changed-files | |
outputs: | |
rust: ${{ steps.changed-files-rust.outputs.any_changed == 'true' }} | |
workflows: ${{ steps.changed-files-workflows.outputs.any_changed == 'true' }} | |
steps: | |
- uses: actions/[email protected] | |
with: | |
persist-credentials: false | |
fetch-depth: 0 | |
- name: Rust files | |
id: changed-files-rust | |
uses: tj-actions/[email protected] | |
with: | |
files: | | |
**/*.rs | |
**/Cargo.toml | |
**/Cargo.lock | |
clippy.toml | |
.cargo/config.toml | |
.github/workflows/ci-lint.yml | |
- name: Workflow files | |
id: changed-files-workflows | |
uses: tj-actions/[email protected] | |
with: | |
files: | | |
.github/workflows/*.yml | |
clippy: | |
name: Clippy | |
timeout-minutes: 45 | |
runs-on: ubuntu-latest | |
needs: changed-files | |
if: ${{ needs.changed-files.outputs.rust == 'true' }} | |
steps: | |
- uses: actions/[email protected] | |
with: | |
persist-credentials: false | |
- name: Install last version of Protoc | |
uses: arduino/[email protected] | |
with: | |
# TODO: increase to latest version after https://github.com/arduino/setup-protoc/issues/33 is fixed | |
version: '23.x' | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Check workflow permissions | |
id: check_permissions | |
uses: scherermichael-oss/[email protected] | |
with: | |
required-permission: write | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# Setup Rust with stable toolchain and default profile | |
- name: Setup Rust | |
run: | | |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain=stable --profile=default | |
- uses: Swatinem/[email protected] | |
with: | |
shared-key: "clippy-cargo-lock" | |
# TODO: keep this action until we find a better solution | |
- name: Run clippy action to produce annotations | |
uses: actions-rs/[email protected] | |
if: ${{ steps.check_permissions.outputs.has-permission }} | |
with: | |
# GitHub displays the clippy job and its results as separate entries | |
name: Clippy (stable) Results | |
token: ${{ secrets.GITHUB_TOKEN }} | |
args: --all-features --all-targets -- -D warnings | |
- name: Run clippy manually without annotations | |
if: ${{ !steps.check_permissions.outputs.has-permission }} | |
run: cargo clippy --all-features --all-targets -- -D warnings | |
fmt: | |
name: Rustfmt | |
timeout-minutes: 30 | |
runs-on: ubuntu-latest | |
needs: changed-files | |
if: ${{ needs.changed-files.outputs.rust == 'true' }} | |
steps: | |
- uses: actions/[email protected] | |
with: | |
persist-credentials: false | |
- uses: r7kamura/[email protected] | |
- name: Install last version of Protoc | |
uses: arduino/[email protected] | |
with: | |
# TODO: increase to latest version after https://github.com/arduino/setup-protoc/issues/33 is fixed | |
version: '23.x' | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
# Setup Rust with stable toolchain and default profile | |
- name: Setup Rust | |
run: | | |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain=stable --profile=default | |
# We don't cache `fmt` outputs because the job is quick, | |
# and we want to use the limited GitHub actions cache space for slower jobs. | |
#- uses: Swatinem/[email protected] | |
- run: | | |
cargo fmt --all -- --check | |
actionlint: | |
runs-on: ubuntu-latest | |
continue-on-error: true | |
needs: changed-files | |
if: ${{ needs.changed-files.outputs.workflows == 'true' }} | |
steps: | |
- uses: actions/[email protected] | |
- name: actionlint | |
uses: reviewdog/[email protected] | |
with: | |
level: warning | |
fail_on_error: false | |
- name: validate-dependabot | |
uses: marocchino/[email protected] | |
codespell: | |
runs-on: ubuntu-latest | |
needs: changed-files | |
steps: | |
- uses: actions/[email protected] | |
- uses: plettich/action-codespell@master | |
with: | |
github_token: ${{ secrets.github_token }} | |
level: warning |