-
-
Notifications
You must be signed in to change notification settings - Fork 2.7k
44 lines (38 loc) · 1.37 KB
/
supply-chain.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# Copyright 2019-2024 Tauri Programme within The Commons Conservancy
# SPDX-License-Identifier: Apache-2.0
# SPDX-License-Identifier: MIT
name: supply chain health status
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * *'
push:
branches:
- dev
paths:
- '.github/workflows/supply-chain.yml'
- '**/Cargo.lock'
- '**/Cargo.toml'
jobs:
cargo-vet:
name: check rust dependencies with cargo vet
runs-on: ubuntu-latest
env:
CARGO_VET_VERSION: 0.9.1
steps:
- uses: actions/checkout@master
- name: Install Rust
run: rustup update stable && rustup default stable
- uses: actions/cache@v4
with:
path: ${{ runner.tool_cache }}/cargo-vet
key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }}
- name: Add the tool cache directory to the search path
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
- name: Ensure that the tool cache is populated with the cargo-vet binary
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet
# Enable this again to break the workflow once we have a reasonable amount of suggestions to get to a clean base line
# - name: Invoke cargo-vet
# run: cargo vet --locked
- name: Provide audit suggestions
run: cargo vet suggest