adding system dependencies #24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Code Scan | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: '0 12 * * 1' | |
| workflow_dispatch: | |
| permissions: | |
| contents: write | |
| security-events: write # for codeQL to write security events | |
| jobs: | |
| fossa: | |
| name: FOSSA | |
| # Needs access to the FOSSA API key secret, so don't run on pull request events | |
| if: ${{ ! github.event_name == 'pull_request' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run FOSSA scan and upload build data | |
| uses: fossa-contrib/fossa-action@cdc5065bcdee31a32e47d4585df72d66e8e941c2 # v3.0.0 | |
| with: | |
| fossa-api-key: ${{ secrets.FOSSA_API_KEY }} | |
| github-token: ${{ github.token }} | |
| trivy: | |
| name: Trivy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner in repo mode | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 | |
| with: | |
| scan-type: fs | |
| scanners: vuln | |
| ignore-unfixed: true | |
| format: sarif | |
| output: trivy-results.sarif | |
| # - name: Upload Trivy scan results to GitHub Security tab | |
| # uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 | |
| # with: | |
| # sarif_file: trivy-results.sarif | |
| llvm-cov: | |
| name: llvm-cov | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Set up Rust | |
| - name: Set up Rust | |
| uses: actions-rs/toolchain@v1 | |
| with: | |
| profile: minimal | |
| toolchain: nightly | |
| override: true | |
| - name: Install cargo-llvm-cov | |
| uses: taiki-e/install-action@cargo-llvm-cov | |
| - name: Install Clippy | |
| run: rustup component add clippy | |
| # Cache Cargo dependencies | |
| - name: Cache Cargo registry | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.cargo/registry | |
| key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-registry- | |
| - name: Cache Cargo index | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.cargo/git | |
| key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-index- | |
| - name: Cache target directory | |
| uses: actions/cache@v3 | |
| with: | |
| path: target | |
| key: ${{ runner.os }}-cargo-target-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-target- | |
| - name: Generate code coverage | |
| run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info | |
| codeql: | |
| name: SonarQube | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Set up Rust | |
| - name: Set up Rust | |
| uses: actions-rs/toolchain@v1 | |
| with: | |
| profile: minimal | |
| toolchain: nightly | |
| override: true | |
| - name: Install cargo-llvm-cov | |
| uses: taiki-e/install-action@cargo-llvm-cov | |
| - name: Install Clippy | |
| run: rustup component add clippy | |
| # Cache Cargo dependencies | |
| - name: Cache Cargo registry | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.cargo/registry | |
| key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-registry- | |
| - name: Cache Cargo index | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.cargo/git | |
| key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-index- | |
| - name: Cache target directory | |
| uses: actions/cache@v3 | |
| with: | |
| path: target | |
| key: ${{ runner.os }}-cargo-target-${{ hashFiles('**/Cargo.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-cargo-target- | |
| - name: Generate code coverage | |
| run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info | |
| - name: Install cargo-sonar and run Clippy | |
| run: | | |
| cargo install cargo-sonar | |
| cargo clippy --message-format json > my-clippy-report.json | |
| cargo sonar --clippy-path my-clippy-report.json | |
| - name: SonarQube Scan | |
| uses: SonarSource/sonarqube-scan-action@v4 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} |