Skip to content
Code Quality and Security

Optimize GitHub actions workflow for code quality and security #25

Sign in to view logs

Optimize GitHub actions workflow for code quality and security

Optimize GitHub actions workflow for code quality and security #25

Workflow file for this run

.github/workflows/check_security_vulnerability.yml at edd4663
name: Code Quality and Security
on:
pull_request:
push:
branches: [main]
schedule:
- cron: '0 0 * * 0'
env:
RUST_TOOLCHAIN: stable
# Add top-level permissions
permissions:
actions: write
contents: write
security-events: write
jobs:
shared-setup:
name: Shared Setup
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
permissions:
actions: read
contents: read
security-events: write
outputs:
checkout_ref: ${{ steps.checkout.outputs.ref }}
steps:
- name: Checkout code
id: checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }} # Explicitly set token
security-scan:
name: Security Scans
needs: shared-setup
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
include:
- os: ubuntu-latest
run_devskim: true
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ needs.shared-setup.outputs.checkout_ref }}
# Cache setup
- name: Cache Rust toolchain
uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
~/.rustup/
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock', '**/Cargo.toml') }}-${{ github.sha }}
# Clippy Analysis
- name: Setup Rust tools
run: |
rustup toolchain install ${{ env.RUST_TOOLCHAIN }}
cargo install clippy-sarif sarif-fmt --force
- name: Run Clippy Analysis
run: cargo clippy --all-features --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
continue-on-error: true
- name: Upload Clippy results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: rust-clippy-results.sarif
wait-for-processing: true
# DevSkim Security Scan
- name: Run DevSkim scanner
if: matrix.run_devskim == 'true'
uses: microsoft/DevSkim-Action@v1
- name: Upload DevSkim scan results to GitHub Security tab
if: matrix.run_devskim == 'true'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: devskim-results.sarif
osv-scanner:
name: OSV Scanner
needs: shared-setup
uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.8.2"
with:
fail-on-vuln: false