chore(deps): bump google/osv-scanner-action from 1.8.2 to 1.9.2 #27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Code Quality and Security | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| schedule: | |
| - cron: '0 0 * * 0' | |
| env: | |
| RUST_TOOLCHAIN: stable | |
| # Add top-level permissions | |
| permissions: | |
| actions: write | |
| contents: write | |
| security-events: write | |
| jobs: | |
| shared-setup: | |
| name: Shared Setup | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| outputs: | |
| checkout_ref: ${{ steps.checkout.outputs.ref }} | |
| steps: | |
| - name: Checkout code | |
| id: checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} # Explicitly set token | |
| security-scan: | |
| name: Security Scans | |
| needs: shared-setup | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| include: | |
| - os: ubuntu-latest | |
| run_devskim: true | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ needs.shared-setup.outputs.checkout_ref }} | |
| # Cache setup | |
| - name: Cache Rust toolchain | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.cargo/bin/ | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| ~/.rustup/ | |
| key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock', '**/Cargo.toml') }}-${{ github.sha }} | |
| # Clippy Analysis | |
| - name: Setup Rust tools | |
| run: | | |
| rustup toolchain install ${{ env.RUST_TOOLCHAIN }} | |
| cargo install clippy-sarif sarif-fmt --force | |
| - name: Run Clippy Analysis | |
| run: cargo clippy --all-features --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt | |
| continue-on-error: true | |
| - name: Upload Clippy results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: rust-clippy-results.sarif | |
| wait-for-processing: true | |
| # DevSkim Security Scan | |
| - name: Run DevSkim scanner | |
| if: matrix.run_devskim == 'true' | |
| uses: microsoft/DevSkim-Action@v1 | |
| - name: Upload DevSkim scan results to GitHub Security tab | |
| if: matrix.run_devskim == 'true' | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: devskim-results.sarif | |
| osv-scanner: | |
| name: OSV Scanner | |
| needs: shared-setup | |
| uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.9.2" | |
| with: | |
| fail-on-vuln: false |