Deny - Linux #341
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Deny - Linux | |
# | |
# Checks for security vulnerabilities or license incompatibilities | |
# | |
# Runs on: | |
# - scheduled UTC midnight | |
# - on PR review (see comment-trigger.yml) | |
# - on demand from github actions UI | |
name: Deny - Linux | |
on: | |
workflow_call: | |
workflow_dispatch: | |
schedule: | |
# At midnight UTC | |
- cron: '0 0 * * *' | |
jobs: | |
test-deny: | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
env: | |
CARGO_INCREMENTAL: 0 | |
steps: | |
- name: (PR review) Set latest commit status as pending | |
if: ${{ github.event_name == 'pull_request_review' }} | |
uses: myrotvorets/[email protected] | |
with: | |
sha: ${{ github.event.review.commit_id }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
context: Deny - Linux | |
status: pending | |
- name: (PR review) Checkout PR branch | |
if: ${{ github.event_name == 'pull_request_review' }} | |
uses: actions/checkout@v3 | |
with: | |
ref: ${{ github.event.review.commit_id }} | |
- name: Checkout branch | |
if: ${{ github.event_name != 'pull_request_review' }} | |
uses: actions/checkout@v3 | |
- uses: actions/cache@v4 | |
name: Cache Cargo registry + index | |
with: | |
path: | | |
~/.cargo/bin/ | |
~/.cargo/registry/index/ | |
~/.cargo/registry/cache/ | |
~/.cargo/git/db/ | |
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
restore-keys: | | |
${{ runner.os }}-cargo- | |
- run: sudo -E bash scripts/environment/bootstrap-ubuntu-20.04.sh | |
- run: bash scripts/environment/prepare.sh | |
- run: echo "::add-matcher::.github/matchers/rust.json" | |
- name: Check cargo deny advisories/licenses | |
run: make check-deny | |
- name: (PR review) Set latest commit status as ${{ job.status }} | |
uses: myrotvorets/[email protected] | |
if: always() && github.event_name == 'pull_request_review' | |
with: | |
sha: ${{ github.event.review.commit_id }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
context: Deny - Linux | |
status: ${{ job.status }} |