mirror of
https://github.com/CloudNebulaProject/barycenter.git
synced 2026-04-10 21:20:41 +00:00
1e999a628a
Problem: - Security audit fails on vulnerabilities we cannot fix - RUSTSEC-2023-0071: RSA crate vulnerability (transitive dependency, no fix) - RUSTSEC-2025-0120: json5 unmaintained (transitive dependency) Solution: - Use --ignore flags to exclude known unfixable advisories - Keep continue-on-error as defense in depth - Document why each vulnerability is ignored These are transitive dependencies from openidconnect and config crates. We'll track updates to those crates that may resolve these issues. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
99 lines
2.5 KiB
YAML
99 lines
2.5 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- develop
|
|
- 'feature/**'
|
|
- 'release/**'
|
|
- 'hotfix/**'
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
- develop
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
RUST_BACKTRACE: 1
|
|
|
|
jobs:
|
|
test:
|
|
name: Test
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install Rust toolchain
|
|
uses: dtolnay/rust-toolchain@stable
|
|
with:
|
|
components: rustfmt, clippy
|
|
|
|
- name: Install cargo-nextest
|
|
uses: taiki-e/install-action@v2
|
|
with:
|
|
tool: cargo-nextest
|
|
|
|
- name: Cache cargo registry
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.cargo/registry
|
|
key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-cargo-registry-
|
|
|
|
- name: Cache cargo index
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.cargo/git
|
|
key: ${{ runner.os }}-cargo-git-${{ hashFiles('**/Cargo.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-cargo-git-
|
|
|
|
- name: Cache cargo build
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: target
|
|
key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-cargo-build-target-
|
|
|
|
- name: Check formatting
|
|
run: cargo fmt --all -- --check
|
|
|
|
- name: Run clippy
|
|
run: cargo clippy --all-targets --all-features -- -D warnings
|
|
continue-on-error: true # Make clippy informational
|
|
|
|
- name: Build
|
|
run: cargo build --verbose
|
|
|
|
- name: Run tests
|
|
run: cargo nextest run --verbose
|
|
|
|
security:
|
|
name: Security Audit
|
|
runs-on: ubuntu-latest
|
|
continue-on-error: true # Make this informational only
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install Rust toolchain
|
|
uses: dtolnay/rust-toolchain@stable
|
|
|
|
- name: Install cargo-audit
|
|
run: cargo install cargo-audit
|
|
|
|
- name: Run security audit
|
|
run: |
|
|
# Ignore known unfixable vulnerabilities:
|
|
# - RUSTSEC-2023-0071: RSA crate Marvin attack (transitive dep, no fix available)
|
|
# - RUSTSEC-2025-0120: json5 unmaintained (transitive dep from config crate)
|
|
cargo audit \
|
|
--ignore RUSTSEC-2023-0071 \
|
|
--ignore RUSTSEC-2025-0120
|
|
continue-on-error: true
|