Skip to content
This repository has been archived by the owner on Dec 2, 2024. It is now read-only.

Commit

Permalink
github-actions: Add cargo-deny
Browse files Browse the repository at this point in the history
Adds cargo-deny to scan for vulnerabilities and license issues regarding
rust crates.

Some modifications were required for the repo to pass the tests:

 Updates ttrpc to avoid using nix 0.16.0
   https://rustsec.org/advisories/RUSTSEC-2021-0119

 Updates slog-json to avoid MLP license (copyleft)

 Updates crossbeam-channel due to yanked package

 Ignores https://rustsec.org/advisories/RUSTSEC-2020-0071
   because chrono is dependent on that version of time.
   chronotope/chrono#578

 Allow multiple versions of the same package
  (package dependencies require this)

 Adds "oci" to src/libs workplace

 Adds Apache-2.0 license to workplace modules that did not have them
 because cargo-deny complains about them not having licenses.

Notes
GitHub Actions does not have an obvious way to loop over each of the
Cargo.toml files, so they have been hardcoded as separate steps. An
alternative that works is to use a matrix variable to run each
directory in a separate job. I opted not to do that because it uses a
bunch of runners and generates a lot of jobs, but open to feedback.

Signed-off-by: Derek Lee <derlee@redhat.com>
  • Loading branch information
Derek Lee committed Jul 21, 2022
1 parent 0a9c8ca commit 5bfe48d
Show file tree
Hide file tree
Showing 21 changed files with 400 additions and 212 deletions.
85 changes: 85 additions & 0 deletions .github/cargo-deny-composite-action/action.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
name: 'Cargo Crates Check'
description: 'Checks every Cargo.toml file using cargo-deny'
inputs:
command:
description: Either 'advisories' or 'bans licenses sources'
required: true

runs:
using: "composite"
steps:
- uses: actions/checkout@v3
path: ./cargo-deny-action-copy/
# https://github.com/actions/runner/issues/1300

- name: src/agent/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/agent/Cargo.toml
command: check ${{ inputs.command }}

- name: src/agent/rustjail/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/agent/rustjail/Cargo.toml
command: check ${{ inputs.command }}

- name: src/agent/vsock-exporter/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/agent/vsock-exporter/Cargo.toml
command: check ${{ inputs.command }}

- name: src/libs/logging/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/libs/logging/Cargo.toml
command: check ${{ inputs.command }}

- name: src/libs/oci/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/libs/oci/Cargo.toml
command: check ${{ inputs.command }}

- name: src/libs/protocols/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/libs/protocols/Cargo.toml
command: check ${{ inputs.command }}

- name: src/libs/safe-path/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/libs/safe-path/Cargo.toml
command: check ${{ inputs.command }}

- name: src/libs/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/libs/Cargo.toml
command: check ${{ inputs.command }}

- name: src/tools/agent-ctl/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/tools/agent-ctl/Cargo.toml
command: check ${{ inputs.command }}

- name: src/tools/runk/libcontainer/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/tools/runk/libcontainer/Cargo.toml
command: check ${{ inputs.command }}

- name: src/tools/runk/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/tools/runk/Cargo.toml
command: check ${{ inputs.command }}

- name: src/tools/trace-forwarder/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path src/tools/trace-forwarder/Cargo.toml
command: check ${{ inputs.command }}
87 changes: 87 additions & 0 deletions .github/cargo-deny-composite-action/cargo-deny-action.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
name: Cargo Crates Check
on: [pull_request]
jobs:
cargo-deny:
runs-on: ubuntu-latest
strategy:
matrix:
checks:
- advisories
- bans licenses sources

continue-on-error: true

steps:
- uses: actions/checkout@v3

- name: src/agent/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/agent/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/agent/rustjail/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/agent/rustjail/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/agent/vsock-exporter/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/agent/vsock-exporter/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/libs/logging/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/libs/logging/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/libs/oci/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/libs/oci/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/libs/protocols/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/libs/protocols/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/libs/safe-path/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/libs/safe-path/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/libs/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/libs/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/tools/agent-ctl/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/tools/agent-ctl/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/tools/runk/libcontainer/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/tools/runk/libcontainer/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/tools/runk/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/tools/runk/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/tools/trace-forwarder/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/tools/trace-forwarder/Cargo.toml
command: check ${{ matrix.checks }}
24 changes: 24 additions & 0 deletions .github/cargo-deny-composite-action/cargo-deny-generator.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
#!/bin/bash
script_dir=$(dirname "$(readlink -f "$0")")
parent_dir=$(realpath "${script_dir}/../..")
cargo_tomls=$(find "${parent_dir}" -name Cargo.toml)

temp_checkout_dir="./cargo-deny-action-copy"

cargo_deny_file="${script_dir}/action.yaml"

cat cargo-deny-skeleton.yaml.in > "${cargo_deny_file}"

for path in $cargo_tomls
do
path=$(realpath --relative-to="${parent_dir}" "${path}")

cat >> "${cargo_deny_file}" << EOF
- name: ${path}
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ${path}
command: check \${{ inputs.command }}
EOF
done
14 changes: 14 additions & 0 deletions .github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
name: 'Cargo Crates Check'
description: 'Checks every Cargo.toml file using cargo-deny'
inputs:
command:
description: Either 'advisories' or 'bans licenses sources'
required: true

runs:
using: "composite"
steps:
- uses: actions/checkout@v3
path: ./cargo-deny-action-copy/
# https://github.com/actions/runner/issues/1300

90 changes: 90 additions & 0 deletions .github/workflows/.old-cargo-deny.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
name: Cargo Crates Check
on: [pull_request]
jobs:
cargo-deny:
runs-on: ubuntu-latest
strategy:
matrix:
checks:
- advisories
- bans licenses sources

continue-on-error: true

# Github Actions does not have a clean way of looping
# Could use matrix, but leads to 12+ jobs being run separately

steps:
- uses: actions/checkout@v2

- name: src/agent/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/agent/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/agent/rustjail/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/agent/rustjail/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/agent/vsock-exporter/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/agent/vsock-exporter/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/libs/logging/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/libs/logging/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/libs/oci/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/libs/oci/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/libs/protocols/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/libs/protocols/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/libs/safe-path/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/libs/safe-path/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/libs/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/libs/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/tools/agent-ctl/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/tools/agent-ctl/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/tools/runk/libcontainer/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/tools/runk/libcontainer/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/tools/runk/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/tools/runk/Cargo.toml
command: check ${{ matrix.checks }}

- name: src/tools/trace-forwarder/Cargo.toml
uses: EmbarkStudios/cargo-deny-action@v1
with:
arguments: --manifest-path ./src/tools/trace-forwarder/Cargo.toml
command: check ${{ matrix.checks }}
20 changes: 20 additions & 0 deletions .github/workflows/cargo-deny-master.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: Cargo Crates Check
on: [pull_request]
jobs:
cargo-deny-master:
runs-on: ubuntu-latest
strategy:
matrix:
checks:
- advisories
- bans licenses sources

continue-on-error: ${{ matrix.checks == 'advisories' }}

steps:
- uses: actions/checkout@v3
- run: bash cargo-deny-generator.sh
working-directory: ./.github/cargo-deny-composite-action/
- uses: ./.github/cargo-deny-composite-action
with:
command: ${{ matrix.checks }}
34 changes: 0 additions & 34 deletions .github/workflows/cargo-deny.yaml

This file was deleted.

Loading

0 comments on commit 5bfe48d

Please sign in to comment.