Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: use cargo deny #6931

Merged
merged 2 commits into from
Oct 23, 2024
Merged

ci: use cargo deny #6931

merged 2 commits into from
Oct 23, 2024

Conversation

Darksonn
Copy link
Contributor

The rustsec audit check is not working anymore due to a Cargo.lock requirement. Update to cargo deny instead.

I'm not completely sure about this configuration. Ideally, we want advisories to result in an issue being opened, rather than in failing CI on random PRs. Thoughts?

@Darksonn Darksonn added the A-ci Area: The continuous integration setup label Oct 23, 2024
@Darksonn Darksonn requested review from djc and taiki-e October 23, 2024 09:58
@mox692
Copy link
Member

mox692 commented Oct 23, 2024

I think it could make sense to change the pr-audit settings as well

- name: Audit dependencies
run: cargo audit

@Darksonn
Copy link
Contributor Author

Oh I was not aware we had two jobs for this ...

.github/workflows/audit.yml Outdated Show resolved Hide resolved
benches/Cargo.toml Show resolved Hide resolved
{ allow = ["Unicode-DFS-2016"], crate = "unicode-ident" },
]

[bans]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't usually have bans and sources sections, are the defaults not good enough?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's spamming warnings about some duplicate versions of windows-sys.

@djc
Copy link
Contributor

djc commented Oct 23, 2024

I'm not completely sure about this configuration. Ideally, we want advisories to result in an issue being opened, rather than in failing CI on random PRs. Thoughts?

Understandable, but I usually just set it up like this. In most repositories it's not a big deal. Not sure how common yanking is in your dependency chain?

@Darksonn
Copy link
Contributor Author

I mean, it's fine if we can't have it make issues, but I'd like to do that if it's just a config option away.

Copy link
Member

@taiki-e taiki-e left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the change to private crates can be avoided with adding private.ignore = true to [licenses] and allow-wildcard-paths = true to [bans], but I'm fine with this as it is.

Comment on lines 17 to +20
permissions:
checks: write # for rustsec/audit-check to create check
contents: read # for actions/checkout to fetch code
issues: write # for rustsec/audit-check to create issues
checks: write
contents: read
issues: write
Copy link
Member

@taiki-e taiki-e Oct 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EmbarkStudios/cargo-deny-action action does not seem create issues (EmbarkStudios/cargo-deny-action#64), so these permissions are probably not needed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, not like the rustsec one has ever created an issue ...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(The last time rustsec action created an issue in this repository was two years ago, which IIRC was before fine-grained permission settings in GitHub actions were supported.)
https://github.com/tokio-rs/tokio/issues?q=is%3Aissue+author%3Aapp%2Fgithub-actions

@@ -16,17 +16,8 @@ permissions:
contents: read

jobs:
security-audit:
cargo-deny:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are doing the same thing with both files, I think it would be better to merge them.

Copy link
Contributor Author

@Darksonn Darksonn Oct 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The docs recommend using this:

name: CI
on: [push, pull_request]
jobs:
  cargo-deny:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        checks:
          - advisories
          - bans licenses sources

    # Prevent sudden announcement of a new advisory from failing ci:
    continue-on-error: ${{ matrix.checks == 'advisories' }}

    steps:
    - uses: actions/checkout@v3
    - uses: EmbarkStudios/cargo-deny-action@v1
      with:
        command: check ${{ matrix.checks }}

Perhaps we should do this in the toml for master, but keep it as-is on PRs?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should do this in the toml for master, but keep it as-is on PRs?

Hmm. This will cause the advisory to be ignored until someone next opens a PR that edits Cargo.toml, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess that depends on whether we get an email on error ...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have an image that continue-on-error treats failures the same as successes, but in practice I have rarely used it.

https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, this PR is sufficient as-is to address the problem of broken CI, so I think it is fine to leave the fine tuning to future PRs.

runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'ci skip')"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We never used that 🤷‍♀️

@Darksonn Darksonn merged commit ebe2416 into master Oct 23, 2024
82 checks passed
@Darksonn Darksonn deleted the cargo-deny branch October 23, 2024 16:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-ci Area: The continuous integration setup
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants