chore(ci): bump mozilla-actions/sccache-action from 0.0.9 to 0.0.10 in the github-actions-all group across 1 directory #347
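# Security-focused CI: supply-chain checks (cargo-deny), an unsafe-code audit of
# the dependency tree (cargo-geiger), an advisory unused-dependency report
# (cargo-udeps) and a scheduled dependency-freshness report (cargo-outdated).
name: CI - Security

on:
  push:
    branches: [main]
    paths:
      - '**.rs'
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      - 'deny.toml'
      - 'supply-chain/**'
      - '.github/workflows/ci-security.yml'
  pull_request:
    branches: [main]
    paths:
      - '**.rs'
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      - 'deny.toml'
      - 'supply-chain/**'
      - '.github/workflows/ci-security.yml'
  workflow_dispatch:
  # Run security checks weekly regardless of changes
  schedule:
    - cron: '0 0 * * 0' # Weekly on Sunday at midnight UTC

# Least privilege for GITHUB_TOKEN: every job below only checks the repository
# out and writes to the step summary / Actions cache, none of which needs a
# write scope on the token.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  # Supply chain security check using cargo-deny
  supply-chain-security:
    name: Supply Chain Security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install cargo-deny
        run: cargo install cargo-deny --locked
      - name: Check advisories
        run: cargo deny check advisories
      - name: Check licenses
        run: cargo deny check licenses
      - name: Check bans
        run: cargo deny check bans
      - name: Check sources
        run: cargo deny check sources

  # Unsafe code audit via cargo-geiger
  # Only runs when dependencies change (Cargo.toml/Cargo.lock) or on schedule/manual trigger
  # Skips entirely on PR/push when only .rs files change (dependencies unchanged)
  unsafe-audit:
    name: Unsafe Code Audit
    runs-on: ubuntu-latest
    # NOTE(review): github.event.commits is part of the push payload only; on
    # pull_request the contains() clauses below compare against an absent value,
    # so this job is presumably skipped on every PR and the dependency audit
    # effectively runs on push/schedule/dispatch — confirm against a PR run.
    if: |
      github.event_name == 'schedule' ||
      github.event_name == 'workflow_dispatch' ||
      contains(toJSON(github.event.commits.*.modified), 'Cargo.toml') ||
      contains(toJSON(github.event.commits.*.modified), 'Cargo.lock') ||
      contains(toJSON(github.event.commits.*.added), 'Cargo.toml') ||
      contains(toJSON(github.event.commits.*.added), 'Cargo.lock')
    steps:
      - uses: actions/checkout@v6
      - name: Install stable toolchain
        # NOTE(review): `@master` is a moving branch ref (same for the other
        # rust-toolchain steps below); pinning third-party actions to a full
        # commit SHA keeps the toolchain installer's contents auditable.
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable
      - name: Install cargo-geiger
        run: cargo install cargo-geiger --locked
      # Build caching is best-effort: a failure to set up or verify sccache must
      # not fail the audit itself, so both steps continue on error.
      - name: Configure sccache
        id: sccache
        uses: mozilla-actions/sccache-action@v0.0.10
        continue-on-error: true
      - name: Verify sccache is working
        id: sccache-check
        if: steps.sccache.outcome == 'success'
        run: ./scripts/ci/verify-sccache.sh
        continue-on-error: true
      # If sccache could not be set up or verified, make sure no half-configured
      # wrapper setting leaks into later steps.
      - name: Clear sccache env on failure
        if: steps.sccache.outcome != 'success' || steps.sccache-check.outcome != 'success'
        run: |
          echo "RUSTC_WRAPPER=" >> "$GITHUB_ENV"
          echo "SCCACHE_GHA_ENABLED=" >> "$GITHUB_ENV"
      - name: Cache cargo registry and build
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: geiger-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            geiger-${{ runner.os }}-cargo-
      # The geiger report is cached per Cargo.lock hash so an unchanged
      # dependency tree is not re-scanned.
      - name: Check cached geiger report
        id: geiger-cache
        uses: actions/cache@v5
        with:
          path: geiger-report.txt
          key: geiger-report-${{ hashFiles('**/Cargo.lock') }}
      - name: Audit unsafe code in dependencies
        if: steps.geiger-cache.outputs.cache-hit != 'true'
        # `|| true` keeps the job alive when geiger itself errors; the verify
        # step below therefore treats a missing report entry as a failure
        # rather than as "no unsafe".
        run: cargo geiger --all-features --lib 2>&1 | tee geiger-report.txt || true
        env:
          # Route rustc through sccache only when the verify step reported it working
          RUSTC_WRAPPER: ${{ steps.sccache-check.outputs.working == 'true' && 'sccache' || '' }}
          SCCACHE_GHA_ENABLED: ${{ steps.sccache-check.outputs.working == 'true' && 'true' || 'false' }}
          SCCACHE_IGNORE_SERVER_IO_ERROR: "1"
          SCCACHE_STARTUP_NOTIFY_TIMEOUT: "60"
          SCCACHE_IDLE_TIMEOUT: "0"
      - name: Display cached geiger report
        if: steps.geiger-cache.outputs.cache-hit == 'true'
        run: |
          echo "Using cached geiger report (dependencies unchanged)"
          cat geiger-report.txt
      - name: Verify no unsafe in library code
        run: |
          # Check that our library has 0 unsafe usage.
          # Fail closed: the report must contain an entry for our crate. The
          # audit step swallows geiger's exit code, so an empty or truncated
          # report must not be mistaken for a clean result.
          if ! line="$(grep -E '^[0-9]+/[0-9]+ .* fortress-rollback([[:space:]]|$)' geiger-report.txt)"; then
            echo "ERROR: geiger report has no entry for fortress-rollback (audit step may have failed)"
            exit 1
          fi
          # Every used/total metric pair on the line must have a zero numerator.
          # Filtering the whole line with `grep -v "0/0"` would hide a line such
          # as "1/1 0/0 ..." because it also contains a zero pair.
          # (Assumes geiger prints its metrics as N/M pairs — confirm against a report.)
          if printf '%s\n' "$line" | grep -Eo '[0-9]+/[0-9]+' | grep -vq '^0/'; then
            echo "ERROR: Unsafe code detected in fortress-rollback library!"
            printf '%s\n' "$line"
            exit 1
          fi
          echo "✓ No unsafe code in fortress-rollback library"

  # Unused dependencies check
  unused-deps:
    name: Unused Dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install nightly toolchain (required for udeps)
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: nightly
      - name: Install cargo-udeps
        uses: ./.github/actions/install-cargo-tool
        with:
          tool: cargo-udeps
      # Best-effort build caching, same pattern as the unsafe-audit job.
      - name: Configure sccache
        id: sccache
        uses: mozilla-actions/sccache-action@v0.0.10
        continue-on-error: true
      - name: Verify sccache is working
        id: sccache-check
        if: steps.sccache.outcome == 'success'
        run: ./scripts/ci/verify-sccache.sh
        continue-on-error: true
      - name: Clear sccache env on failure
        if: steps.sccache.outcome != 'success' || steps.sccache-check.outcome != 'success'
        run: |
          echo "RUSTC_WRAPPER=" >> "$GITHUB_ENV"
          echo "SCCACHE_GHA_ENABLED=" >> "$GITHUB_ENV"
      - name: Cache cargo registry and build
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: udeps-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            udeps-${{ runner.os }}-cargo-
      - name: Check for unused dependencies
        run: cargo +nightly udeps --all-targets
        continue-on-error: true # Warn but don't fail build
        env:
          RUSTC_WRAPPER: ${{ steps.sccache-check.outputs.working == 'true' && 'sccache' || '' }}
          SCCACHE_GHA_ENABLED: ${{ steps.sccache-check.outputs.working == 'true' && 'true' || 'false' }}
          SCCACHE_IGNORE_SERVER_IO_ERROR: "1"
          SCCACHE_STARTUP_NOTIFY_TIMEOUT: "60"
          SCCACHE_IDLE_TIMEOUT: "0"

  # Dependency freshness check
  outdated:
    name: Dependency Freshness
    runs-on: ubuntu-latest
    # Only run on schedule or manual trigger (not on every PR)
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@v6
      - name: Install stable toolchain
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable
      - name: Install cargo-outdated
        uses: ./.github/actions/install-cargo-tool
        with:
          tool: cargo-outdated
      - name: Cache cargo registry
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
          key: outdated-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            outdated-${{ runner.os }}-cargo-
      - name: Check for outdated dependencies
        id: outdated
        run: |
          # Without pipefail the `if` below would see tee's exit status (always 0)
          # instead of cargo-outdated's, and every run would report "up to date".
          set -o pipefail
          {
            echo "## Dependency Freshness Check"
            echo ""
          } >> "$GITHUB_STEP_SUMMARY"
          if cargo outdated --root-deps-only --exit-code 1 2>&1 | tee outdated-report.txt; then
            echo "✅ All direct dependencies are up to date!" >> "$GITHUB_STEP_SUMMARY"
          else
            {
              echo "⚠️ Some dependencies have newer versions available:"
              echo ""
              echo '```'
              cat outdated-report.txt
              echo '```'
            } >> "$GITHUB_STEP_SUMMARY"
          fi
        continue-on-error: true # Advisory, not blocking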