Skip to content

ci: bump google/osv-scanner from 1.8.4 to 1.8.5 #18503

ci: bump google/osv-scanner from 1.8.4 to 1.8.5

ci: bump google/osv-scanner from 1.8.4 to 1.8.5 #18503

Workflow file for this run

name: All
permissions:
contents: read
on:
merge_group:
pull_request:
push:
branches:
- develop
workflow_dispatch:
inputs:
commit_sha:
description: Git commit sha, on which, to run this workflow
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
cancel-in-progress: true
defaults:
run:
shell: bash
jobs:
lint_commits:
name: All - lint_commits
runs-on: ubuntu-20.04
# We assume that commit 2fd0d36fe6ae0c2d527368683ec3a6352617b381 will be in the history
# of all commits based on ockam develop branch
# https://github.com/build-trust/ockam/commit/2fd0d36fe6ae0c2d527368683ec3a6352617b381
env:
FIRST_COMMIT: 2fd0d36fe6ae0c2d527368683ec3a6352617b381
CONTRIBUTORS_CSV_PATH: .github/CONTRIBUTORS.csv
COMMITLINT_CONFIG_PATH: tools/commitlint/commitlint.config.js
steps:
- name: Check Commit Lint
uses: build-trust/.github/actions/commit_lint@0455ed96606ee7021639e74a1ae0289a30e33d86
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
lint_editorconfig:
name: All - lint_editorconfig
runs-on: ubuntu-20.04
container: # gitlab.com/greut/eclint
image: greut/eclint:v0.3.3@sha256:95e9a3dcbd236bae6569625cd403175cbde3705303774e7baca418b6442b8d77
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
ref: ${{ github.event.inputs.commit_sha }}
- shell: sh
run: eclint -color=always
# Semgrep is a static analysis tool to lint code for patterns we want to forbid
# https://github.com/returntocorp/semgrep
lint_semgrep:
name: All - lint_semgrep
runs-on: ubuntu-20.04
container:
image: returntocorp/semgrep@sha256:2fd35fa409f209e0fea0c2d72cf1e5b801a607959a93b13d04822bb3b6a9dfe4
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
ref: ${{ github.event.inputs.commit_sha }}
- name: Run Semgrep
# Bash is not available in the specified docker image of semgrep
shell: sh
# .semgrepignore is not processed outside of working directory. See https://github.com/returntocorp/semgrep/issues/5669
run: |
mv tools/semgrep/.semgrepignore . & \
semgrep --verbose --config="r2c" --config="tools/semgrep/rules/example.yaml"
# Check notice file for update
notice_update:
name: All - notice_update
runs-on: ubuntu-20.04
steps:
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@da36cb69b1c3247ad7a1f931ebfd954a1105ef14
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Update Notice File
shell: nix shell nixpkgs#jq nixpkgs#cargo-deny --command bash {0}
run: make notice_file_update
- name: Fail if notice update needed
shell: bash
run: |
set -ex
git diff --exit-code NOTICE.md &> /dev/null || \
{ \
echo "NOTICE file outdated"; \
git diff;
exit 1; \
}
check_crates:
runs-on: ubuntu-latest
name: All - check_crates
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y jq
- name: Install Rust
uses: actions-rs/toolchain@88dc2356392166efad76775c878094f4e83ff746
with:
toolchain: stable
profile: minimal
override: true
- name: Install tomlq
run: cargo install --locked tomlq --version 0.1.0
- name: Check for CHANGELOG.md
run: |
for crate in $(find implementations/rust/ockam -name Cargo.toml); do
dir=$(dirname $crate)
if [ ! -f "$dir/CHANGELOG.md" ]; then
echo "Error: $dir/CHANGELOG.md is missing"
exit 1
fi
done
- name: Check for README.md
run: |
for crate in $(find implementations/rust/ockam -name Cargo.toml); do
dir=$(dirname $crate)
if [ ! -f "$dir/README.md" ]; then
echo "Error: $dir/README.md is missing"
exit 1
fi
done
- name: Validate Cargo.toml categories
run: |
allowed_categories="
accessibility
aerospace
drones
protocols
simulation
space-protocols
unmanned-aerial-vehicles
algorithms
api-bindings
asynchronous
authentication
caching
command-line-interface
command-line-utilities
compilers
compression
computer-vision
concurrency
config
cryptography
cryptocurrencies
data-structures
database
database-implementations
date-and-time
development-tools
build-utils
cargo-plugins
debugging
ffi
procedural-macro-helpers
profiling
testing
email
embedded
emulators
encoding
external-ffi-bindings
filesystem
finance
game-development
game-engines
games
graphics
gui
hardware-support
internationalization
localization
mathematics
memory-management
multimedia
audio
encoding
images
video
network-programming
no-std
no-std::no-alloc
os
android-apis
freebsd-apis
linux-apis
macos-apis
unix-apis
windows-apis
parser-implementations
parsing
rendering
rendering::data-formats
rendering::engine
rendering::graphics-api
rust-patterns
science
bioinformatics
genomics
proteomics
sequence-analysis
geo
neuroscience
robotics
simulation
template-engine
text-editors
text-processing
value-formatting
virtualization
visualization
wasm
web-programming
http-client
http-server
websocket
"
for crate in $(find implementations/rust/ockam -name Cargo.toml); do
categories=$(tomlq package.categories -f "$crate" | jq -r '.[]')
for category in $categories; do
if ! echo "$allowed_categories" | grep -q "$category"; then
echo "Error: $crate contains invalid category $category"
exit 1
fi
done
done
- name: Check Cargo.toml To Ensure That All 3rd Party Crates Have Specified Versions
run: |
set -ex
cargo install [email protected]
regex="^[\^|=]*[0-9]+(\.[0-9]+)*(\.[0-9]+)*"
for crate in $(find implementations/rust/ockam -name Cargo.toml); do
deps=$(toml2json <<< cat "$crate" | jq -r '.dependencies')
dev_deps=$(toml2json <<< cat "$crate" | jq -r ".\"dev-dependencies\"")
dependencies=$(echo "$deps $dev_deps" | jq -s add)
dependencies=$(toml2json <<< cat "$crate" | jq -r '.dependencies')
dependencies_keys=$(echo $dependencies | jq -r 'keys')
dependencies_keys_len=$(echo $dependencies | jq -r 'keys | length')
for ((i=0; i<$dependencies_keys_len; i++)); do
crate_name=$(jq -r ".[$i]" <<< $dependencies_keys)
version=$(jq -r ".\"$crate_name\".version" <<< $dependencies || jq -r ".\"$crate_name\"" <<< $dependencies)
if [[ $version =~ $regex ]]; then
echo "crate_name: $crate_name"
echo "version: $version"
else
echo "No version found for $crate_name $version in crate $crate"
exit 1
fi
done
done