chore(deps): update linting #1227
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security audit | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-server | |
| cancel-in-progress: true | |
| on: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| permissions: {} | |
| jobs: | |
| zizmor: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| contents: read | |
| actions: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: { persist-credentials: false } | |
| - name: Run zizmor | |
| uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1 | |
| cargo-audit: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| issues: write | |
| checks: write | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: { persist-credentials: false } | |
| - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| ignore: RUSTSEC-2023-0071,RUSTSEC-2024-0363,RUSTSEC-2024-0379,RUSTSEC-2024-0384,RUSTSEC-2024-0421,RUSTSEC-2025-0004,RUSTSEC-2025-0006,RUSTSEC-2025-0134 | |
| # RUSTSEC-2024-0421 = idna accepts Punycode labels that do not produce any non-ASCII when decoded => not used explitably | |
| # RUSTSEC-2024-0379 = unsoundness in fast-float => only used in intialisation logic, fix in polars is in main and is awaiting release | |
| # RUSTSEC-2024-0363 = Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts => caught by maximum request sizes | |
| # RUSTSEC-2023-0071 = Marvin Attack: potential key recovery through timing sidechannels => not used explitably | |
| # RUSTSEC-2025-0004 = ssl::select_next_proto use after free => not used | |
| # RUSTSEC-2025-0006 = Hickory DNS failure to verify self-signed RRSIG for DNSKEYs => not used | |
| # RUSTSEC-2025-0134 = rustls-pemfile is unmaintained, but only used in development dependencies | |
| codeql: | |
| name: CodeQL (${{ matrix.language }}) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # required to fetch internal or private CodeQL packs | |
| packages: read | |
| # only required for workflows in private repositories | |
| actions: read | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: actions | |
| - language: javascript-typescript | |
| - language: rust | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: { persist-credentials: false } | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: none | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| # This final step is needed to mark the whole workflow as successful | |
| # Don't change its name - it is used by the merge protection rules | |
| done: | |
| name: Finished security scan | |
| runs-on: ubuntu-latest | |
| needs: [ zizmor, codeql ] | |
| if: always() | |
| permissions: {} | |
| steps: | |
| - name: Result of the needed steps | |
| run: echo "${{ toJSON(needs) }}" # zizmor: ignore[template-injection] | |
| - if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') }} | |
| name: CI Result | |
| run: exit 1 |