---
# Lint workflow: rustfmt, clippy (exported as SARIF) and spell checking.
name: Linters

# Workflow-wide default for GITHUB_TOKEN: read-only repository contents.
# A job that needs more has to request it in its own `permissions` block.
permissions:
  contents: read

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
    # Pull-request runs are limited to changes that touch these paths.
    paths:
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '.github/workflows/linters.yml'
      - 'openstack_cli/**'
      - 'openstack_sdk/**'
      - 'openstack_tui/**'
      - 'openstack_types/**'
      - 'fuzz/**'

# One active run per workflow and pull request (per commit SHA when the
# event carries no pull request); a newer run cancels the one in progress.
concurrency:
  group: '${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}'
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always
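jobs:
  # Formatting check only; inherits the workflow-level read-only token.
  rustfmt:
    name: Run rustfmt on the latest supported toolchain
    runs-on: ubuntu-latest
    steps:
      # `audit` records outbound traffic but does not block it. Enforcing
      # an allow-list needs `egress-policy: block` with allowed endpoints.
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # Same setting as the clippy job: do not leave the token in
          # .git/config, since no step in this job uses git afterwards.
          persist-credentials: false
      - name: Install Rust
        uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
        with:
          toolchain: stable
          components: rustfmt
      - name: Run rustfmt
        run: cargo fmt -- --check

  # Builds and lints the code under review and hands the findings on as
  # an artifact, so this job never needs a write-scoped token.
  # NOTE(review): the job name says "minimum supported toolchain" but the
  # Install Rust step requests `stable`; confirm which one is intended.
  clippy:
    name: Run clippy on the minimum supported toolchain
    runs-on: ubuntu-latest
    # Read-only token: this job compiles pull-request code, which may
    # come from a fork, so it is given no write scopes.
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libudev-dev
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # On pull requests this selects the PR head commit. On push the
          # expression is empty and checkout falls back to its default.
          ref: ${{ github.event.pull_request.head.sha }}
          # Keep the token out of .git/config before PR code is built.
          persist-credentials: false
      - name: Ensure bash is installed
        run: sudo apt-get update && sudo apt-get install -y bash
      - name: Install Rust
        uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921 # stable
        with:
          toolchain: stable
          components: rustfmt, clippy
      - name: Install cargo-binstall
        uses: taiki-e/install-action@f37a1e4d34f3e1c6a571e294b0258f2805eab48d # v2.58.4
        with:
          tool: cargo-binstall
      # NOTE(review): clippy-sarif and sarif-fmt are installed without a
      # version, unlike the SHA-pinned actions in this file. Pinning them
      # (`crate@version`) would make the produced SARIF reproducible.
      - name: Install required cargo
        run: cargo binstall clippy-sarif sarif-fmt --force
      # The folded scalar below is a single shell pipeline.
      # NOTE(review): no `shell:` is set, so the step's exit status is
      # that of the last command (sarif-fmt); a failing `cargo clippy`
      # does not fail the job unless pipefail is enabled. Confirm that
      # report-only behaviour is what is wanted here.
      - name: Run rust-clippy
        run: >-
          cargo clippy
          --lib --tests
          --all-features
          --message-format=json | ${CARGO_HOME}/bin/clippy-sarif | tee rust-clippy-results.sarif | ${CARGO_HOME}/bin/sarif-fmt
      - name: Upload SARIF as artifact (so a separate, trusted job can upload to GitHub)
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: rust-clippy-results
          path: rust-clippy-results.sarif

  # Publishes the clippy SARIF to code scanning. This is the only job
  # with a write scope, and it runs none of the project's build steps.
  # The display name mentions CodeQL, but the file comes from clippy.
  upload-sarif:
    name: Upload CodeQL results
    needs: clippy
    runs-on: ubuntu-latest
    # Grant the write permission only to this job (trusted execution).
    permissions:
      contents: read
      security-events: write
    # Only run the upload for trusted contexts:
    # - pushes (e.g. push to main)
    # - pull requests whose head repository is not a fork
    if: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # This job holds `security-events: write`; do not store its
          # token in .git/config. No `run` step here uses git.
          persist-credentials: false
      # The artifact is written by the clippy job, which executed the
      # code under review; the `if:` gate above limits that to pushes
      # and same-repository pull requests. It is extracted into the
      # workspace on top of the checkout.
      - name: Download SARIF artifact
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: rust-clippy-results
          path: .
      - name: Upload analysis results to GitHub
        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
        with:
          sarif_file: rust-clippy-results.sarif
          wait-for-processing: true

  # Spell check; inherits the workflow-level read-only token.
  typos:
    name: Spell Check with Typos
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - name: Checkout Actions Repository
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # Same setting as the clippy job: the spell check only reads
          # files, so the token is not kept in .git/config.
          persist-credentials: false
      - name: Check for typos
        uses: crate-ci/typos@93cbdb2d23269548cf0db0f74d0bc6a09a3f0d5c # v1.43.0
        with:
          config: typos.toml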