
Commit 9a0975f

authored
Fix CI security audit permissions and ignore transitive advisories (#7)
* fix(ci): add issues write permission for security audit * chore: ignore unmaintained transitive dependency advisories - RUSTSEC-2024-0384 (instant): from iggy -> reqwest-retry -> parking_lot v0.11 - RUSTSEC-2025-0134 (rustls-pemfile): from testcontainers -> bollard (dev-dep) Both are transitive dependencies we cannot directly update. Upstream packages need to release updates. * docs: update changelog with CI fix and security advisory ignores
1 parent 7da158d commit 9a0975f


3 files changed

+214
-194
lines changed


.github/workflows/ci.yml

Lines changed: 193 additions & 192 deletions
@@ -6,202 +6,203 @@
66
name: CI
77

88
on:
9-
push:
10-
branches: [main, develop]
11-
pull_request:
12-
branches: [main]
13-
schedule:
14-
# Run every Monday at 2:00 AM UTC to catch dependency issues early
15-
- cron: "0 2 * * 1"
9+
push:
10+
branches: [main, develop]
11+
pull_request:
12+
branches: [main]
13+
schedule:
14+
# Run every Monday at 2:00 AM UTC to catch dependency issues early
15+
- cron: "0 2 * * 1"
1616

1717
env:
18-
CARGO_TERM_COLOR: always
19-
RUST_BACKTRACE: 1
20-
# Minimum supported Rust version
21-
MSRV: "1.90.0"
18+
CARGO_TERM_COLOR: always
19+
RUST_BACKTRACE: 1
20+
# Minimum supported Rust version
21+
MSRV: "1.90.0"
2222

2323
# Cancel in-progress runs for the same branch
2424
concurrency:
25-
group: ${{ github.workflow }}-${{ github.ref }}
26-
cancel-in-progress: true
25+
group: ${{ github.workflow }}-${{ github.ref }}
26+
cancel-in-progress: true
2727

2828
jobs:
29-
# ==========================================================================
30-
# Formatting check (fast, run first)
31-
# ==========================================================================
32-
fmt:
33-
name: Rustfmt
34-
runs-on: ubuntu-latest
35-
steps:
36-
- uses: actions/checkout@v4
37-
- uses: dtolnay/rust-toolchain@nightly
38-
with:
39-
components: rustfmt
40-
- name: Check formatting
41-
run: cargo fmt --all -- --check
42-
43-
# ==========================================================================
44-
# Clippy linting
45-
# ==========================================================================
46-
clippy:
47-
name: Clippy
48-
runs-on: ubuntu-latest
49-
steps:
50-
- uses: actions/checkout@v4
51-
- uses: dtolnay/rust-toolchain@stable
52-
with:
53-
components: clippy
54-
- uses: Swatinem/rust-cache@v2
55-
- name: Run Clippy
56-
run: cargo clippy --all-targets --all-features -- -D warnings
57-
58-
# ==========================================================================
59-
# Test matrix across OS and Rust versions
60-
# ==========================================================================
61-
test:
62-
name: Test (${{ matrix.os }}, ${{ matrix.rust }})
63-
runs-on: ${{ matrix.os }}
64-
needs: [fmt]
65-
strategy:
66-
fail-fast: false
67-
matrix:
68-
os: [ubuntu-latest, macos-latest, windows-latest]
69-
rust: [stable, beta]
70-
include:
71-
# MSRV check on Ubuntu only
72-
- os: ubuntu-latest
73-
rust: "1.90.0"
74-
steps:
75-
- uses: actions/checkout@v4
76-
- uses: dtolnay/rust-toolchain@master
77-
with:
78-
toolchain: ${{ matrix.rust }}
79-
- uses: Swatinem/rust-cache@v2
80-
with:
81-
key: ${{ matrix.os }}-${{ matrix.rust }}
82-
83-
- name: Build
84-
run: cargo build --all-features
85-
86-
- name: Run unit tests
87-
run: cargo test --lib --all-features
88-
89-
- name: Run doc tests
90-
run: cargo test --doc --all-features
91-
92-
# ==========================================================================
93-
# Integration tests (requires Docker for testcontainers)
94-
# ==========================================================================
95-
integration:
96-
name: Integration Tests
97-
runs-on: ubuntu-latest
98-
needs: [fmt, clippy]
99-
steps:
100-
- uses: actions/checkout@v4
101-
- uses: dtolnay/rust-toolchain@stable
102-
- uses: Swatinem/rust-cache@v2
103-
104-
- name: Run integration tests
105-
run: cargo test --test '*' --all-features
106-
env:
107-
# Testcontainers will pull and run Iggy server automatically
108-
TESTCONTAINERS: true
109-
110-
# ==========================================================================
111-
# Code coverage
112-
# ==========================================================================
113-
coverage:
114-
name: Code Coverage
115-
runs-on: ubuntu-latest
116-
needs: [test]
117-
steps:
118-
- uses: actions/checkout@v4
119-
- uses: dtolnay/rust-toolchain@stable
120-
with:
121-
components: llvm-tools-preview
122-
- uses: Swatinem/rust-cache@v2
123-
124-
- name: Install cargo-llvm-cov
125-
uses: taiki-e/install-action@cargo-llvm-cov
126-
127-
- name: Generate coverage report
128-
run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info
129-
130-
- name: Upload coverage to Codecov
131-
uses: codecov/codecov-action@v4
132-
with:
133-
files: lcov.info
134-
fail_ci_if_error: false
135-
env:
136-
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
137-
138-
# ==========================================================================
139-
# Documentation build
140-
# ==========================================================================
141-
docs:
142-
name: Documentation
143-
runs-on: ubuntu-latest
144-
steps:
145-
- uses: actions/checkout@v4
146-
- uses: dtolnay/rust-toolchain@stable
147-
- uses: Swatinem/rust-cache@v2
148-
149-
- name: Build documentation
150-
run: cargo doc --no-deps --all-features
151-
env:
152-
RUSTDOCFLAGS: -D warnings
153-
154-
# ==========================================================================
155-
# Security audit
156-
# ==========================================================================
157-
audit:
158-
name: Security Audit
159-
runs-on: ubuntu-latest
160-
permissions:
161-
checks: write
162-
contents: read
163-
steps:
164-
- uses: actions/checkout@v4
165-
- uses: rustsec/audit-check@v2
166-
with:
167-
token: ${{ secrets.GITHUB_TOKEN }}
168-
169-
# ==========================================================================
170-
# Dependency license check
171-
# ==========================================================================
172-
licenses:
173-
name: License Check
174-
runs-on: ubuntu-latest
175-
steps:
176-
- uses: actions/checkout@v4
177-
- uses: dtolnay/rust-toolchain@stable
178-
- uses: Swatinem/rust-cache@v2
179-
180-
- name: Install cargo-deny
181-
uses: taiki-e/install-action@cargo-deny
182-
183-
- name: Check licenses
184-
run: cargo deny check licenses
185-
continue-on-error: true # Don't fail CI on license issues, just warn
186-
187-
# ==========================================================================
188-
# Final status check (for branch protection)
189-
# ==========================================================================
190-
ci-success:
191-
name: CI Success
192-
runs-on: ubuntu-latest
193-
needs: [fmt, clippy, test, integration, docs, audit]
194-
if: always()
195-
steps:
196-
- name: Check all jobs passed
197-
run: |
198-
if [[ "${{ needs.fmt.result }}" != "success" ]] || \
199-
[[ "${{ needs.clippy.result }}" != "success" ]] || \
200-
[[ "${{ needs.test.result }}" != "success" ]] || \
201-
[[ "${{ needs.integration.result }}" != "success" ]] || \
202-
[[ "${{ needs.docs.result }}" != "success" ]] || \
203-
[[ "${{ needs.audit.result }}" != "success" ]]; then
204-
echo "One or more jobs failed"
205-
exit 1
206-
fi
207-
echo "All CI checks passed!"
29+
# ==========================================================================
30+
# Formatting check (fast, run first)
31+
# ==========================================================================
32+
fmt:
33+
name: Rustfmt
34+
runs-on: ubuntu-latest
35+
steps:
36+
- uses: actions/checkout@v4
37+
- uses: dtolnay/rust-toolchain@nightly
38+
with:
39+
components: rustfmt
40+
- name: Check formatting
41+
run: cargo fmt --all -- --check
42+
43+
# ==========================================================================
44+
# Clippy linting
45+
# ==========================================================================
46+
clippy:
47+
name: Clippy
48+
runs-on: ubuntu-latest
49+
steps:
50+
- uses: actions/checkout@v4
51+
- uses: dtolnay/rust-toolchain@stable
52+
with:
53+
components: clippy
54+
- uses: Swatinem/rust-cache@v2
55+
- name: Run Clippy
56+
run: cargo clippy --all-targets --all-features -- -D warnings
57+
58+
# ==========================================================================
59+
# Test matrix across OS and Rust versions
60+
# ==========================================================================
61+
test:
62+
name: Test (${{ matrix.os }}, ${{ matrix.rust }})
63+
runs-on: ${{ matrix.os }}
64+
needs: [fmt]
65+
strategy:
66+
fail-fast: false
67+
matrix:
68+
os: [ubuntu-latest, macos-latest, windows-latest]
69+
rust: [stable, beta]
70+
include:
71+
# MSRV check on Ubuntu only
72+
- os: ubuntu-latest
73+
rust: "1.90.0"
74+
steps:
75+
- uses: actions/checkout@v4
76+
- uses: dtolnay/rust-toolchain@master
77+
with:
78+
toolchain: ${{ matrix.rust }}
79+
- uses: Swatinem/rust-cache@v2
80+
with:
81+
key: ${{ matrix.os }}-${{ matrix.rust }}
82+
83+
- name: Build
84+
run: cargo build --all-features
85+
86+
- name: Run unit tests
87+
run: cargo test --lib --all-features
88+
89+
- name: Run doc tests
90+
run: cargo test --doc --all-features
91+
92+
# ==========================================================================
93+
# Integration tests (requires Docker for testcontainers)
94+
# ==========================================================================
95+
integration:
96+
name: Integration Tests
97+
runs-on: ubuntu-latest
98+
needs: [fmt, clippy]
99+
steps:
100+
- uses: actions/checkout@v4
101+
- uses: dtolnay/rust-toolchain@stable
102+
- uses: Swatinem/rust-cache@v2
103+
104+
- name: Run integration tests
105+
run: cargo test --test '*' --all-features
106+
env:
107+
# Testcontainers will pull and run Iggy server automatically
108+
TESTCONTAINERS: true
109+
110+
# ==========================================================================
111+
# Code coverage
112+
# ==========================================================================
113+
coverage:
114+
name: Code Coverage
115+
runs-on: ubuntu-latest
116+
needs: [test]
117+
steps:
118+
- uses: actions/checkout@v4
119+
- uses: dtolnay/rust-toolchain@stable
120+
with:
121+
components: llvm-tools-preview
122+
- uses: Swatinem/rust-cache@v2
123+
124+
- name: Install cargo-llvm-cov
125+
uses: taiki-e/install-action@cargo-llvm-cov
126+
127+
- name: Generate coverage report
128+
run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info
129+
130+
- name: Upload coverage to Codecov
131+
uses: codecov/codecov-action@v4
132+
with:
133+
files: lcov.info
134+
fail_ci_if_error: false
135+
env:
136+
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
137+
138+
# ==========================================================================
139+
# Documentation build
140+
# ==========================================================================
141+
docs:
142+
name: Documentation
143+
runs-on: ubuntu-latest
144+
steps:
145+
- uses: actions/checkout@v4
146+
- uses: dtolnay/rust-toolchain@stable
147+
- uses: Swatinem/rust-cache@v2
148+
149+
- name: Build documentation
150+
run: cargo doc --no-deps --all-features
151+
env:
152+
RUSTDOCFLAGS: -D warnings
153+
154+
# ==========================================================================
155+
# Security audit
156+
# ==========================================================================
157+
audit:
158+
name: Security Audit
159+
runs-on: ubuntu-latest
160+
permissions:
161+
checks: write
162+
contents: read
163+
issues: write
164+
steps:
165+
- uses: actions/checkout@v4
166+
- uses: rustsec/audit-check@v2
167+
with:
168+
token: ${{ secrets.GITHUB_TOKEN }}
169+
170+
# ==========================================================================
171+
# Dependency license check
172+
# ==========================================================================
173+
licenses:
174+
name: License Check
175+
runs-on: ubuntu-latest
176+
steps:
177+
- uses: actions/checkout@v4
178+
- uses: dtolnay/rust-toolchain@stable
179+
- uses: Swatinem/rust-cache@v2
180+
181+
- name: Install cargo-deny
182+
uses: taiki-e/install-action@cargo-deny
183+
184+
- name: Check licenses
185+
run: cargo deny check licenses
186+
continue-on-error: true # Don't fail CI on license issues, just warn
187+
188+
# ==========================================================================
189+
# Final status check (for branch protection)
190+
# ==========================================================================
191+
ci-success:
192+
name: CI Success
193+
runs-on: ubuntu-latest
194+
needs: [fmt, clippy, test, integration, docs, audit]
195+
if: always()
196+
steps:
197+
- name: Check all jobs passed
198+
run: |
199+
if [[ "${{ needs.fmt.result }}" != "success" ]] || \
200+
[[ "${{ needs.clippy.result }}" != "success" ]] || \
201+
[[ "${{ needs.test.result }}" != "success" ]] || \
202+
[[ "${{ needs.integration.result }}" != "success" ]] || \
203+
[[ "${{ needs.docs.result }}" != "success" ]] || \
204+
[[ "${{ needs.audit.result }}" != "success" ]]; then
205+
echo "One or more jobs failed"
206+
exit 1
207+
fi
208+
echo "All CI checks passed!"
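Review bot: The new `issues: write` is correctly scoped to the `audit` job, but the workflow still declares no top-level `permissions:` block, so every other job (`test`, `integration`, `coverage`, `docs`, `licenses`) runs with the repository's default GITHUB_TOKEN scope, which on many repositories is read/write; add `permissions:` / `  contents: read` at workflow level next to `env:` and `concurrency:` so the grants inside `audit` become the only elevation — unless file lines 1–5, which lie outside this hunk, already set one. Every third-party action is referenced by a mutable ref (`actions/checkout@v4`, `Swatinem/rust-cache@v2`, `taiki-e/install-action@cargo-llvm-cov`, `dtolnay/rust-toolchain@master`/`@nightly`), and `codecov/codecov-action@v4` is handed `secrets.CODECOV_TOKEN`, so a moved tag or compromised branch could read that secret; pin each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v4`. Every indented line of the file appears on both sides with identical text, so this hunk is presumably a whitespace, indentation or line-ending rewrite that the rendered view does not show; a `yamllint` pass on the new file would confirm the indentation is consistent. The commit message says RUSTSEC-2024-0384 and RUSTSEC-2025-0134 are ignored, but the ignore list is not in this section, so confirm it lives in a file `rustsec/audit-check` actually reads (such as `.cargo/audit.toml`) and give each entry a reason and a re-check date so the unmaintained-dependency exceptions do not become permanent.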
