Adds cargo-deny to scan for vulnerabilities and license issues regarding rust crates. GitHub Actions does not have an obvious way to loop over each of the Cargo.toml files. To avoid hardcoding it, I worked around the problem using a composite action that first generates the cargo-deny action by finding all Cargo.toml files before calling this new generated action in the master workflow. Uses the recommended deny.toml from the cargo-deny repo with the following modifications: ignore = ["RUSTSEC-2020-0071"] because chrono is dependent on the version of time with the vulnerability and there is no simple workaround multiple-versions = "allow" Because of the above error and other packages, there are instances where some crates require different versions of a crate. unknown-git = "allow" I don't see a particular issue with allowing crates from other repos. An alternative would be to manually set each repo we want in an allow-git list, but I see this as more of a nuisance than it's worth. We could leave this as a warning (default), but to avoid clutter I'm going to allow it. If deny.toml needs to be edited in the future, here's the guide: https://embarkstudios.github.io/cargo-deny/index.html Fixes #3359 Signed-off-by: Derek Lee <derlee@redhat.com>
#
# Copyright (c) 2018 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
set -o nounset
|
|
|
|
export tests_repo="${tests_repo:-github.com/kata-containers/tests}"
|
|
export tests_repo_dir="$GOPATH/src/$tests_repo"
|
|
export branch="${target_branch:-main}"
# Clones the tests repository and checks out the branch pointed to by
# the global $branch variable.
# If the clone exists and `CI` is exported then it does nothing. Otherwise
# it will clone the repository or `git pull` the latest code.
#
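#######################################
# Clone the tests repository, or refresh an existing clone, and check out
# the branch named by the global $branch.
# Globals:   tests_repo, tests_repo_dir, branch, CI (all read)
# Arguments: none
# Outputs:   pushd/popd directory stack and git output on stdout/stderr
# Returns:   0 on success (or immediately when the clone exists and CI is
#            set); 1 if the clone, directory change, checkout or pull fails
#######################################
clone_tests_repo()
{
	local rc

	if [ -d "$tests_repo_dir" ]; then
		# In CI an existing checkout is provisioned once and left alone.
		[ -n "${CI:-}" ] && return

		# git config --global --add safe.directory will always append
		# the target to .gitconfig without checking the existence of
		# the target, so it's better to check it before adding the target repo.
		# The path is quoted so a directory containing spaces is passed as
		# one argument.
		local sd
		sd="$(git config --global --get safe.directory "${tests_repo_dir}" || true)"
		if [ -z "${sd}" ]; then
			git config --global --add safe.directory "${tests_repo_dir}"
		fi

		# errexit is not enabled: if pushd fails, the checkout and pull
		# below would otherwise run in the caller's own working tree.
		pushd "${tests_repo_dir}" || return 1
		git checkout "${branch}" && git pull
		rc=$?
		popd
		return "${rc}"
	else
		# A failed clone must not be followed by git commands in the
		# caller's directory.
		git clone -q "https://${tests_repo}" "$tests_repo_dir" || return 1
		pushd "${tests_repo_dir}" || return 1
		git checkout "${branch}"
		rc=$?
		popd
		return "${rc}"
	fi
}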
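#######################################
# Run the tests repository's static-checks script from the current working
# tree, forwarding every argument to it.
# Globals:   tests_repo_dir, branch (read)
# Arguments: passed through unchanged to .ci/static-checks.sh
# Returns:   1 if the tests repository cannot be cloned or the target branch
#            cannot be fetched; otherwise the exit status of static-checks.sh
#######################################
run_static_checks()
{
	clone_tests_repo || return 1
	# Make sure we have the targeting branch. errexit is not enabled, so
	# a failed fetch has to be checked explicitly or the checks would run
	# against whatever refs happen to be present.
	git remote set-branches --add origin "${branch}" || return 1
	git fetch -a || return 1
	bash "$tests_repo_dir/.ci/static-checks.sh" "$@"
}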
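#######################################
# Run the documentation URL liveness check from the tests repository against
# the whole kata-containers repository.
# Globals:   tests_repo_dir, branch (read)
# Arguments: none
# Returns:   1 if the tests repository cannot be cloned or the target branch
#            cannot be fetched; otherwise the exit status of static-checks.sh
#######################################
run_docs_url_alive_check()
{
	clone_tests_repo || return 1
	# Make sure we have the targeting branch. errexit is not enabled, so
	# a failed fetch has to be checked explicitly.
	git remote set-branches --add origin "${branch}" || return 1
	git fetch -a || return 1
	bash "$tests_repo_dir/.ci/static-checks.sh" --docs --all "github.com/kata-containers/kata-containers"
}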
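#######################################
# Load the tests repository's CI library and run its
# get_pr_changed_file_details helper in the current working tree.
# Globals:   tests_repo_dir, branch (read); whatever .ci/lib.sh defines is
#            sourced into the calling shell
# Arguments: none
# Returns:   1 if the tests repository cannot be cloned, the target branch
#            cannot be fetched or lib.sh cannot be sourced; otherwise the
#            exit status of get_pr_changed_file_details
#######################################
run_get_pr_changed_file_details()
{
	clone_tests_repo || return 1
	# Make sure we have the targeting branch. errexit is not enabled, so
	# a failed fetch has to be checked explicitly.
	git remote set-branches --add origin "${branch}" || return 1
	git fetch -a || return 1
	# Without this check a missing lib.sh would leave the helper undefined
	# and the next line would fail with a confusing "command not found".
	source "$tests_repo_dir/.ci/lib.sh" || return 1
	get_pr_changed_file_details
}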