github workflows

Signed-off-by: microwavedcola1 <microwavedcola@gmail.com>
2022-02-28 12:58:39 +01:00 · 2022-02-28 12:58:39 +01:00 · ccab3b867f
parent 12d2a9f962
commit ccab3b867f
3 changed files with 173 additions and 0 deletions
--- a/.github/workflows/ci-cargo-audit.yml
+++ b/.github/workflows/ci-cargo-audit.yml
@ -0,0 +1,45 @@
+# CI job for scanning Cargo dependencies for vulnerabilities and report/fail job based on criticality.
+# Critically vulnerable dependencies with fix available will mark the run as failed (X)
+name: Rust Cargo Audit
+
+on:
+  push:
+    branches: master
+  pull_request:
+
+  # Allowing manual runs with ability to choose branch
+  workflow_dispatch:
+
+  # Optimisation option by targeting direct paths to only scan when there are changes to dependencies in the push/PR
+  #  push:
+  #    paths:
+  #      - 'Cargo.toml'
+  #      - 'Cargo.lock'
+  #  pull_request:
+  #    paths:
+  #      - 'Cargo.toml'
+  #      - 'Cargo.lock'
+
+  # Example of running scheduled scans at 6AM UTC every Monday to regularly check for vulnerable dependencies
+  #  schedule:
+  #  - cron: '0 6 * * 1'
+
+# Run the job
+jobs:
+  Cargo-audit:
+    name: Cargo Vulnerability Scanner
+    runs-on: ubuntu-latest
+    steps:
+      # Check out GitHub repo
+      - uses: actions/checkout@v2
+      
+      # Install cargo audit
+      - name: Install Cargo Audit
+        uses: actions-rs/install@v0.1
+        with:
+          crate: cargo-audit
+          version: latest
+
+      # Run cargo audit using args from .cargo/audit.toml (ignores, etc.)
+      - name: Run Cargo Audit
+        run: cargo audit -c always
--- a/.github/workflows/ci-lint-test.yml
+++ b/.github/workflows/ci-lint-test.yml
@ -0,0 +1,72 @@
+name: Lint and Test
+on:
+  push:
+    branches: master
+  pull_request:
+
+env:
+  CARGO_TERM_COLOR: always
+  SOLANA_VERSION: "1.9.5"
+  RUST_TOOLCHAIN: stable
+
+defaults:
+  run:
+    working-directory: ./
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install Rust nightly
+        uses: actions-rs/toolchain@v1
+        with:
+          override: true
+          profile: minimal
+          toolchain: ${{ env.RUST_TOOLCHAIN }}
+          components: rustfmt, clippy
+      - name: Cache dependencies
+        uses: Swatinem/rust-cache@v1
+
+      - name: Run fmt
+        run: cargo fmt -- --check
+      # The style and complexity lints have not been processed yet.
+      - name: Run clippy
+        run: cargo clippy -- --deny=warnings --allow=clippy::style --allow=clippy::complexity
+
+  tests:
+    name: Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install Linux dependencies
+        run: sudo apt-get update && sudo apt-get install -y pkg-config build-essential libudev-dev
+      - name: Install Rust nightly
+        uses: actions-rs/toolchain@v1
+        with:
+          override: true
+          profile: minimal
+          toolchain: ${{ env.RUST_TOOLCHAIN }}
+      - name: Cache dependencies
+        uses: Swatinem/rust-cache@v1
+        
+      # Install Solana
+      - name: Cache Solana binaries
+        uses: actions/cache@v2
+        with:
+          path: ~/.cache/solana
+          key: ${{ runner.os }}-${{ env.SOLANA_VERSION }}
+      - name: Install Solana
+        run: |
+          sh -c "$(curl -sSfL https://release.solana.com/v${{ env.SOLANA_VERSION }}/install)"
+          echo "$HOME/.local/share/solana/install/active_release/bin" >> $GITHUB_PATH
+          export PATH="/home/runner/.local/share/solana/install/active_release/bin:$PATH"
+          solana --version
+          echo "Generating keypair..."
+          solana-keygen new -o "$HOME/.config/solana/id.json" --no-passphrase --silent
+
+      - name: Run bpf tests
+        run: cargo test-bpf
--- a/.github/workflows/ci-soteria.yml
+++ b/.github/workflows/ci-soteria.yml
@ -0,0 +1,56 @@
+name: Soteria Scan
+
+on:
+  push:
+    branches: master
+  pull_request:
+
+env:
+  CARGO_TERM_COLOR: always
+  SOLANA_VERSION: "1.9.5"
+
+jobs:
+  build:
+    name: Soteria
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check-out repo
+        uses: actions/checkout@v2
+
+      - name: Cache Solana binaries
+        uses: actions/cache@v2
+        id: solana-cache
+        with:
+          path: |
+            ~/.cache/solana
+            ~/.local/share/solana
+            ~/.rustup
+          key: solana-${{ env.SOLANA_VERSION }}
+
+      - name: Cache build dependencies
+        uses: Swatinem/rust-cache@v1
+        with:
+          target-dir: .coderrect/build
+
+      - name: Install Solana
+        if: steps.solana-cache.outputs.cache-hit != 'true'
+        run: |
+          echo Installing Solana v${{ env.SOLANA_VERSION }}...
+          sh -c "$(curl -sSfL https://release.solana.com/v${{ env.SOLANA_VERSION }}/install)"
+          echo "$HOME/.local/share/solana/install/active_release/bin" >> $GITHUB_PATH
+          export PATH="/home/runner/.local/share/solana/install/active_release/bin:$PATH"
+          echo Installing bpf toolchain...
+          (cd /home/runner/.local/share/solana/install/active_release/bin/sdk/bpf/scripts; ./install.sh)
+        shell: bash
+
+      - name: Install Soteria
+        run: |
+          echo Installing Soteria...
+          sh -c "$(curl -k https://supercompiler.xyz/install)"
+          export PATH=$PWD/soteria-linux-develop/bin/:$PATH
+          echo "$PWD/soteria-linux-develop/bin" >> $GITHUB_PATH
+        shell: bash
+
+      - name: Run Soteria
+        run: soteria -analyzeAll .
+        shell: bash