From ccab3b867fc0f8cd3b1bdaf662b429ad472f3b7c Mon Sep 17 00:00:00 2001
From: microwavedcola1
Date: Mon, 28 Feb 2022 12:58:39 +0100
Subject: [PATCH] github workflows
Signed-off-by: microwavedcola1
---
.github/workflows/ci-cargo-audit.yml | 45 +++++++++++++++++
.github/workflows/ci-lint-test.yml | 72 ++++++++++++++++++++++++++++
.github/workflows/ci-soteria.yml | 56 ++++++++++++++++++++++
3 files changed, 173 insertions(+)
create mode 100644 .github/workflows/ci-cargo-audit.yml
create mode 100644 .github/workflows/ci-lint-test.yml
create mode 100644 .github/workflows/ci-soteria.yml
diff --git a/.github/workflows/ci-cargo-audit.yml b/.github/workflows/ci-cargo-audit.yml
new file mode 100644
index 000000000..d56c23d1e
--- /dev/null
+++ b/.github/workflows/ci-cargo-audit.yml
@@ -0,0 +1,45 @@
+# CI job for scanning Cargo dependencies for vulnerabilities and report/fail job based on criticality.
+# Critically vulnerable dependencies with fix available will mark the run as failed (X)
+name: Rust Cargo Audit
+
+on:
+ push:
+ branches: master
+ pull_request:
+
+ # Allowing manual runs with ability to choose branch
+ workflow_dispatch:
+
+ # Optimisation option by targeting direct paths to only scan when there are changes to dependencies in the push/PR
+ # push:
+ # paths:
+ # - 'Cargo.toml'
+ # - 'Cargo.lock'
+ # pull_request:
+ # paths:
+ # - 'Cargo.toml'
+ # - 'Cargo.lock'
+
+ # Example of running scheduled scans at 6AM UTC every Monday to regularly check for vulnerable dependencies
+ # schedule:
+ # - cron: '0 6 * * 1'
+
+# Run the job
+jobs:
+ Cargo-audit:
+ name: Cargo Vulnerability Scanner
+ runs-on: ubuntu-latest
+ steps:
+ # Check out GitHub repo
+ - uses: actions/checkout@v2
+
+ # Install cargo audit
+ - name: Install Cargo Audit
+ uses: actions-rs/install@v0.1
+ with:
+ crate: cargo-audit
+ version: latest
+
+ # Run cargo audit using args from .cargo/audit.toml (ignores, etc.)
+ - name: Run Cargo Audit
+ run: cargo audit -c always
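Review bot: The job runs with the default GITHUB_TOKEN permissions and every third-party step is referenced by a mutable tag (`actions/checkout@v2`, `actions-rs/install@v0.1`) with `version: latest` for cargo-audit, so the scanner's own supply chain is unpinned and a tag or crate release can change what executes on master and on PRs without any diff in this repo. Add a top-level `permissions:` block with `contents: read`, pin the actions to full commit SHAs, and give cargo-audit an explicit `version:`. The header comment saying only critically vulnerable dependencies with a fix available fail the run appears to overstate the default behaviour — as far as I know `cargo audit` exits non-zero on any unignored advisory — so either reword the comment or encode that policy in `.cargo/audit.toml`. The actions-rs organisation appears to be unmaintained, so `actions-rs/install` may be worth replacing with a plain `cargo install cargo-audit --version <x.y.z>` step.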
diff --git a/.github/workflows/ci-lint-test.yml b/.github/workflows/ci-lint-test.yml
new file mode 100644
index 000000000..04b7a36fe
--- /dev/null
+++ b/.github/workflows/ci-lint-test.yml
@@ -0,0 +1,72 @@
+name: Lint and Test
+on:
+ push:
+ branches: master
+ pull_request:
+
+env:
+ CARGO_TERM_COLOR: always
+ SOLANA_VERSION: "1.9.5"
+ RUST_TOOLCHAIN: stable
+
+defaults:
+ run:
+ working-directory: ./
+
+jobs:
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install Rust nightly
+ uses: actions-rs/toolchain@v1
+ with:
+ override: true
+ profile: minimal
+ toolchain: ${{ env.RUST_TOOLCHAIN }}
+ components: rustfmt, clippy
+ - name: Cache dependencies
+ uses: Swatinem/rust-cache@v1
+
+ - name: Run fmt
+ run: cargo fmt -- --check
+ # The style and complexity lints have not been processed yet.
+ - name: Run clippy
+ run: cargo clippy -- --deny=warnings --allow=clippy::style --allow=clippy::complexity
+
+ tests:
+ name: Test
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install Linux dependencies
+ run: sudo apt-get update && sudo apt-get install -y pkg-config build-essential libudev-dev
+ - name: Install Rust nightly
+ uses: actions-rs/toolchain@v1
+ with:
+ override: true
+ profile: minimal
+ toolchain: ${{ env.RUST_TOOLCHAIN }}
+ - name: Cache dependencies
+ uses: Swatinem/rust-cache@v1
+
+ # Install Solana
+ - name: Cache Solana binaries
+ uses: actions/cache@v2
+ with:
+ path: ~/.cache/solana
+ key: ${{ runner.os }}-${{ env.SOLANA_VERSION }}
+ - name: Install Solana
+ run: |
+ sh -c "$(curl -sSfL https://release.solana.com/v${{ env.SOLANA_VERSION }}/install)"
+ echo "$HOME/.local/share/solana/install/active_release/bin" >> $GITHUB_PATH
+ export PATH="/home/runner/.local/share/solana/install/active_release/bin:$PATH"
+ solana --version
+ echo "Generating keypair..."
+ solana-keygen new -o "$HOME/.config/solana/id.json" --no-passphrase --silent
+
+ - name: Run bpf tests
+ run: cargo test-bpf
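Review bot: The `Install Solana` step feeds `curl -sSfL https://release.solana.com/v${{ env.SOLANA_VERSION }}/install` straight into `sh -c` with no checksum or signature check, so although the version is pinned, a compromised release host or CDN gets code execution on every push and PR run; download the installer to a file, verify it against a sha256 recorded in the repo, and only then execute it. Both toolchain steps are named `Install Rust nightly` while `RUST_TOOLCHAIN` is `stable`, so rename them to `Install Rust toolchain` to keep the logs honest. The workflow sets no `permissions:` block and references every action by a mutable tag (`actions/checkout@v2`, `actions-rs/toolchain@v1`, `Swatinem/rust-cache@v1`, `actions/cache@v2`); a top-level `permissions: contents: read` plus commit-SHA pins would bound what a compromised action, or a build script from a fork PR running under `cargo test-bpf`, can do with the job token.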
diff --git a/.github/workflows/ci-soteria.yml b/.github/workflows/ci-soteria.yml
new file mode 100644
index 000000000..bbe2fab08
--- /dev/null
+++ b/.github/workflows/ci-soteria.yml
@@ -0,0 +1,56 @@
+name: Soteria Scan
+
+on:
+ push:
+ branches: master
+ pull_request:
+
+env:
+ CARGO_TERM_COLOR: always
+ SOLANA_VERSION: "1.9.5"
+
+jobs:
+ build:
+ name: Soteria
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check-out repo
+ uses: actions/checkout@v2
+
+ - name: Cache Solana binaries
+ uses: actions/cache@v2
+ id: solana-cache
+ with:
+ path: |
+ ~/.cache/solana
+ ~/.local/share/solana
+ ~/.rustup
+ key: solana-${{ env.SOLANA_VERSION }}
+
+ - name: Cache build dependencies
+ uses: Swatinem/rust-cache@v1
+ with:
+ target-dir: .coderrect/build
+
+ - name: Install Solana
+ if: steps.solana-cache.outputs.cache-hit != 'true'
+ run: |
+ echo Installing Solana v${{ env.SOLANA_VERSION }}...
+ sh -c "$(curl -sSfL https://release.solana.com/v${{ env.SOLANA_VERSION }}/install)"
+ echo "$HOME/.local/share/solana/install/active_release/bin" >> $GITHUB_PATH
+ export PATH="/home/runner/.local/share/solana/install/active_release/bin:$PATH"
+ echo Installing bpf toolchain...
+ (cd /home/runner/.local/share/solana/install/active_release/bin/sdk/bpf/scripts; ./install.sh)
+ shell: bash
+
+ - name: Install Soteria
+ run: |
+ echo Installing Soteria...
+ sh -c "$(curl -k https://supercompiler.xyz/install)"
+ export PATH=$PWD/soteria-linux-develop/bin/:$PATH
+ echo "$PWD/soteria-linux-develop/bin" >> $GITHUB_PATH
+ shell: bash
+
+ - name: Run Soteria
+ run: soteria -analyzeAll .
+ shell: bash
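Review bot: `sh -c "$(curl -k https://supercompiler.xyz/install)"` in the `Install Soteria` step disables TLS certificate verification with `-k` and then executes whatever comes back, unpinned and unverified, on every push and pull request — anyone who can interpose on the runner's network, or whoever controls that domain, gets code execution in CI and can silently neuter the very scanner this workflow adds. At minimum drop `-k` and use `curl -sSfL`; better, fetch a specific Soteria release artifact to a file, compare it against a sha256 recorded in the repo, and only then run it. The `echo ... >> $GITHUB_PATH` line in `Install Solana` is inside a step guarded by `if: steps.solana-cache.outputs.cache-hit != 'true'`, so on a cache hit the Solana bin directory is never added to PATH for later steps; if `soteria -analyzeAll .` depends on the Solana/bpf toolchain being on PATH, move that line into its own unconditional step. A top-level `permissions: contents: read` and commit-SHA pins for `actions/checkout@v2`, `actions/cache@v2` and `Swatinem/rust-cache@v1` would also bound what an unauthenticated installer script can do with the job token.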