Merge pull request #42 from blockworks-foundation/revert-35-feat/depbot

Revert "add dependabot"
2022-04-11 14:29:40 +01:00 · 2022-04-11 14:29:40 +01:00 · 7a1ec116ef
parent 535429bf3f 4e02903393
commit 7a1ec116ef
3 changed files with 27 additions and 33 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,27 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: 'cargo'
-    directory: 'programs/mango-v4'
-    schedule:
-      interval: 'daily'
-    allow:
-      - dependency-type: 'direct'
-    commit-message:
-      prefix: 'v4'
-    open-pull-requests-limit: 5
-    labels:
-      - 'cargo'
-      - 'dependency'
-      
-  - package-ecosystem: 'cargo'
-    directory: 'programs/margin-trade'
-    schedule:
-      interval: 'daily'
-    allow:
-      - dependency-type: 'direct'
-    commit-message:
-      prefix: 'margin'
-    open-pull-requests-limit: 5
-    labels:
-      - 'cargo'
-      - 'dependency'
--- a/.github/workflows/ci-cargo-audit.yml
+++ b/.github/workflows/ci-cargo-audit.yml
@ -1,23 +1,45 @@
-name: Cargo Audit
+# CI job for scanning Cargo dependencies for vulnerabilities and report/fail job based on criticality.
+# Critically vulnerable dependencies with fix available will mark the run as failed (X)
+name: Rust Cargo Audit

 on:
  push:
    branches: master
  pull_request:

+  # Allowing manual runs with ability to choose branch
+  workflow_dispatch:
+
+  # Optimisation option by targeting direct paths to only scan when there are changes to dependencies in the push/PR
+  #  push:
+  #    paths:
+  #      - 'Cargo.toml'
+  #      - 'Cargo.lock'
+  #  pull_request:
+  #    paths:
+  #      - 'Cargo.toml'
+  #      - 'Cargo.lock'
+
+  # Example of running scheduled scans at 6AM UTC every Monday to regularly check for vulnerable dependencies
+  #  schedule:
+  #  - cron: '0 6 * * 1'
+
+# Run the job
 jobs:
-  cargo-audit:
-    name: Cargo Audit
+  Cargo-audit:
+    name: Cargo Vulnerability Scanner
    runs-on: ubuntu-latest
    steps:
+      # Check out GitHub repo
      - uses: actions/checkout@v2
-
+      
+      # Install cargo audit
      - name: Install Cargo Audit
        uses: actions-rs/install@v0.1
        with:
          crate: cargo-audit
          version: latest

-      # Run cargo audit using args from .cargo/audit.toml
+      # Run cargo audit using args from .cargo/audit.toml (ignores, etc.)
      - name: Run Cargo Audit
        run: cargo audit -c always
--- a/.github/workflows/ci-soteria.yml
+++ b/.github/workflows/ci-soteria.yml
@ -13,7 +13,6 @@ jobs:
  build:
    name: Soteria
    runs-on: ubuntu-latest
-    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Check-out repo
        uses: actions/checkout@v2