Dependency Check #2047
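# Dependency hygiene workflow: audits the Rust dependency tree with cargo-audit
# and checks that the recorded dependency summaries still match the lockfiles.
name: Dependency Check

# Every step only reads the repository, so grant the job token read access only.
permissions:
  contents: read

on:
  push:
    branches: [ main ]
    paths:
      - '**Cargo.toml'
      - '**Cargo.lock'
      - '**requirements.txt'
      - '**DEPENDENCIES.md'
      - '**dependency-licenses.xml'
      - '**dependency_summary.py'
  pull_request:
    branches: [ main ]
    paths:
      - '**Cargo.toml'
      - '**Cargo.lock'
      - '**requirements.txt'
      - '**DEPENDENCIES.md'
      - '**dependency-licenses.xml'
      - '**dependency_summary.py'
  schedule:
    # Runs at 7:00 UTC every day
    - cron: '0 7 * * *'
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  check-dependencies:
    # Run on macos to detect iOS dependencies
    runs-on: macos-latest
    strategy:
      matrix:
        # Quoted so the YAML parser keeps the version as a string rather than a float.
        python-version: ["3.7"]
    steps:
      # TODO(review): third-party actions are referenced by mutable tags; consider
      # pinning each one to a full commit SHA so the workflow cannot change underneath us.
      - uses: actions/checkout@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          submodules: 'recursive'
      - name: Setup Python ${{ matrix.python-version }}
        uses: actions/setup-python@v1
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install Python dependencies
        run: |
          python -m pip install --upgrade pip
          # --require-hashes refuses any requirement whose hash is not recorded in the file.
          pip install --require-hashes -r ./tools/requirements.txt
      - name: Install Rust
        run: |
          # The rustup installer is fetched over TLS at run time; --proto/--tlsv1.2 forbid downgrades.
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
          source $HOME/.cargo/env
          # Each `run` step starts a fresh shell, so the `source` above does not reach
          # later steps; publish the cargo bin directory through GITHUB_PATH instead.
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
      - name: Run Cargo Audit
        run: |
          # --locked builds cargo-audit from its own lockfile so the audit tool itself is reproducible.
          cargo install --locked cargo-audit
          # Explanation for ignored issues:
          # * RUSTSEC-2020-0071: `time` has a problem where invocations of `localtime_r` could segfault, our code base doesn't trigger this,
          #   but time is a transitive dependency for other crates so is difficult to update.
          # * RUSTSEC-2018-0006: Uncontrolled recursion in `yaml-rust`, which is included by `clap` v2. `clap` itself already updated to a safe
          #   version of `yaml-rust`, which will be released in `v3` and additionally,
          #   reading https://github.com/rustsec/advisory-db/issues/288, this is a false
          #   positive for clap and based on our dependency tree, we only use `yaml-rust` in `clap`.
          cargo audit --ignore RUSTSEC-2020-0071 --ignore RUSTSEC-2018-0006
      - name: Check for any unrecorded changes in our dependency trees
        run: |
          # --locked fails if Cargo.lock would need to change, i.e. the lockfile is out of date.
          cargo metadata --locked > /dev/null
          python ./tools/dependency_summary.py --check ./DEPENDENCIES.md
          python ./tools/dependency_summary.py --all-ios-targets --package megazord_ios --check megazords/ios-rust/DEPENDENCIES.md
          python ./tools/dependency_summary.py --all-android-targets --package megazord --check megazords/full/DEPENDENCIES.md
          python ./tools/dependency_summary.py --all-android-targets --package megazord --format pom --check megazords/full/android/dependency-licenses.xml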