Add audit check #2595
Merged
Add audit check #2595
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
An audit warning formatted by |
Darksonn
added
A-tokio
taiki-e
reviewed
Jun 10, 2020
|
I activated issues on my fork in order to ensure the issue creating functionality works, and it looks like it does. |
taiki-e
added
the
S-waiting-on-review
taiki-e
reviewed
Jul 5, 2020
There was a problem hiding this comment.
One of the concerns about using actions-rs/audit-check is that it doesn't seem to support passing options to cargo-audit (actions-rs/audit-check#132, e.g., we want to silence the warning that net2 is deprecated), but otherwise it looks good to me.
taiki-e
removed
the
S-waiting-on-review
carllerche
approved these changes
Jul 21, 2020
|
Thanks! |
|
I'll follow up with another PR when my PR to add an args parameter to audit-check gets accepted 🤞 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This continues the work started in #2516, adding two workflows to run
cargo auditon the code and report these failures in a variety of useful ways. The intent is that the closer the code being audited is to being run in production, the louder these checks will complain. In order of increasing severity:A "manual"
cargo auditcheck is run on each pr and push event containing changes to anyCargo.tomlin the workspace. This check only fails the job in order to mark a Pull Request as failing.Every day at 02:00 UTC the master branch is audited using the
actions-rs/audit-checkaction. When this check fails it will create an issue on github detailing the issue.Cargo.tomlin the workspace the sameactions-rs/audit-checkis run, and if that check fails an issue will be created and a notification will be sent to the Tokio Discord channel (sending to the correct channel still needs to be set up).This set of checks is slightly different from what was discussed in the previous PR, but I think that these checks make sense. We use
actions-rs/audit-checkonly in contexts where theGITHUB_TOKENwill be accessible, so that on failure the action will be able to create an issue on Github. We still want to audit any proposed changes to the dependency tree in pull requests, but we don't need to report this in any extra fashion than blocking a merge.