ci: order nix workflows; add cargo audit

anyrun-org · Jun 4, 2024 · 636ddab · 636ddab
1 parent 1af8887
commit 636ddab
Show file tree

Hide file tree

Showing 5 changed files with 123 additions and 19 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,29 @@
+name: Security audit
+on:
+  workflow_call:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+  push:
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+  pull_request:
+    branches: ["master"]
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+
+jobs:
+  audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install cargo-deny
+        uses: taiki-e/install-action@cargo-deny
+
+      - name: Scan for vulnerabilities
+        run: cargo deny check advisories
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,35 @@
+name: Build Cargo Workspace
+
+on:
+  workflow_call:
+  workflow_dispatch:
+  pull_request:
+    branches: ["master"]
+  push:
+    branches:
+      - "*"
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build:
+    name: Build Cargo Workspace
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+          override: true
+
+      - uses: Swatinem/rust-cache@v2
+        name: Cache dependencies
+
+      - uses: actions-rs/cargo@v1
+        name: Build crate
+        with:
+          command: build
+          args: --verbose --all-features
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
diff --git a/.github/workflows/cachix.yml → .github/workflows/nix.yml b/.github/workflows/cachix.yml → .github/workflows/nix.yml
@@ -16,9 +16,26 @@ on:
       - README.md
 
 jobs:
+  check-flake:
+    name: "Check flake validity"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          logger: pretty
+
+      - name: Check Flake
+        run: nix flake check --accept-flake-config
+
   cachix:
     name: "Build Exposed Packages"
     runs-on: ubuntu-latest
+    needs: check-flake
     strategy:
       matrix:
         package:

diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
@@ -0,0 +1,42 @@
+name: "Update repository dependencies"
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 4 1 * *"
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Bump nix
+        run: nix flake update
+
+      - name: Install dependencies
+        run: nix profile install --inputs-from . nixpkgs#cargo-bump nixpkgs#cargo
+
+      - name: Bump rust
+        run: |
+          cargo bump patch
+          cargo update
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: "${{ secrets.github_token }}"
+          title: "ci: update inputs"
+          author: GitHub <[email protected]>
+          branch: update
+          branch-suffix: timestamp
+          delete-branch: true
+          commit-message: |
+            Update all inputs
+
+            Co-authored-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>