Skip to content

Commit

Permalink
Split cargo-deny job into two non-matrix jobs
Browse files Browse the repository at this point in the history
Instead of conditionally applying `continue-on-error: true` at the
job level to the `advisories` job, this splits `cargo-deny` into
two job definitions, `cargo-deny-advisories` and `cargo-deny`,
where *neither* has `continue-on-error` but `cargo-deny-advisories`
is omitted as a dependency of the `tests-pass` job that makes jobs
effectively required for PR auto-merge. This way, when there is an
unaddressed advisory, the `cargo-deny-advisories` job unambiguously
fails, even failing the workflow, but PRs can still auto-merge.

One implication of this is that, on Dependabot security update PRs,
`@dependabot merge` and `@dependabot squash and merge` commands
will only perform a merge if `cargo deny check advisories` reports
no other outstanding advisories. This is because, when Dependabot
is told to merge a PR, it only goes ahead with the merge if all
checks pass (i.e. report a successful conclusion). This would be
convenient for cases where, if the fix is not complete, further
manual review is desired. It would otherwise be inconvenient, but
then a usual PR auto-merge could be done instead (which is the more
common practice here anyway).
  • Loading branch information
EliahKagan committed Nov 12, 2024
1 parent 5173e9a commit 38edb2c
Showing 1 changed file with 12 additions and 9 deletions.
21 changes: 12 additions & 9 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -192,23 +192,25 @@ jobs:
# than allows is no problem either if it comes to that.
continue-on-error: true

cargo-deny:
# This job is not required for PR auto-merge, so that sudden announcement of a
# new advisory does not keep otherwise OK pull requests from being integrated.
cargo-deny-advisories:
runs-on: ubuntu-latest

strategy:
matrix:
checks:
- advisories
- bans licenses sources
steps:
- uses: actions/checkout@v4
- uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check advisories

# Prevent sudden announcement of a new advisory from failing ci:
continue-on-error: ${{ matrix.checks == 'advisories' }}
cargo-deny:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check ${{ matrix.checks }}
command: check bans licenses sources

wasm:
name: WebAssembly
Expand Down Expand Up @@ -300,6 +302,7 @@ jobs:
# List all jobs that are intended NOT to block PR auto-merge here.
EXPECTED_NONBLOCKING_JOBS: |-
test-fixtures-windows
cargo-deny-advisories
wasm
tests-pass
Expand Down

0 comments on commit 38edb2c

Please sign in to comment.