Dependency Check #3226
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Dependency Check | |
on: | |
push: | |
branches: [ main ] | |
paths: | |
- '**Cargo.toml' | |
- '**Cargo.lock' | |
- '**requirements.txt' | |
- '**DEPENDENCIES.md' | |
- '**dependency-licenses.xml' | |
- '**dependency_summary.py' | |
pull_request: | |
branches: [ main ] | |
paths: | |
- '**Cargo.toml' | |
- '**Cargo.lock' | |
- '**requirements.txt' | |
- '**DEPENDENCIES.md' | |
- '**dependency-licenses.xml' | |
- '**dependency_summary.py' | |
schedule: | |
# Runs at 7:00 UTC every day | |
- cron: '0 7 * * *' | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
jobs: | |
check-dependencies: | |
# Run on macos to detect iOS dependencies | |
runs-on: macos-latest | |
strategy: | |
matrix: | |
python-version: [3.11] | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
submodules: 'recursive' | |
- name: Setup Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Install Python dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install --require-hashes -r ./taskcluster/requirements.txt | |
pip install --require-hashes -r ./tools/requirements.txt | |
- name: Install Rust | |
run: | | |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y | |
source $HOME/.cargo/env | |
- name: Run Cargo Audit | |
run: | | |
# cargo-audit 0.20 is giving us trouble in CI - it's failing to build the package. | |
# not clear what's causing this, but we work around it by pinning to 0.19 | |
cargo install cargo-audit@^0.19 | |
# Explanation for ignored issues: | |
# * RUSTSEC-2018-0006: Uncontrolled recursion in `yaml-rust`, which is included by `clap` v2. `clap` itself already updated to a safe | |
# version of `yaml-rust`, which will be released in `v3` and additionally, | |
# reading https://github.com/rustsec/advisory-db/issues/288, this is a false | |
# positive for clap and based on our dependency tree, we only use `yaml-rust` in `clap`. | |
cargo audit --ignore RUSTSEC-2018-0006 | |
- name: Check for any unrecorded changes in our dependency trees | |
run: | | |
cargo metadata --locked > /dev/null | |
python ./tools/dependency_summary.py --check ./DEPENDENCIES.md | |
python ./tools/dependency_summary.py --all-ios-targets --package megazord_ios --check megazords/ios-rust/DEPENDENCIES.md | |
python ./tools/dependency_summary.py --all-android-targets --package megazord --check megazords/full/DEPENDENCIES.md | |
python ./tools/dependency_summary.py --all-android-targets --package megazord --format pom --check megazords/full/android/dependency-licenses.xml |