name: Cargo Audit and Update on: schedule: # Run on Monday mornings, 11AM UTC. - cron: '0 11 * * 1' pull_request: # Enable push for testing when working on this file. #push: workflow_dispatch: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true permissions: read-all jobs: # This job runs `cargo audit` and will exit with a failure code if # any warnings are raised. audit: name: Cargo Audit runs-on: ubuntu-latest container: almalinux:9 steps: - name: Cache cargo registry uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo key: ${{ github.job }}-cargo - name: Cache RPMs uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf key: ${{ github.job }}-dnf - run: echo "keepcache=1" >> /etc/dnf/dnf.conf - name: Install system packages run: | dnf -y install dnf-plugins-core epel-release dnf config-manager --set-enabled crb dnf -y install \ autoconf \ automake \ cbindgen \ diffutils \ numactl-devel \ dpdk-devel \ file-devel \ gcc \ gcc-c++ \ git \ jansson-devel \ jq \ libtool \ libyaml-devel \ libnfnetlink-devel \ libnetfilter_queue-devel \ libnet-devel \ libcap-ng-devel \ libevent-devel \ libmaxminddb-devel \ libpcap-devel \ libtool \ lz4-devel \ make \ pcre2-devel \ pkgconfig \ python3-devel \ python3-sphinx \ python3-yaml \ sudo \ which \ zlib-devel - name: Install Rust run: | curl https://sh.rustup.rs -sSf | sh -s -- -y echo "$HOME/.cargo/bin" >> $GITHUB_PATH - name: Install Cargo Audit run: cargo install cargo-audit - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - name: Configure Suricata run: | ./scripts/bundle.sh libhtp ./autogen.sh ./configure --enable-warnings - name: Run Cargo Audit working-directory: rust run: | IGNORES=() # failure, via bendy IGNORES+=(--ignore RUSTSEC-2020-0036) # failure, via bendy IGNORES+=(--ignore RUSTSEC-2019-0036) cargo audit -D warnings "${IGNORES[@]}" # This job uses our MSRV and does a `cargo update` with the idea # that it should catch early any dependencies that have done a patch # update pulling in a new MSRV. This would be an indicator that we # have to more tightly pin the dependency, or even attempt to pin a # transitive dependency. update: name: Cargo Update runs-on: ubuntu-latest container: almalinux:9 steps: - name: Cache cargo registry uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: ~/.cargo key: ${{ github.job }}-cargo - name: Cache RPMs uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 with: path: /var/cache/dnf key: ${{ github.job }}-dnf - run: echo "keepcache=1" >> /etc/dnf/dnf.conf - name: Install system packages run: | dnf -y install dnf-plugins-core epel-release dnf config-manager --set-enabled crb dnf -y install \ autoconf \ automake \ cbindgen \ diffutils \ numactl-devel \ dpdk-devel \ file-devel \ gcc \ gcc-c++ \ git \ jansson-devel \ jq \ libtool \ libyaml-devel \ libnfnetlink-devel \ libnetfilter_queue-devel \ libnet-devel \ libcap-ng-devel \ libevent-devel \ libmaxminddb-devel \ libpcap-devel \ libtool \ lz4-devel \ make \ pcre2-devel \ pkgconfig \ python3-devel \ python3-sphinx \ python3-yaml \ sudo \ which \ zlib-devel - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - name: Install Minimum Supported Rust Version run: | curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(awk -F '"' '/rust-version/ { print $2 }' rust/Cargo.toml.in) echo "$HOME/.cargo/bin" >> $GITHUB_PATH - name: Configure Suricata run: | ./scripts/bundle.sh libhtp ./autogen.sh ./configure --enable-warnings - name: Cargo Update and Build working-directory: rust run: | cargo update cargo build --all-features --all-targets