This repository was archived by the owner on Jun 29, 2026. It is now read-only.

Commit 125693b

authored
Refactor: Addressing SecObserve advisories (#64)
* Refactor: Addressing secobserve advisories * Fix: Fixing incorrect indentation
1 parent 2934864 commit 125693b

1 file changed

Lines changed: 95 additions & 39 deletions


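--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,8 @@ on:
 pull_request:
 merge_group:
 
+permissions: {}
+
 env:
 CARGO_TERM_COLOR: always
 CARGO_INCREMENTAL: "0"
@@ -27,22 +29,37 @@ jobs:
 run_udeps:
 name: Run Cargo Udeps
 runs-on: ubuntu-latest
+permissions:
+contents: read
 env:
-RUSTC_BOOTSTRAP: 1
+RUSTC_BOOTSTRAP: "1"
+
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-- uses: dtolnay/rust-toolchain@master
 with:
-toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
+persist-credentials: false
+
+- name: Install rust toolchain
+run: |
+rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --profile minimal
+rustup default "${RUST_TOOLCHAIN_VERSION}"
+
 - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 key: udeps
-- uses: stackabletech/cargo-install-action@cargo-udeps
-- run: cargo udeps --all-targets --all-features
+
+- name: Install cargo-udeps
+run: cargo install cargo-udeps --locked
+
+- name: Check for unused dependencies
+run: cargo udeps --all-targets --all-features
 
 run_cargodeny:
 name: Run Cargo Deny
 runs-on: ubuntu-latest
+permissions:
+contents: read
+
 strategy:
 matrix:
 checks:
@@ -54,73 +71,97 @@ jobs:
 
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+with:
+persist-credentials: false
+
 - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15
 with:
 command: check ${{ matrix.checks }}
 
 run_rustfmt:
 name: Run Rustfmt
 runs-on: ubuntu-latest
+permissions:
+contents: read
+
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-- uses: dtolnay/rust-toolchain@master
 with:
-toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-components: rustfmt
+persist-credentials: false
+
+- name: Install Rust toolchain with rustfmt
+run: |
+rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" \
+--profile minimal \
+--component rustfmt
+rustup default "${RUST_TOOLCHAIN_VERSION}"
+
 - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 key: fmt
-- run: cargo fmt --all -- --check
+
+- name: Run Rustfmt
+run: cargo fmt --all -- --check
 
 run_clippy:
 name: Run Clippy
 runs-on: ubuntu-latest
+permissions:
+contents: read
+
 steps:
 - name: Install host dependencies
 run: |
 sudo apt-get update
-sudo apt-get install protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config
+sudo apt-get install --yes \
+protobuf-compiler \
+krb5-user \
+libkrb5-dev \
+libclang-dev \
+liblzma-dev \
+libssl-dev \
+pkg-config
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 submodules: recursive
-- uses: dtolnay/rust-toolchain@master
-with:
-toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-components: clippy
+persist-credentials: false
+
+- name: Install Rust toolchain with Clippy
+run: |
+rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" \
+--profile minimal \
+--component clippy
+rustup default "${RUST_TOOLCHAIN_VERSION}"
+
 - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 key: clippy
-- name: Run clippy action to produce annotations
-# NOTE (@Techassi): This action might get a new release soon, because it
-# currently uses Node 16, which is deprecated in the next few months by
-# GitHub. See https://github.com/giraffate/clippy-action/pull/87
-uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1.0.1
-env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-if: env.GITHUB_TOKEN != null && github.event.pull_request.draft == false
-with:
-clippy_flags: --all-targets -- -D warnings
-reporter: "github-pr-review"
-github_token: ${{ secrets.GITHUB_TOKEN }}
-- name: Run clippy manually without annotations
-env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-if: env.GITHUB_TOKEN == null
-run: cargo clippy --color never -q --all-targets -- -D warnings
 
+- name: Run Clippy
+run: cargo clippy --color never -q --all-targets -- -D warnings
 run_rustdoc:
 name: Run RustDoc
 runs-on: ubuntu-latest
+permissions:
+contents: read
+
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-- uses: dtolnay/rust-toolchain@master
 with:
-toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-components: rustfmt
+persist-credentials: false
+
+- name: Install Rust toolchain
+run: |
+rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --profile minimal
+rustup default "${RUST_TOOLCHAIN_VERSION}"
+
 - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 key: doc
-- run: cargo doc --document-private-items
+
+- name: Build documentation
+run: cargo doc --document-private-items
 
 run_tests:
 name: Run Cargo Tests
@@ -129,26 +170,41 @@ jobs:
 - run_rustfmt
 - run_rustdoc
 runs-on: ubuntu-latest
+permissions:
+contents: read # Required by actions/checkout.
+
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-- uses: dtolnay/rust-toolchain@master
 with:
-toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
+persist-credentials: false
+
+- name: Install Rust toolchain with rust-src
+run: |
+rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" \
+--profile minimal \
+--component rust-src
+rustup default "${RUST_TOOLCHAIN_VERSION}"
+
 # rust-src is required for trybuild stderr output comparison to work
 # for our cases.
 # See: https://github.com/dtolnay/trybuild/issues/236#issuecomment-1620950759
-components: rust-src
 - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
 with:
 key: test
-- run: cargo test --all-features
+
+- name: Run tests
+run: cargo test --all-features
 
 tests_passed:
 name: All tests passed
 needs:
 - run_udeps
+- run_cargodeny
 - run_tests
 runs-on: ubuntu-latest
+permissions: {}
+
 steps:
 - name: log
 run: echo All tests have passed!
+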
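Review bot: The new `Install cargo-udeps` step in `run_udeps` installs whichever cargo-udeps release is current on crates.io at run time, so it is the one third-party tool in this workflow that is still unpinned after the mutable `@master` and `@cargo-udeps` refs were dropped. `--locked` only makes cargo use the `Cargo.lock` shipped with the crate; it does not fix the version of cargo-udeps itself. Pinning it, for example `run: cargo install cargo-udeps --locked --version "<PINNED_VERSION>"`, keeps the job reproducible and turns every tool upgrade into a reviewed change. Separately, in `run_tests` the comment beginning `# rust-src is required for trybuild` now sits directly above the `Swatinem/rust-cache` step rather than the install step that passes `--component rust-src`, and should move up into that step.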
