From ca6f70427746d0e0f6ccb049a014ac5a63afaeb2 Mon Sep 17 00:00:00 2001 From: Saul Beck Date: Fri, 26 Jun 2026 09:14:53 +0100 Subject: [PATCH 1/2] Refactor: Addressing secobserve advisories --- .github/workflows/build.yml | 128 ++++++++++++++++++++++-------------- 1 file changed, 79 insertions(+), 49 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e41faca..211d8eb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -13,6 +13,8 @@ on: pull_request: merge_group: + permissions: {} + env: CARGO_TERM_COLOR: always CARGO_INCREMENTAL: "0" @@ -27,22 +29,36 @@ jobs: run_udeps: name: Run Cargo Udeps runs-on: ubuntu-latest + permissions: + contents: read env: RUSTC_BOOTSTRAP: 1 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: dtolnay/rust-toolchain@master - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + with: + persist-credentials: false + + - name: Install rust toolchain + run: | + rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" + rustup default "${RUST_TOOLCHAIN_VERSION}" + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: udeps - - uses: stackabletech/cargo-install-action@cargo-udeps - - run: cargo udeps --all-targets --all-features + + - name: Install cargo-udeps + run: cargo install cargo-udeps --version "${CARGO_UDEPS_VERSION}" --locked + + - name: Check for unused dependencies + run: cargo udeps --all-targets --all-features + run_cargodeny: name: Run Cargo Deny runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: checks: @@ -54,6 +70,9 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15 with: command: check ${{ matrix.checks }} 
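Review bot: The `Install cargo-udeps` step in `run_udeps` passes `--version "${CARGO_UDEPS_VERSION}"`, but none of the `env:` lines visible in this patch define that variable. The workflow-level `env:` block is only partly shown here, so this may expand to an empty version and fail the install. Patch 2/2 (hunk `@@ -29,36 +29,37 @@`) resolves that by dropping `--version`, which leaves the tool version floating: `--locked` pins the dependency tree of whichever cargo-udeps release is resolved at run time, not the release itself. Since the rest of the series pins actions by commit SHA, keep the flag and add `CARGO_UDEPS_VERSION: "<pinned cargo-udeps version>"` to the workflow-level `env:` instead.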
@@ -61,12 +80,18 @@ jobs: run_rustfmt: name: Run Rustfmt runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: dtolnay/rust-toolchain@master with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: rustfmt + persist-credentials: false + + - name: Install Rust toolchain with rustfmt + run: | + rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --profile minimal --component rustfmt + rustup default "${RUST_TOOLCHAIN_VERSION}" + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: fmt 
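Review bot: The new `Install Rust toolchain with rustfmt` step has no comment saying why `dtolnay/rust-toolchain@master` was replaced by a direct `rustup` call (presumably to drop the mutable `@master` ref), which makes it easy for a later cleanup to bring the action back. A line above the step such as `# rustup is invoked directly so the job does not depend on an action pinned to a mutable branch ref` would record that. The step also assumes `rustup` is already on the runner image and that `RUST_TOOLCHAIN_VERSION` is set in the workflow-level `env:`, which is outside this hunk. The same applies to the matching steps in `run_udeps`, `run_clippy`, `run_rustdoc` and `run_tests`.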
@@ -83,65 +108,70 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive - - uses: dtolnay/rust-toolchain@master - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: clippy + persist-credentials: false + + - name: Install Rust toolchain with Clippy + run: | + rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --profile minimal --component clippy + rustup default "${RUST_TOOLCHAIN_VERSION}" + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: clippy - - name: Run clippy action to produce annotations - # NOTE (@Techassi): This action might get a new release soon, because it - # currently uses Node 16, which is deprecated in the next few months by - # GitHub. See https://github.com/giraffate/clippy-action/pull/87 - uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1.0.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - if: env.GITHUB_TOKEN != null && github.event.pull_request.draft == false - with: - clippy_flags: --all-targets -- -D warnings - reporter: "github-pr-review" - github_token: ${{ secrets.GITHUB_TOKEN }} - - name: Run clippy manually without annotations - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - if: env.GITHUB_TOKEN == null + + - name: Run Clippy run: cargo clippy --color never -q --all-targets -- -D warnings run_rustdoc: name: Run RustDoc runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: dtolnay/rust-toolchain@master with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} - components: rustfmt + persist-credentials: false + + - name: Install Rust toolchain + run: | + rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --profile minimal + rustup default "${RUST_TOOLCHAIN_VERSION}" + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: doc - - run: cargo doc 
--document-private-items - run_tests: - name: Run Cargo Tests - needs: - - run_clippy - - run_rustfmt - - run_rustdoc - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: dtolnay/rust-toolchain@master - with: - toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }} + - name: Build documentation + run: cargo doc --document-private-items + run_tests: + name: Run Cargo Tests + needs: + - run_clippy + - run_rustfmt + - run_rustdoc + runs-on: ubuntu-latest + permissions: + contents: read # Required by actions/checkout. + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Install Rust toolchain with rust-src + run: | + rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --profile minimal --component rust-src + rustup default "${RUST_TOOLCHAIN_VERSION}" + # rust-src is required for trybuild stderr output comparison to work # for our cases. # See: https://github.com/dtolnay/trybuild/issues/236#issuecomment-1620950759 - components: rust-src - - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 - with: - key: test - - run: cargo test --all-features + + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 + with: + key: test + + - name: Run tests + run: cargo test --all-feature tests_passed: name: All tests passed From 304de92a5bf80e6f81cd2bfb0dddb88fdc1e2c11 Mon Sep 17 00:00:00 2001 From: Saul Beck Date: Fri, 26 Jun 2026 09:31:48 +0100 Subject: [PATCH 2/2] Fix: Fixing incorrect indentation --- .github/workflows/build.yml | 116 ++++++++++++++++++++++-------------- 1 file changed, 71 insertions(+), 45 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 211d8eb..960e849 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
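Review bot: In `run_tests` of patch 1/2, the three `# rust-src is required for trybuild …` comment lines were left where the removed `components: rust-src` key used to be, so they now trail the `rustup` commands of the `Install Rust toolchain with rust-src` step instead of introducing them. Depending on their indentation, which is not recoverable from this view, they are either YAML comments between two steps or shell comments inside the `run: |` block. Moving them directly above `- name: Install Rust toolchain with rust-src` keeps the explanation next to the `--component rust-src` flag it justifies. The last step of this hunk also runs `cargo test --all-feature`, which is not a cargo flag; patch 2/2 corrects it, so squashing the two commits would avoid a revision where the test job cannot run.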
@@ -13,7 +13,7 @@ on: pull_request: merge_group: - permissions: {} +permissions: {} env: CARGO_TERM_COLOR: always @@ -29,36 +29,37 @@ jobs: run_udeps: name: Run Cargo Udeps runs-on: ubuntu-latest - permissions: + permissions: contents: read env: - RUSTC_BOOTSTRAP: 1 + RUSTC_BOOTSTRAP: "1" + steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: + with: persist-credentials: false - + - name: Install rust toolchain - run: | - rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" - rustup default "${RUST_TOOLCHAIN_VERSION}" - + run: | + rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --profile minimal + rustup default "${RUST_TOOLCHAIN_VERSION}" + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: udeps - name: Install cargo-udeps - run: cargo install cargo-udeps --version "${CARGO_UDEPS_VERSION}" --locked + run: cargo install cargo-udeps --locked - name: Check for unused dependencies run: cargo udeps --all-targets --all-features - run_cargodeny: name: Run Cargo Deny runs-on: ubuntu-latest - permissions: + permissions: contents: read + strategy: matrix: checks: @@ -72,7 +73,7 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - + - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15 with: command: check ${{ matrix.checks }} @@ -80,8 +81,9 @@ jobs: run_rustfmt: name: Run Rustfmt runs-on: ubuntu-latest - permissions: + permissions: contents: read + steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
@@ -89,30 +91,47 @@ jobs: - name: Install Rust toolchain with rustfmt run: | - rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --profile minimal --component rustfmt + rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" \ + --profile minimal \ + --component rustfmt rustup default "${RUST_TOOLCHAIN_VERSION}" - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 with: key: fmt - - run: cargo fmt --all -- --check + + - name: Run Rustfmt + run: cargo fmt --all -- --check run_clippy: name: Run Clippy runs-on: ubuntu-latest + permissions: + contents: read + steps: - name: Install host dependencies run: | sudo apt-get update - sudo apt-get install protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + sudo apt-get install --yes \ + protobuf-compiler \ + krb5-user \ + libkrb5-dev \ + libclang-dev \ + liblzma-dev \ + libssl-dev \ + pkg-config + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive persist-credentials: false - - name: Install Rust toolchain with Clippy + - name: Install Rust toolchain with Clippy run: | - rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --profile minimal --component clippy + rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" \ + --profile minimal \ + --component clippy rustup default "${RUST_TOOLCHAIN_VERSION}" - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 @@ -121,12 +140,12 @@ jobs: - name: Run Clippy run: cargo clippy --color never -q --all-targets -- -D warnings - run_rustdoc: name: Run RustDoc runs-on: ubuntu-latest permissions: - contents: read + contents: read + steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
@@ -143,42 +162,49 @@ jobs: - name: Build documentation run: cargo doc --document-private-items - run_tests: - name: Run Cargo Tests - needs: - - run_clippy - - run_rustfmt - - run_rustdoc - runs-on: ubuntu-latest - permissions: - contents: read # Required by actions/checkout. - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Install Rust toolchain with rust-src - run: | - rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" --profile minimal --component rust-src - rustup default "${RUST_TOOLCHAIN_VERSION}" + + run_tests: + name: Run Cargo Tests + needs: + - run_clippy + - run_rustfmt + - run_rustdoc + runs-on: ubuntu-latest + permissions: + contents: read # Required by actions/checkout. + + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Install Rust toolchain with rust-src + run: | + rustup toolchain install "${RUST_TOOLCHAIN_VERSION}" \ + --profile minimal \ + --component rust-src + rustup default "${RUST_TOOLCHAIN_VERSION}" # rust-src is required for trybuild stderr output comparison to work # for our cases. # See: https://github.com/dtolnay/trybuild/issues/236#issuecomment-1620950759 + - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 + with: + key: test - - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 - with: - key: test - - - name: Run tests - run: cargo test --all-feature + - name: Run tests + run: cargo test --all-features tests_passed: name: All tests passed needs: - run_udeps + - run_cargodeny - run_tests runs-on: ubuntu-latest + permissions: {} + steps: - name: log run: echo All tests have passed! + \ No newline at end of file
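Review bot: `tests_passed` still has no `if:` condition, so when any job listed under `needs:` fails (including the newly added `run_cargodeny`), this job is skipped rather than failed. GitHub reports a skipped job as successful for required status checks, so if `tests_passed` is the check that branch protection or the merge queue requires (not visible here), a failing cargo-deny or test run would not block the merge. Adding `if: ${{ always() }}` to the job and replacing the echo with a step that fails unless every entry of `needs.*.result` is `success` makes the gate fail closed. One such step is `run: test "${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') }}" = "false"`.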