name: CI on: push: branches: [main] pull_request: branches: [main] permissions: contents: write jobs: test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Install Rust uses: dtolnay/rust-toolchain@stable - name: Cache cargo registry & build uses: actions/cache@v4 with: path: | ~/.cargo/registry ~/.cargo/git target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} restore-keys: | ${{ runner.os }}-cargo- - name: Build run: cargo build --verbose - name: Run tests run: cargo test --verbose enrich: runs-on: ubuntu-latest if: github.event_name == 'pull_request' timeout-minutes: 30 steps: - uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} fetch-depth: 0 - name: Install Rust uses: dtolnay/rust-toolchain@stable - name: Cache cargo registry & build uses: actions/cache@v4 with: path: | ~/.cargo/registry ~/.cargo/git target key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} restore-keys: | ${{ runner.os }}-cargo- - name: Build run: cargo build --release - name: Re-enrich vuln_db.json with updated code env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | cargo run --release -- enrich \ --existing-db vuln_db.json \ --re-enrich \ --limit 999999 \ --timeout-secs 1500 \ --output vuln_db.json - name: Commit updated vuln_db.json if changed run: | git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" git add vuln_db.json if git diff --cached --quiet; then echo "No changes to vuln_db.json, skipping commit." else TOTAL=$(jq '.entries | length' vuln_db.json) WITH_SYMBOLS=$(jq '[.entries[] | select(.vulnerable_symbols | length > 0)] | length' vuln_db.json) git commit -m "chore: enrich vuln db from CI (${TOTAL} entries, ${WITH_SYMBOLS} with symbols)" git push fi - name: Upload enriched DB artifact uses: actions/upload-artifact@v4 with: name: vuln-db path: vuln_db.json