1
0
Fork 0
mirror of https://github.com/imjasonh/rustvulncheck synced 2026-07-13 16:39:12 +00:00
rustvulncheck/.github/workflows/ci.yml
Claude d1d1a95991
Add CI enrichment job that commits vuln_db.json back to PR
Replaces the old enrichment-dry-run job with an enrich job that:
- Only runs on pull requests (not push to main)
- Checks out the PR branch (not merge ref) so it can push back
- Builds with --release for faster enrichment
- Uses --existing-db to resume from the committed vuln_db.json
- Enriches up to 20 new advisories with a 25-min timeout
- Commits and pushes updated vuln_db.json if it changed
- Also uploads as an artifact for inspection

The workflow has contents: write permission so the bot can push
commits to the PR branch.

https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
2026-03-25 15:15:01 +00:00

98 lines
2.5 KiB
YAML

name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: write
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
- name: Cache cargo registry & build
uses: actions/cache@v4
with:
path: |
~/.cargo/registry
~/.cargo/git
target
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-
- name: Build
run: cargo build --verbose
- name: Run tests
run: cargo test --verbose
enrich:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
fetch-depth: 0
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
- name: Cache cargo registry & build
uses: actions/cache@v4
with:
path: |
~/.cargo/registry
~/.cargo/git
target
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-
- name: Build
run: cargo build --release
- name: Run enrichment pipeline
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
EXISTING_FLAG=""
if [ -f vuln_db.json ]; then
EXISTING_FLAG="--existing-db vuln_db.json"
fi
cargo run --release -- enrich \
--limit 20 \
--timeout-secs 1500 \
$EXISTING_FLAG \
--output vuln_db.json
- name: Commit updated vuln_db.json if changed
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add vuln_db.json
if git diff --cached --quiet; then
echo "No changes to vuln_db.json, skipping commit."
else
TOTAL=$(jq '.entries | length' vuln_db.json)
WITH_SYMBOLS=$(jq '[.entries[] | select(.vulnerable_symbols | length > 0)] | length' vuln_db.json)
git commit -m "chore: enrich vuln db from CI (${TOTAL} entries, ${WITH_SYMBOLS} with symbols)"
git push
fi
- name: Upload enriched DB artifact
uses: actions/upload-artifact@v4
with:
name: vuln-db
path: vuln_db.json