mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-13 16:39:12 +00:00
Replaces the old enrichment-dry-run job with an enrich job that: - Only runs on pull requests (not push to main) - Checks out the PR branch (not merge ref) so it can push back - Builds with --release for faster enrichment - Uses --existing-db to resume from the committed vuln_db.json - Enriches up to 20 new advisories with a 25-min timeout - Commits and pushes updated vuln_db.json if it changed - Also uploads as an artifact for inspection The workflow has contents: write permission so the bot can push commits to the PR branch. https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
98 lines
2.5 KiB
YAML
98 lines
2.5 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Rust
|
|
uses: dtolnay/rust-toolchain@stable
|
|
|
|
- name: Cache cargo registry & build
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cargo/registry
|
|
~/.cargo/git
|
|
target
|
|
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-cargo-
|
|
|
|
- name: Build
|
|
run: cargo build --verbose
|
|
|
|
- name: Run tests
|
|
run: cargo test --verbose
|
|
|
|
enrich:
|
|
runs-on: ubuntu-latest
|
|
if: github.event_name == 'pull_request'
|
|
timeout-minutes: 30
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.head_ref }}
|
|
fetch-depth: 0
|
|
|
|
- name: Install Rust
|
|
uses: dtolnay/rust-toolchain@stable
|
|
|
|
- name: Cache cargo registry & build
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cargo/registry
|
|
~/.cargo/git
|
|
target
|
|
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-cargo-
|
|
|
|
- name: Build
|
|
run: cargo build --release
|
|
|
|
- name: Run enrichment pipeline
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
EXISTING_FLAG=""
|
|
if [ -f vuln_db.json ]; then
|
|
EXISTING_FLAG="--existing-db vuln_db.json"
|
|
fi
|
|
|
|
cargo run --release -- enrich \
|
|
--limit 20 \
|
|
--timeout-secs 1500 \
|
|
$EXISTING_FLAG \
|
|
--output vuln_db.json
|
|
|
|
- name: Commit updated vuln_db.json if changed
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
git add vuln_db.json
|
|
if git diff --cached --quiet; then
|
|
echo "No changes to vuln_db.json, skipping commit."
|
|
else
|
|
TOTAL=$(jq '.entries | length' vuln_db.json)
|
|
WITH_SYMBOLS=$(jq '[.entries[] | select(.vulnerable_symbols | length > 0)] | length' vuln_db.json)
|
|
git commit -m "chore: enrich vuln db from CI (${TOTAL} entries, ${WITH_SYMBOLS} with symbols)"
|
|
git push
|
|
fi
|
|
|
|
- name: Upload enriched DB artifact
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: vuln-db
|
|
path: vuln_db.json
|