1
0
Fork 0
mirror of https://github.com/imjasonh/rustvulncheck synced 2026-07-09 21:06:59 +00:00
rustvulncheck/.github/workflows/ci.yml
Claude 0b933a662d
Add --re-enrich flag to reprocess existing DB entries with current code
The old --existing-db flag skipped already-enriched entries by advisory
ID, so improvements to diff_analyzer.rs had no effect on the committed
vuln_db.json. The new --re-enrich flag re-fetches diffs for existing
entries and re-extracts symbols using the current code, updating them
in-place.

The CI enrich job now passes --re-enrich so that code changes to the
symbol extraction pipeline are reflected in the PR's vuln_db.json diff.

https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
2026-03-25 15:26:11 +00:00

94 lines
2.5 KiB
YAML

name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: write
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
- name: Cache cargo registry & build
uses: actions/cache@v4
with:
path: |
~/.cargo/registry
~/.cargo/git
target
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-
- name: Build
run: cargo build --verbose
- name: Run tests
run: cargo test --verbose
enrich:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
fetch-depth: 0
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
- name: Cache cargo registry & build
uses: actions/cache@v4
with:
path: |
~/.cargo/registry
~/.cargo/git
target
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-
- name: Build
run: cargo build --release
- name: Re-enrich vuln_db.json with updated code
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cargo run --release -- enrich \
--existing-db vuln_db.json \
--re-enrich \
--limit 999999 \
--timeout-secs 1500 \
--output vuln_db.json
- name: Commit updated vuln_db.json if changed
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add vuln_db.json
if git diff --cached --quiet; then
echo "No changes to vuln_db.json, skipping commit."
else
TOTAL=$(jq '.entries | length' vuln_db.json)
WITH_SYMBOLS=$(jq '[.entries[] | select(.vulnerable_symbols | length > 0)] | length' vuln_db.json)
git commit -m "chore: enrich vuln db from CI (${TOTAL} entries, ${WITH_SYMBOLS} with symbols)"
git push
fi
- name: Upload enriched DB artifact
uses: actions/upload-artifact@v4
with:
name: vuln-db
path: vuln_db.json