mirror of
https://github.com/imjasonh/rustvulncheck
synced 2026-07-09 21:06:59 +00:00
The old --existing-db flag skipped already-enriched entries by advisory ID, so improvements to diff_analyzer.rs had no effect on the committed vuln_db.json. The new --re-enrich flag re-fetches diffs for existing entries and re-extracts symbols using the current code, updating them in-place. The CI enrich job now passes --re-enrich so that code changes to the symbol extraction pipeline are reflected in the PR's vuln_db.json diff. https://claude.ai/code/session_01P1LKP6aqGt68rQAXrF6kSE
94 lines
2.5 KiB
YAML
94 lines
2.5 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Rust
|
|
uses: dtolnay/rust-toolchain@stable
|
|
|
|
- name: Cache cargo registry & build
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cargo/registry
|
|
~/.cargo/git
|
|
target
|
|
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-cargo-
|
|
|
|
- name: Build
|
|
run: cargo build --verbose
|
|
|
|
- name: Run tests
|
|
run: cargo test --verbose
|
|
|
|
enrich:
|
|
runs-on: ubuntu-latest
|
|
if: github.event_name == 'pull_request'
|
|
timeout-minutes: 30
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.head_ref }}
|
|
fetch-depth: 0
|
|
|
|
- name: Install Rust
|
|
uses: dtolnay/rust-toolchain@stable
|
|
|
|
- name: Cache cargo registry & build
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cargo/registry
|
|
~/.cargo/git
|
|
target
|
|
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-cargo-
|
|
|
|
- name: Build
|
|
run: cargo build --release
|
|
|
|
- name: Re-enrich vuln_db.json with updated code
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
cargo run --release -- enrich \
|
|
--existing-db vuln_db.json \
|
|
--re-enrich \
|
|
--limit 999999 \
|
|
--timeout-secs 1500 \
|
|
--output vuln_db.json
|
|
|
|
- name: Commit updated vuln_db.json if changed
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
git add vuln_db.json
|
|
if git diff --cached --quiet; then
|
|
echo "No changes to vuln_db.json, skipping commit."
|
|
else
|
|
TOTAL=$(jq '.entries | length' vuln_db.json)
|
|
WITH_SYMBOLS=$(jq '[.entries[] | select(.vulnerable_symbols | length > 0)] | length' vuln_db.json)
|
|
git commit -m "chore: enrich vuln db from CI (${TOTAL} entries, ${WITH_SYMBOLS} with symbols)"
|
|
git push
|
|
fi
|
|
|
|
- name: Upload enriched DB artifact
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: vuln-db
|
|
path: vuln_db.json
|