CI: Check workflows and actions with zizmor #1108
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Audits | |
on: | |
pull_request: | |
push: | |
branches: main | |
permissions: | |
contents: read | |
jobs: | |
cargo-vet: | |
name: Vet Rust dependencies | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: dtolnay/rust-toolchain@stable | |
id: toolchain | |
- run: rustup override set ${{steps.toolchain.outputs.name}} | |
- run: cargo install cargo-vet --version ~0.10 | |
- run: cargo vet --locked | |
cargo-deny: | |
name: Check licenses | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: EmbarkStudios/cargo-deny-action@v2 | |
with: | |
command: check licenses | |
required-audits: | |
name: Required audits have passed | |
needs: | |
- cargo-vet | |
- cargo-deny | |
if: ${{ always() }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Determine whether all required-pass steps succeeded | |
run: | | |
echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all' |