Add cargo audit CI #9182
Add cargo audit CI #9182
Conversation
.github/workflows/audit.yml
Outdated
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: rustsec/[email protected] |
There was a problem hiding this comment.
Apache policy only allows actions from certain other repos and rustsec isn't one.
I tested this action via a PR that also updated datafusion-cli/Cargo.lock: #9185
This check fails
https://github.com/apache/arrow-datafusion/actions/runs/7849603823
Annotations
1 error
Error: .github#L1
rustsec/[email protected] is not allowed to be used in apache/arrow-datafusion. Actions in this workflow must be: within a repository owned by apache, created by GitHub, verified in the GitHub Marketplace, or matching the following: */*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+, AdoptOpenJDK/install-jdk@*, JamesIves/github-pages-deploy-action@5dc1d5a192aeb5ab5b7d5a77b7d36aea4a7f5c92, TobKed/label-when-approved-action@*, actions-cool/issues-helper@*, actions-rs/*, al-cheb/configure-pagefile-action@*, amannn/action-semantic-pull-request@*, apache/*, burrunan/gradle-cache-action@*, bytedeco/javacpp-presets/.github/actions/*, chromaui/action@*, codecov/codecov-action@*, conda-incubator/setup-miniconda@*, container-tools/kind-action@*, container-tools/microshift-action@*, dawidd6/action-download-artifact@*, delaguardo/setup-graalvm@*, docker://jekyll/jekyll:*, docker://pandoc/core:2.9, eps1lon/actions-label-merge-conflict@*, gaurav-nelson/github-action-markdown-link-chec...
Maybe we can just install/run cargo audit directly 🤔 Or maybe https://embarkstudios.github.io/cargo-deny/ which is what we use in InfluxDb
There was a problem hiding this comment.
I was misunderstanding before, so it's about the policy.
Not sure if the action from Embark Studios is on the allowlist, so I'm going to install cargo-audit from cargo in the workflow at this moment.
It takes a couple of minutes to install cargo-audit and download the advisory db while installing from Cargo. Instead of that, use The audit process takes about 10 seconds to complete. |
|
👍 looks good to me -- the audit check job takes 12s to run: https://github.com/apache/arrow-datafusion/actions/runs/7877518929/job/21493850998?pr=9205 Perhaps we can simply add this to the normal CI runs on every PR rather than only on main? |
|
The GitHub CI runner VM does not recreate each time it runs, the installation time of cargo-audit could be ignored in most cases. It's would be viable to include this action on every PR. |
| paths: | ||
| - "**/Cargo.toml" | ||
| - "**/Cargo.lock" |
There was a problem hiding this comment.
Should we instead have it run each main push? e.g. in case an existing dependency gets flagged
There was a problem hiding this comment.
This is what @ongchi had in his initial PR (only un on main)
I think it was better to run on each PR because:
- It takes 12 seconds to run
- If it fails, this will block PRs merging and force us to fix it quickly rather than waiting for someone to notice mai is broken. If we are going to have a CI check I think we should invest the effort to keep it green
However, if others agree it would be better to run only on main, I would be fine with that too
When I looked at the log of It appears to show that cargo-audit is already installed (so "reinstalling" it is just a no op) |
|
Thanks again @ongchi |
Which issue does this PR close?
Closes #9116 .
Rationale for this change
What changes are included in this PR?
Add cargo audit CI.
Are these changes tested?
Are there any user-facing changes?