Skip to content

Commit

Permalink
Optimize GitHub actions workflow for code quality and security (#28)
Browse files Browse the repository at this point in the history 
* Optimize GitHub Actions workflow for code quality and security  - Reuse checkout step from shared-setup job to reduce duplication - Add caching for Rust toolchain to improve build times - These changes should improve the overall efficiency and performance of the workflow without compromising the code quality and security checks

This pull request optimizes the existing GitHub Actions workflow for code quality and security checks. The key changes include:

1. Reusing the checkout step from the `shared-setup` job in both the `devskim` and `rust-clippy` jobs to reduce duplication.
2. Adding caching for the Rust toolchain in the `rust-clippy` job to speed up the installation process.

These changes should help improve the overall efficiency and performance of the workflow, while maintaining the same level of code quality and security checks.

* Optimize GitHub Actions workflow for code quality and security

* feat: Update GitHub Actions workflow to support multiple operating systems

The GitHub Actions workflow has been updated to support multiple operating systems. This change allows the workflow to run on Ubuntu, macOS, and Windows. The matrix strategy has been added to specify the different operating systems. This optimization improves code quality and security.

* Update GitHub Actions DevSkim workflow to use Ubuntu Latest as default operating system, as it is only supported on Linux

* Optimize GitHub Actions workflow by checking if clippy-sarif and sarif-fmt are already installed before installing them

* Optimize GitHub Actions workflow by checking if clippy-sarif and sarif-fmt are already installed before installing them

* Optimize GitHub Actions workflow by checking if clippy-sarif and sarif-fmt are already installed before installing them

* Optimize GitHub Actions workflow by installing clippy-sarif and sarif-fmt without checking if they are already installed

* Optimize GitHub Actions workflow by forcing installation of clippy-sarif and sarif-fmt

* Optimize GitHub Actions workflow by updating codeql-action to v3

* Optimize insert_startup_scripts function for Windows

The insert_startup_scripts function in the windows.rs file has been optimized to improve performance and readability. The unnecessary conversion of the path variable to a Path object has been removed, resulting in more efficient code execution. This change enhances the overall functionality of the function and ensures smoother operation on Windows systems.

* Refactoring Shared Setup
Adding OSV Scanner

* chore: improve Windows Update step and add PSWindowsUpdate Module

* Optimize GitHub Actions workflow for code quality and security

* Optimize GitHub Actions workflow by adding DevSkim linting step

* Revert "Optimize GitHub Actions workflow by adding DevSkim linting step"

This reverts commit e9ca075.

* feat: add fail-on-vuln option to OSV Scanner workflow

* feat: enhance security workflow with DevSkim and Clippy analysis

* feat: update security vulnerability workflow with explicit permissions and token

---------

Co-authored-by: nistee <[email protected]>
  • Loading branch information
@niStee
niStee and nistee authored Feb 16, 2025
1 parent 1613d5d commit bece264
Showing 1 changed file with 75 additions and 12 deletions.
87 changes: 75 additions & 12 deletions .github/workflows/check_security_vulnerability.yml
View file
Original file line number Diff line number Diff line change
@@ -1,32 +1,95 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Check Security Vulnerability
name: Code Quality and Security

on:
pull_request:
push:
branches:
- main
branches: [main]
schedule:
- cron: '0 0 * * 0'

env:
RUST_TOOLCHAIN: stable

# Add top-level permissions
permissions:
actions: write
contents: write
security-events: write
jobs:
lint:
name: DevSkim
runs-on: ubuntu-latest
shared-setup:
name: Shared Setup
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
permissions:
actions: read
contents: read
security-events: write
outputs:
checkout_ref: ${{ steps.checkout.outputs.ref }}
steps:
- name: Checkout code
id: checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }} # Explicitly set token

security-scan:
name: Security Scans
needs: shared-setup
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
include:
- os: ubuntu-latest
run_devskim: true
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ needs.shared-setup.outputs.checkout_ref }}

# Cache setup
- name: Cache Rust toolchain
uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
~/.rustup/
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock', '**/Cargo.toml') }}-${{ github.sha }}

# Clippy Analysis
- name: Setup Rust tools
run: |
rustup toolchain install ${{ env.RUST_TOOLCHAIN }}
cargo install clippy-sarif sarif-fmt --force
- name: Run Clippy Analysis
run: cargo clippy --all-features --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
continue-on-error: true
- name: Upload Clippy results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: rust-clippy-results.sarif
wait-for-processing: true

# DevSkim Security Scan
- name: Run DevSkim scanner
if: matrix.run_devskim == 'true'
uses: microsoft/DevSkim-Action@v1

- name: Upload DevSkim scan results to GitHub Security tab
if: matrix.run_devskim == 'true'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: devskim-results.sarif

osv-scanner:
name: OSV Scanner
needs: shared-setup
uses: "google/osv-scanner-action/.github/workflows/[email protected]"
with:
fail-on-vuln: false

0 comments on commit bece264

Please sign in to comment.