Merge pull request #372 from artichoke/lopopolo/cargo-deny-action

Use cargo-deny GitHub Action from upstream maintainer
artichoke · Sep 5, 2022 · 0e267d2 · 0e267d2
2 parents 41b4e9d + 41800c8
commit 0e267d2
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 24 deletions.
diff --git a/github-org-artichoke/repository_file_github_actions_audit_workflow.tf b/github-org-artichoke/repository_file_github_actions_audit_workflow.tf
@@ -45,12 +45,6 @@ locals {
   audit_node_ruby_rust_repos = [
     "playground", // https://github.com/artichoke/playground
   ]
-
-  // https://github.com/EmbarkStudios/cargo-deny/releases/tag/0.11.3
-  cargo_deny = {
-    version  = "0.11.3"
-    base_url = "https://github.com/EmbarkStudios/cargo-deny/releases/download"
-  }
 }
 
 module "audit_workflow_node" {
@@ -95,7 +89,7 @@ module "audit_workflow_ruby_rust" {
   base_branch  = "trunk"
   file_path    = ".github/workflows/audit.yaml"
 
-  file_contents = templatefile("${path.module}/templates/audit-workflow-ruby-rust.yaml", { cargo_deny = local.cargo_deny })
+  file_contents = file("${path.module}/templates/audit-workflow-ruby-rust.yaml")
 }
 
 module "audit_workflow_node_ruby_rust" {
@@ -107,5 +101,5 @@ module "audit_workflow_node_ruby_rust" {
   base_branch  = "trunk"
   file_path    = ".github/workflows/audit.yaml"
 
-  file_contents = templatefile("${path.module}/templates/audit-workflow-node-ruby-rust.yaml", { cargo_deny = local.cargo_deny })
+  file_contents = file("${path.module}/templates/audit-workflow-node-ruby-rust.yaml")
 }
diff --git a/github-org-artichoke/templates/audit-workflow-node-ruby-rust.yaml b/github-org-artichoke/templates/audit-workflow-node-ruby-rust.yaml
@@ -44,6 +44,14 @@ jobs:
   rust:
     name: Audit Rust Dependencies
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    # Prevent sudden announcement of a new advisory from failing ci:
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
 
     steps:
       - name: Checkout repository
@@ -73,11 +81,8 @@ jobs:
             cargo +stable generate-lockfile --verbose
           fi
 
-      - name: Setup cargo-deny
-        run: curl -sL "${cargo_deny.base_url}/${cargo_deny.version}/cargo-deny-${cargo_deny.version}-x86_64-unknown-linux-musl.tar.gz" | sudo tar xvz -C /usr/local/bin/ --strip-components=1
-
-      - name: Show cargo-deny version
-        run: cargo-deny --version
-
-      - name: Run cargo-deny
-        run: cargo-deny --locked check --show-stats
+      - uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --locked --all-features
+          command: check ${{ matrix.checks }}
+          command-arguments: --show-stats
diff --git a/github-org-artichoke/templates/audit-workflow-ruby-rust.yaml b/github-org-artichoke/templates/audit-workflow-ruby-rust.yaml
@@ -30,6 +30,14 @@ jobs:
   rust:
     name: Audit Rust Dependencies
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    # Prevent sudden announcement of a new advisory from failing ci:
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
 
     steps:
       - name: Checkout repository
@@ -59,11 +67,8 @@ jobs:
             cargo +stable generate-lockfile --verbose
           fi
 
-      - name: Setup cargo-deny
-        run: curl -sL "${cargo_deny.base_url}/${cargo_deny.version}/cargo-deny-${cargo_deny.version}-x86_64-unknown-linux-musl.tar.gz" | sudo tar xvz -C /usr/local/bin/ --strip-components=1
-
-      - name: Show cargo-deny version
-        run: cargo-deny --version
-
-      - name: Run cargo-deny
-        run: cargo-deny --locked check --show-stats
+      - uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --locked --all-features
+          command: check ${{ matrix.checks }}
+          command-arguments: --show-stats