diff --git a/github-org-artichoke/repository_file_github_actions_audit_workflow.tf b/github-org-artichoke/repository_file_github_actions_audit_workflow.tf
index 850fc19..9cdf250 100644
--- a/github-org-artichoke/repository_file_github_actions_audit_workflow.tf
+++ b/github-org-artichoke/repository_file_github_actions_audit_workflow.tf
@@ -45,12 +45,6 @@ locals {
 audit_node_ruby_rust_repos = [
 "playground", // https://github.com/artichoke/playground
 ]
-
- // https://github.com/EmbarkStudios/cargo-deny/releases/tag/0.11.3
- cargo_deny = {
- version = "0.11.3"
- base_url = "https://github.com/EmbarkStudios/cargo-deny/releases/download"
- }
 }
 module "audit_workflow_node" {
@@ -95,7 +89,7 @@ module "audit_workflow_ruby_rust" {
 base_branch = "trunk"
 file_path = ".github/workflows/audit.yaml"
- file_contents = templatefile("${path.module}/templates/audit-workflow-ruby-rust.yaml", { cargo_deny = local.cargo_deny })
+ file_contents = file("${path.module}/templates/audit-workflow-ruby-rust.yaml")
 }
 module "audit_workflow_node_ruby_rust" {
@@ -107,5 +101,5 @@ module "audit_workflow_node_ruby_rust" {
 base_branch = "trunk"
 file_path = ".github/workflows/audit.yaml"
- file_contents = templatefile("${path.module}/templates/audit-workflow-node-ruby-rust.yaml", { cargo_deny = local.cargo_deny })
+ file_contents = file("${path.module}/templates/audit-workflow-node-ruby-rust.yaml")
 }
diff --git a/github-org-artichoke/templates/audit-workflow-node-ruby-rust.yaml b/github-org-artichoke/templates/audit-workflow-node-ruby-rust.yaml
index 0f5d168..ef4e216 100644
--- a/github-org-artichoke/templates/audit-workflow-node-ruby-rust.yaml
+++ b/github-org-artichoke/templates/audit-workflow-node-ruby-rust.yaml
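Review bot: In `repository_file_github_actions_audit_workflow.tf`, the `file_contents` lines of `audit_workflow_ruby_rust` and `audit_workflow_node_ruby_rust` now read the templates with `file()`, so any `$${` or `%%{` escape left over from the `templatefile()` rendering would be committed verbatim into `.github/workflows/audit.yaml`. The unchanged parts of both templates are not visible in this diff, so this is a check to make before applying rather than a confirmed defect. A comment above each line, such as `// Read verbatim: the workflow contains GitHub ${{ }} expressions that templatefile() would try to interpolate`, would keep a later change from switching back. Both module blocks start outside their hunks.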
@@ -44,6 +44,14 @@ jobs:
 rust:
 name: Audit Rust Dependencies
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ checks:
+ - advisories
+ - bans licenses sources
+
+ # Prevent sudden announcement of a new advisory from failing ci:
+ continue-on-error: ${{ matrix.checks == 'advisories' }}
 steps:
 - name: Checkout repository
@@ -73,11 +81,8 @@ jobs:
 cargo +stable generate-lockfile --verbose
 fi
- - name: Setup cargo-deny
- run: curl -sL "${cargo_deny.base_url}/${cargo_deny.version}/cargo-deny-${cargo_deny.version}-x86_64-unknown-linux-musl.tar.gz" | sudo tar xvz -C /usr/local/bin/ --strip-components=1
-
- - name: Show cargo-deny version
- run: cargo-deny --version
-
- - name: Run cargo-deny
- run: cargo-deny --locked check --show-stats
+ - uses: EmbarkStudios/cargo-deny-action@v1
+ with:
+ arguments: --locked --all-features
+ command: check ${{ matrix.checks }}
+ command-arguments: --show-stats
diff --git a/github-org-artichoke/templates/audit-workflow-ruby-rust.yaml b/github-org-artichoke/templates/audit-workflow-ruby-rust.yaml
index 957f126..91f3534 100644
--- a/github-org-artichoke/templates/audit-workflow-ruby-rust.yaml
+++ b/github-org-artichoke/templates/audit-workflow-ruby-rust.yaml
@@ -30,6 +30,14 @@ jobs:
 rust:
 name: Audit Rust Dependencies
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ checks:
+ - advisories
+ - bans licenses sources
+
+ # Prevent sudden announcement of a new advisory from failing ci:
+ continue-on-error: ${{ matrix.checks == 'advisories' }}
 steps:
 - name: Checkout repository
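Review bot: In `audit-workflow-node-ruby-rust.yaml`, the job-level `continue-on-error` on the `advisories` leg covers every step of that leg, not only the cargo-deny check, so a failed checkout or lockfile generation is tolerated the same way as a newly published advisory. An advisory hit also no longer fails the workflow, and nothing in this hunk says where that result is surfaced or who triages it; the comment could state it, e.g. `# Advisory failures are non-blocking: review the advisories leg on every run`. If only the check itself should be tolerated, the same expression can sit on the cargo-deny step instead of on the job. The first hunk of `audit-workflow-ruby-rust.yaml` adds the identical block. The `rust` job continues outside the hunk.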
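Review bot: In `audit-workflow-node-ruby-rust.yaml`, `EmbarkStudios/cargo-deny-action@v1` is a mutable tag, so the action code and the cargo-deny release it runs can change without any commit in this repository, whereas the removed step fixed the tool version through `cargo_deny.version`. Pin the action to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: EmbarkStudios/cargo-deny-action@<full-commit-sha> # v1`, so that updates are deliberate and reviewable. The new `arguments` value also passes `--all-features`, which the removed `cargo-deny --locked check --show-stats` did not; if that wider scope is intended it deserves a line in the commit description. The second hunk of `audit-workflow-ruby-rust.yaml` carries the same `uses:` line.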
@@ -59,11 +67,8 @@ jobs:
 cargo +stable generate-lockfile --verbose
 fi
- - name: Setup cargo-deny
- run: curl -sL "${cargo_deny.base_url}/${cargo_deny.version}/cargo-deny-${cargo_deny.version}-x86_64-unknown-linux-musl.tar.gz" | sudo tar xvz -C /usr/local/bin/ --strip-components=1
-
- - name: Show cargo-deny version
- run: cargo-deny --version
-
- - name: Run cargo-deny
- run: cargo-deny --locked check --show-stats
+ - uses: EmbarkStudios/cargo-deny-action@v1
+ with:
+ arguments: --locked --all-features
+ command: check ${{ matrix.checks }}
+ command-arguments: --show-stats