Merge branch 'main' of https://github.com/0xNikilite/oboromi

2026-01-31 01:15:22 +01:00 · 2025-09-01 18:13:04 +02:00
parent 4f9273bb23 35079e73b5
commit 7c0f327bca
1 changed files with 95 additions and 15 deletions
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -2,27 +2,53 @@ name: Security Audit

 on:
  schedule:
-    - cron: '0 0 * * 1' # Every Monday at 00:00 UTC
-  pull_request:
+    - cron: '0 0 * * 1'
+  push:
    branches: [main]
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  issues: write

 jobs:
  security:
    runs-on: ubuntu-latest
    steps:
-    
-      - uses: actions/checkout@v4
-      
+      - name: Checkout
+        uses: actions/checkout@v4
+
      - name: Install stable Rust
        uses: dtolnay/rust-toolchain@v1
        with:
          toolchain: stable
-          
-      - name: Audit dependencies for vulnerabilities
-        uses: actions-rs/audit-check@v1
+
+      - name: Ensure cargo-audit installed
+        run: |
+          if ! command -v cargo-audit &> /dev/null; then
+            cargo install cargo-audit --locked
+          fi
+
+      - name: Run cargo-audit and save JSON
+        run: |
+          cargo audit --json > audit.json || true
+          echo "Saved audit.json (cargo-audit exit ignored to collect full report)."
+          echo "Vulnerabilities summary (first 10 entries):"
+          jq -r '
+            if (.vulnerabilities and .vulnerabilities.list) then
+              .vulnerabilities.list[:10][] |
+              (.advisory.id // "N/A") + " | " + (.package.name // "?") + " " + (.package.version // "?") + " | " + (.advisory.title // "")
+            else
+              "No vulnerabilities found"
+            end
+          ' audit.json || true
+
+      - name: Upload cargo-audit report
+        uses: actions/upload-artifact@v4
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          
+          name: cargo-audit-report
+          path: audit.json
+
      - name: Cache cargo bin directory
        uses: actions/cache@v3
        with:
@@ -30,17 +56,71 @@ jobs:
          key: ${{ runner.os }}-cargo-bin-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-bin-
-            
-      - name: Install cargo-outdated if needed
+
+      - name: Ensure cargo-outdated installed
        run: |
          if ! command -v cargo-outdated &> /dev/null; then
            cargo install cargo-outdated --locked
          fi
+
      - name: Check for outdated dependencies
-      
-        run: cargo outdated --exit-code 1 || echo "Outdated dependencies found - not failing build"
-        
+        run: cargo outdated --exit-code 1 || echo "Outdated dependencies found - not failing workflow"
+
      - name: Scan for exposed secrets
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create or update issue if vulnerabilities found
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const fs = require('fs');
+            const dataRaw = fs.existsSync('audit.json') ? fs.readFileSync('audit.json','utf8') : '{}';
+            const data = JSON.parse(dataRaw || '{}');
+            const vulns = (data.vulnerabilities && data.vulnerabilities.list) || [];
+            if (vulns.length === 0) {
+              core.info('No vulnerabilities found by cargo-audit. Exiting issue step.');
+              return;
+            }
+
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const label = 'security';
+            const fixedTitle = 'Security: cargo-audit vulnerabilities detected';
+
+            let body = `cargo-audit found **${vulns.length}** vulnerability(ies).\n\n`;
+            body += 'Summary (first 25 entries):\n\n';
+            for (let i=0;i<Math.min(25,vulns.length);i++){
+              const v=vulns[i];
+              const adv=v.advisory||{};
+              const pkg=v.package||{};
+              body += `- **${adv.id || 'N/A'}** - ${adv.title || ''}\n  - crate: ${pkg.name || '?'} ${pkg.version || '?'}\n  - date: ${adv.date || 'N/A'}\n  - url: ${adv.url || 'N/A'}\n\n`;
+            }
+            body += '\nFull JSON report is attached as an artifact `cargo-audit-report`.\n\nSuggested action: run `cargo tree -i <crate>` locally and `cargo update -p <crate> --precise <version>` if possible, then commit the updated Cargo.lock.';
+
+            const issues = await github.rest.issues.listForRepo({
+              owner, repo,
+              state: 'open',
+              labels: label,
+              per_page: 100
+            });
+
+            const existing = issues.data.find(i => (i.title || '').toLowerCase() === fixedTitle.toLowerCase());
+
+            if (existing) {
+              await github.rest.issues.createComment({
+                owner, repo,
+                issue_number: existing.number,
+                body: `New cargo-audit run detected **${vulns.length}** vulnerability(ies) on ${new Date().toISOString()}.\n\n` + body
+              });
+              core.info(`Appended comment to existing issue #${existing.number}`);
+            } else {
+              await github.rest.issues.create({
+                owner, repo,
+                title: fixedTitle,
+                body: body,
+                labels: [label]
+              });
+              core.info('Created new security issue.');
+            }