From dd105a4491d8026869cd9264fdbe65c0dc4352ec Mon Sep 17 00:00:00 2001 From: Karolin Varner Date: Fri, 30 May 2025 13:15:37 +0200 Subject: [PATCH] Revert "fix: make CI workflows run after pushing excemptions for cargo-vet (#652)" This reverts commit bbd7e7bb729af55040684ba0a998c9523a7fa898, reversing changes made to db9d0b642b213fb4d0d1759d2c8cbffed669f922. --- .github/workflows/dependent-issues.yml | 6 --- .github/workflows/docker.yaml | 21 ++------ .github/workflows/nix-mac.yaml | 12 ----- .github/workflows/nix.yaml | 43 +-------------- .github/workflows/qc-mac.yaml | 2 - .github/workflows/qc.yaml | 28 ---------- .../regenerate-cargo-vet-exemptions.yml | 54 ------------------- .github/workflows/regressions.yml | 8 --- .github/workflows/supply-chain.yml | 30 +++++++---- 9 files changed, 26 insertions(+), 178 deletions(-) delete mode 100644 .github/workflows/regenerate-cargo-vet-exemptions.yml diff --git a/.github/workflows/dependent-issues.yml b/.github/workflows/dependent-issues.yml index 2009b1b..11a8eeb 100644 --- a/.github/workflows/dependent-issues.yml +++ b/.github/workflows/dependent-issues.yml @@ -17,10 +17,6 @@ on: # this action is required to pass before merging. Otherwise, it # can be removed. - synchronize - workflow_run: - workflows: [Regenerate cargo-vet exemptions for dependabot-PRs] - types: - - completed # Schedule a daily check. Useful if you reference cross-repository # issues or pull requests. Otherwise, it can be removed. @@ -29,8 +25,6 @@ on: jobs: check: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} permissions: issues: write pull-requests: write diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 63def6d..cee9afc 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml 
@@ -14,15 +14,6 @@ on: - ".github/workflows/docker.yaml" branches: - "main" - workflow_run: - workflows: [Regenerate cargo-vet exemptions for dependabot-PRs] - types: - - completed - paths: - - "docker/Dockerfile" - - ".github/workflows/docker.yaml" - branches: - - "main" permissions: contents: read @@ -33,8 +24,6 @@ jobs: # 1. BUILD & TEST # -------------------------------- build-and-test-rp: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} strategy: matrix: arch: [amd64, arm64] @@ -129,8 +118,8 @@ jobs: docker-image-rp: needs: - build-and-test-rp - # Only run this job if it s triggered by by a push to the main branch or a version tag. - if: ${{ github.event_name != 'pull_request' && github.event_name != 'workflow_run' }} + # Skip if this is not a PR. Then we want to push this image. + if: ${{ github.event_name != 'pull_request' }} # Use a matrix to build for both AMD64 and ARM64 strategy: matrix: @@ -194,8 +183,8 @@ jobs: docker-image-rosenpass: needs: - build-and-test-rp - # Only run this job if it s triggered by by a push to the main branch or a version tag. - if: ${{ github.event_name != 'pull_request' && github.event_name != 'workflow_run' }} + # Skip if this is not a PR. Then we want to push this image. + if: ${{ github.event_name != 'pull_request' }} # Use a matrix to build for both AMD64 and ARM64 strategy: matrix: @@ -260,7 +249,7 @@ jobs: needs: - docker-image-rosenpass - docker-image-rp - if: ${{ github.event_name != 'pull_request' && github.event_name != 'workflow_run' }} + if: ${{ github.event_name != 'pull_request' }} strategy: matrix: target: [rp, rosenpass] diff --git a/.github/workflows/nix-mac.yaml b/.github/workflows/nix-mac.yaml index 0feba92..73e77cd 100644 --- a/.github/workflows/nix-mac.yaml +++ b/.github/workflows/nix-mac.yaml 
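Review bot: The restored comment on `docker-image-rp` in the `@@ -129` hunk, `# Skip if this is not a PR. Then we want to push this image.`, states the opposite of the guard below it: `if: ${{ github.event_name != 'pull_request' }}` runs the job exactly when the event is not a pull request. Suggest rewording it to `# Run only when the event is not a pull_request; that is when we want to push this image.`, and the same fix applies to the identical comment on `docker-image-rosenpass` in the `@@ -194` hunk. Both job definitions continue past the end of their hunks, so the `steps:` that actually push are outside this view.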
@@ -13,8 +13,6 @@ concurrency: jobs: aarch64-darwin---default: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}} name: Build aarch64-darwin.default runs-on: - warp-macos-13-arm64-6x @@ -32,8 +30,6 @@ jobs: - name: Build run: nix build .#packages.aarch64-darwin.default --print-build-logs aarch64-darwin---release-package: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}} name: Build aarch64-darwin.release-package runs-on: - warp-macos-13-arm64-6x @@ -53,8 +49,6 @@ jobs: - name: Build run: nix build .#packages.aarch64-darwin.release-package --print-build-logs aarch64-darwin---rosenpass: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}} name: Build aarch64-darwin.rosenpass runs-on: - warp-macos-13-arm64-6x @@ -71,8 +65,6 @@ jobs: - name: Build run: nix build .#packages.aarch64-darwin.rosenpass --print-build-logs aarch64-darwin---rp: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}} name: Build aarch64-darwin.rp runs-on: - warp-macos-13-arm64-6x 
@@ -89,8 +81,6 @@ jobs: - name: Build run: nix build .#packages.aarch64-darwin.rp --print-build-logs aarch64-darwin---rosenpass-oci-image: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}} name: Build aarch64-darwin.rosenpass-oci-image runs-on: - warp-macos-13-arm64-6x @@ -108,8 +98,6 @@ jobs: - name: Build run: nix build .#packages.aarch64-darwin.rosenpass-oci-image --print-build-logs aarch64-darwin---check: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}} name: Run Nix checks on aarch64-darwin runs-on: - warp-macos-13-arm64-6x diff --git a/.github/workflows/nix.yaml b/.github/workflows/nix.yaml index ced5531..8efda2f 100644 --- a/.github/workflows/nix.yaml +++ b/.github/workflows/nix.yaml @@ -6,10 +6,6 @@ on: push: branches: - main - workflow_run: - workflows: [Regenerate cargo-vet exemptions for dependabot-PRs] - types: - - completed concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -17,8 +13,6 @@ concurrency: jobs: i686-linux---default: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build i686-linux.default runs-on: - ubicloud-standard-2-ubuntu-2204 
@@ -36,8 +30,6 @@ jobs: - name: Build run: nix build .#packages.i686-linux.default --print-build-logs i686-linux---rosenpass: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build i686-linux.rosenpass runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -54,8 +46,6 @@ jobs: - name: Build run: nix build .#packages.i686-linux.rosenpass --print-build-logs i686-linux---rosenpass-oci-image: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build i686-linux.rosenpass-oci-image runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -73,8 +63,6 @@ jobs: - name: Build run: nix build .#packages.i686-linux.rosenpass-oci-image --print-build-logs i686-linux---check: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Run Nix checks on i686-linux runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -90,8 +78,6 @@ jobs: - name: Check run: nix flake check . --print-build-logs x86_64-linux---default: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build x86_64-linux.default runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -109,8 +95,6 @@ jobs: - name: Build run: nix build .#packages.x86_64-linux.default --print-build-logs x86_64-linux---proof-proverif: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build x86_64-linux.proof-proverif runs-on: - ubicloud-standard-2-ubuntu-2204 
@@ -128,8 +112,6 @@ jobs: - name: Build run: nix build .#packages.x86_64-linux.proof-proverif --print-build-logs x86_64-linux---proverif-patched: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build x86_64-linux.proverif-patched runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -146,8 +128,6 @@ jobs: - name: Build run: nix build .#packages.x86_64-linux.proverif-patched --print-build-logs x86_64-linux---release-package: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build x86_64-linux.release-package runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -191,8 +171,6 @@ jobs: # - name: Build # run: nix build .#packages.aarch64-linux.release-package --print-build-logs x86_64-linux---rosenpass: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build x86_64-linux.rosenpass runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -209,8 +187,6 @@ jobs: - name: Build run: nix build .#packages.x86_64-linux.rosenpass --print-build-logs aarch64-linux---rosenpass: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build aarch64-linux.rosenpass runs-on: - ubicloud-standard-2-arm-ubuntu-2204 
@@ -232,8 +208,6 @@ jobs: - name: Build run: nix build .#packages.aarch64-linux.rosenpass --print-build-logs aarch64-linux---rp: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build aarch64-linux.rp runs-on: - ubicloud-standard-2-arm-ubuntu-2204 @@ -255,8 +229,6 @@ jobs: - name: Build run: nix build .#packages.aarch64-linux.rp --print-build-logs x86_64-linux---rosenpass-oci-image: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build x86_64-linux.rosenpass-oci-image runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -274,8 +246,6 @@ jobs: - name: Build run: nix build .#packages.x86_64-linux.rosenpass-oci-image --print-build-logs aarch64-linux---rosenpass-oci-image: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build aarch64-linux.rosenpass-oci-image runs-on: - ubicloud-standard-2-arm-ubuntu-2204 @@ -298,8 +268,6 @@ jobs: - name: Build run: nix build .#packages.aarch64-linux.rosenpass-oci-image --print-build-logs x86_64-linux---rosenpass-static: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build x86_64-linux.rosenpass-static runs-on: - ubicloud-standard-2-ubuntu-2204 
@@ -316,8 +284,6 @@ jobs: - name: Build run: nix build .#packages.x86_64-linux.rosenpass-static --print-build-logs x86_64-linux---rp-static: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build x86_64-linux.rp-static runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -334,8 +300,6 @@ jobs: - name: Build run: nix build .#packages.x86_64-linux.rp-static --print-build-logs x86_64-linux---rosenpass-static-oci-image: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build x86_64-linux.rosenpass-static-oci-image runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -353,8 +317,6 @@ jobs: - name: Build run: nix build .#packages.x86_64-linux.rosenpass-static-oci-image --print-build-logs x86_64-linux---whitepaper: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Build x86_64-linux.whitepaper runs-on: - ubicloud-standard-2-ubuntu-2204 @@ -371,8 +333,6 @@ jobs: - name: Build run: nix build .#packages.x86_64-linux.whitepaper --print-build-logs x86_64-linux---check: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Run Nix checks on x86_64-linux runs-on: - ubicloud-standard-2-ubuntu-2204 
@@ -390,8 +350,7 @@ jobs: x86_64-linux---whitepaper-upload: name: Upload whitepaper x86_64-linux runs-on: ubicloud-standard-2-ubuntu-2204 - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ (github.ref == 'refs/heads/main') && (github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run') }} + if: ${{ github.ref == 'refs/heads/main' }} steps: - uses: actions/checkout@v4 - uses: cachix/install-nix-action@v30 diff --git a/.github/workflows/qc-mac.yaml b/.github/workflows/qc-mac.yaml index b25ac6d..390e56e 100644 --- a/.github/workflows/qc-mac.yaml +++ b/.github/workflows/qc-mac.yaml @@ -14,8 +14,6 @@ permissions: jobs: cargo-test-mac: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions or explicitly called - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' || github.event_name == 'workflow_call'}} runs-on: warp-macos-13-arm64-6x steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/qc.yaml b/.github/workflows/qc.yaml index 435f92a..5a25111 100644 --- a/.github/workflows/qc.yaml +++ b/.github/workflows/qc.yaml @@ -3,10 +3,6 @@ on: pull_request: push: branches: [main] - workflow_run: - workflows: [Regenerate cargo-vet exemptions for dependabot-PRs] - types: - - completed concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -18,8 +14,6 @@ permissions: jobs: prettier: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: ubicloud-standard-2-ubuntu-2204 steps: - uses: actions/checkout@v4 
@@ -28,8 +22,6 @@ jobs: args: --check . shellcheck: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Shellcheck runs-on: ubicloud-standard-2-ubuntu-2204 steps: @@ -38,8 +30,6 @@ jobs: uses: ludeeus/action-shellcheck@master rustfmt: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Rust Format runs-on: ubicloud-standard-2-ubuntu-2204 steps: @@ -48,8 +38,6 @@ jobs: run: bash format_rust_code.sh --mode check cargo-bench: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: ubicloud-standard-2-ubuntu-2204 steps: - uses: actions/checkout@v4 @@ -68,8 +56,6 @@ jobs: - run: RUST_MIN_STACK=8388608 cargo bench --workspace --exclude rosenpass-fuzzing mandoc: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: mandoc runs-on: ubicloud-standard-2-ubuntu-2204 steps: @@ -80,8 +66,6 @@ jobs: run: doc/check.sh doc/rp.1 cargo-audit: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: ubicloud-standard-2-ubuntu-2204 steps: - uses: actions/checkout@v4 
@@ -90,8 +74,6 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} cargo-clippy: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: ubicloud-standard-2-ubuntu-2204 steps: - uses: actions/checkout@v4 @@ -111,8 +93,6 @@ jobs: args: --all-features cargo-doc: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: ubicloud-standard-2-ubuntu-2204 steps: - uses: actions/checkout@v4 @@ -132,8 +112,6 @@ jobs: - run: RUSTDOCFLAGS="-D warnings" cargo doc --no-deps --document-private-items cargo-test: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: ${{ matrix.os }} strategy: matrix: @@ -157,8 +135,6 @@ jobs: - run: RUST_MIN_STACK=8388608 cargo test --workspace --all-features cargo-test-nix-devshell-x86_64-linux: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: - ubicloud-standard-2-ubuntu-2204 steps: @@ -182,8 +158,6 @@ jobs: - run: nix develop --command cargo test --workspace --all-features cargo-fuzz: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: ubicloud-standard-2-ubuntu-2204 env: steps: 
@@ -218,8 +192,6 @@ jobs: cargo fuzz run fuzz_vec_secret_alloc_memfdsec_mallocfb -- -max_total_time=5 codecov: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: ubicloud-standard-2-ubuntu-2204 steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/regenerate-cargo-vet-exemptions.yml b/.github/workflows/regenerate-cargo-vet-exemptions.yml deleted file mode 100644 index fd71e82..0000000 --- a/.github/workflows/regenerate-cargo-vet-exemptions.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -name: Regenerate cargo-vet exemptions for dependabot-PRs -on: - pull_request: - push: - branches: [main] - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - regen-cargo-vet-exemptions: - if: ${{ github.actor == 'dependabot[bot]' }} - name: Regenerate exemptions for cargo-vet for dependabot-PRs - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v4 - with: - path: | - ~/.cargo/bin/ - ~/.cargo/registry/index/ - ~/.cargo/registry/cache/ - key: cargo-vet-cache - - name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain. - run: | - rustup toolchain install stable - rustup default stable - - uses: actions/cache@v4 - with: - path: ${{ runner.tool_cache }}/cargo-vet - key: cargo-vet-bin - - name: Add the tool cache directory to the search path - run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH - - name: Ensure that the tool cache is populated with the cargo-vet binary - run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet - - name: Regenerate vet exemptions for dependabot PRs - run: cargo vet regenerate exemptions - - name: Check for changes in case of dependabot PR - run: git diff --exit-code || echo "Changes detected, committing..." - - name: Commit and push changes for dependabot PRs - if: ${{ success() }} - run: | - git fetch origin ${{ github.head_ref }} - git switch ${{ github.head_ref }} - git config --global user.name "github-actions[bot]" - git config --global user.email "github-actions@github.com" - git add supply-chain/* - git commit -m "Regenerate cargo vet exemptions" - git push origin ${{ github.head_ref }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/regressions.yml b/.github/workflows/regressions.yml index c57f292..1f19746 100644 --- a/.github/workflows/regressions.yml 
+++ b/.github/workflows/regressions.yml @@ -3,10 +3,6 @@ on: pull_request: push: branches: [main] - workflow_run: - workflows: [Regenerate cargo-vet exemptions for dependabot-PRs] - types: - - completed concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -18,8 +14,6 @@ permissions: jobs: multi-peer: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: ubicloud-standard-2-ubuntu-2204 steps: - uses: actions/checkout@v4 @@ -31,8 +25,6 @@ jobs: [ $(ls -1 output/ate/out | wc -l) -eq 100 ] boot-race: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} runs-on: ubicloud-standard-2-ubuntu-2204 steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml index e83e9c2..effbb59 100644 --- a/.github/workflows/supply-chain.yml +++ b/.github/workflows/supply-chain.yml @@ -3,10 +3,6 @@ on: pull_request: push: branches: [main] - workflow_run: - workflows: [Regenerate cargo-vet exemptions for dependabot-PRs] - types: - - completed concurrency: group: ${{ github.workflow }}-${{ github.ref }} 
@@ -14,16 +10,12 @@ concurrency: jobs: cargo-deny: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Deny dependencies with vulnerabilities or incompatible licenses runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: EmbarkStudios/cargo-deny-action@v2 cargo-supply-chain: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Supply Chain Report runs-on: ubuntu-latest steps: @@ -52,10 +44,10 @@ jobs: run: cargo supply-chain crates # The setup for cargo-vet follows the recommendations in the cargo-vet documentation: https://mozilla.github.io/cargo-vet/configuring-ci.html cargo-vet: - # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions - if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }} name: Vet Dependencies runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: actions/checkout@v4 - uses: actions/cache@v4 
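Review bot: `permissions: contents: write` added to the `cargo-vet` job in the `@@ -52` hunk is granted on every trigger of this workflow, including ordinary `pull_request` runs that only need `cargo vet --locked`; only the dependabot-gated commit-and-push steps later in the job need a writable token. Whether a Dependabot-triggered `pull_request` run even receives a writable `GITHUB_TOKEN` under this repository's Actions/Dependabot settings is not visible here and should be confirmed, otherwise the push path fails for exactly the PRs it targets. Since `permissions:` cannot be scoped per step, the least-privilege shape is to keep this job read-only and move the regenerate-and-push steps into a separate job carrying `contents: write` with a job-level `if: github.actor == 'dependabot[bot]'`.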
@@ -77,5 +69,23 @@ jobs: run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH - name: Ensure that the tool cache is populated with the cargo-vet binary run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet + - name: Regenerate vet exemptions for dependabot PRs + if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs + run: cargo vet regenerate exemptions + - name: Check for changes in case of dependabot PR + if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs + run: git diff --exit-code || echo "Changes detected, committing..." + - name: Commit and push changes for dependabot PRs + if: success() && github.actor == 'dependabot[bot]' + run: | + git fetch origin ${{ github.head_ref }} + git switch ${{ github.head_ref }} + git config --global user.name "github-actions[bot]" + git config --global user.email "github-actions@github.com" + git add supply-chain/* + git commit -m "Regenerate cargo vet exemptions" + git push origin ${{ github.head_ref }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Invoke cargo-vet run: cargo vet --locked
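Review bot: The `Check for changes` step's `git diff --exit-code || echo "Changes detected, committing..."` always exits 0, so `if: success() && github.actor == 'dependabot[bot]'` on the commit step never gates on whether `cargo vet regenerate exemptions` actually changed anything; when regeneration is a no-op, `git commit` exits non-zero and fails the job. Record the result as a step output and condition the commit step on it, as in the excerpt below. While there, `${{ github.head_ref }}` is expanded verbatim into the shell script three times; passing it through `env:` and quoting it (`"$HEAD_REF"`) follows GitHub's hardening guidance, even though the `dependabot[bot]` gate narrows who controls the branch name. Note also that regenerating exemptions and then running `cargo vet --locked` in the same job means the vet gate passes by construction for Dependabot PRs, so the pushed `supply-chain/*` diff is the only record of what was waived and should be reviewed as such before merge.
```yaml
      - name: Check for changes in case of dependabot PR
        id: vet-diff
        if: github.actor == 'dependabot[bot]'
        run: |
          if git diff --quiet -- supply-chain; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Commit and push changes for dependabot PRs
        if: steps.vet-diff.outputs.changed == 'true'
        env:
          HEAD_REF: ${{ github.head_ref }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git fetch origin "$HEAD_REF"
          git switch "$HEAD_REF"
          # … unchanged: git config user.name/user.email, git add supply-chain/*, git commit …
          git push origin "$HEAD_REF"
```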