From 612684f3d42216c0c2d4af4560b5f0d792c4ece6 Mon Sep 17 00:00:00 2001
From: Andrew Brown
Date: Thu, 26 Sep 2024 15:30:06 -0700
Subject: [PATCH] ci: add `clippy` results to GitHub code scans
In the past, we've overlooked clippy warnings that get lost in the CI build logs. This change would collect all of those warnings, put them in [SARIF] form, and list them in GitHub's code scanning view. I recently added this to `ittapi` and it looks like this: [Code Scanning]. This means warnings and errors will show up on the security tab as a notification; the UI allows one to dismiss the warnings. There might be some integration with PRs but I haven't experimented with that. I configured this to also run periodically (every Tuesday night); we can remove that if we only want commits to `main`, e.g. If we do adopt this, we should think about what to do with the `clippy` job in `main.yml`--does it stay or go? [SARIF]: https://sarifweb.azurewebsites.net [Code Scanning]: https://github.com/intel/ittapi/security/code-scanning?query=branch%3Amaster+
---
 .github/workflows/scan.yml | 52 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 .github/workflows/scan.yml
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 000000000000..7a3d2d3b2cf4
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,52 @@
+# Scan the code in this repository; publish results to
+# https://github.com/bytecodealliance/wasmtime/security/code-scanning.
+
+name: Code Scan
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "4 3 * * 2"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (Rust)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    env:
+      CARGO_NDK_VERSION: 2.12.2
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          submodules: true
+
+      - name: Install clippy
+        run: rustup component add clippy
+
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@3a99ae3c155195e5518c9ff954bee1b90f98b82c # v1.10.6
+
+      - name: Install dependencies
+        run: cargo binstall --no-confirm clippy-sarif sarif-fmt
+
+      - name: Run clippy
+        run: |
+          cargo clippy --workspace --all-targets --message-format=json > clippy.json
+          clippy-sarif --input clippy.json --output clippy.sarif
+          sarif-fmt --input clippy.sarif
+        continue-on-error: true
+
+      - name: Upload analysis
+        uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # v2.19.0
+        with:
+          sarif_file: clippy.sarif
+          wait-for-processing: true
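Review bot: The `Install dependencies` step fetches `clippy-sarif` and `sarif-fmt` at whatever version `cargo binstall` resolves at run time, so a newly published release of either crate runs unreviewed inside a job that holds `security-events: write`, while every `uses:` in the same file is pinned to a commit SHA. Pinning the tools the same way, `run: cargo binstall --no-confirm clippy-sarif@<pinned-version> sarif-fmt@<pinned-version>` (versions are placeholders to fill in), keeps the file's supply-chain posture consistent and makes the job reproducible. Separately, `CARGO_NDK_VERSION: 2.12.2` is not referenced by any step in the hunk and looks like a leftover from the `ittapi` workflow mentioned in the description; dropping it avoids a reader hunting for its use. `continue-on-error: true` on the `Run clippy` step also lets a clippy failure leave the job green, so a comment above it stating which failure it is meant to tolerate (for example `# clippy exits non-zero on errors; keep going so the SARIF is still uploaded`) would document the intent.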