Merge pull request #277 from cordx56/dependabot/npm_and_yarn/vscode/t… #202
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security & Memory Safety | |
| on: | |
| pull_request: | |
| branches: [ "main" ] | |
| push: | |
| branches: [ "main" ] | |
| workflow_dispatch: | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUSTC_BOOTSTRAP: 1 | |
| jobs: | |
| security-checks: | |
| name: Security & Memory Safety Analysis | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, ubuntu-24.04-arm] | |
| include: | |
| - os: ubuntu-latest | |
| runner_os: Linux | |
| - os: ubuntu-24.04-arm | |
| runner_os: Linux | |
| - os: macos-latest | |
| runner_os: macOS | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install Rust toolchain (from rust-toolchain.toml) | |
| uses: actions-rust-lang/setup-rust-toolchain@v1 | |
| with: | |
| components: miri,rust-src,llvm-tools-preview,rustc-dev | |
| # Automatically reads from rust-toolchain.toml | |
| - name: Install system dependencies (Linux) | |
| if: matrix.runner_os == 'Linux' | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y valgrind | |
| - name: Make scripts executable (Unix) | |
| if: runner.os != 'Windows' | |
| run: chmod +x scripts/*.sh | |
| - name: Run comprehensive security checks | |
| shell: bash | |
| run: | | |
| # The security script will auto-detect CI environment and install missing tools | |
| # Exit with proper code to fail CI if security tests fail | |
| if ! ./scripts/security.sh; then | |
| echo "::error::Security tests failed" | |
| exit 1 | |
| fi | |
| - name: Create security summary and cleanup | |
| if: failure() | |
| shell: bash | |
| run: | | |
| # Only create summary and cleanup on failure | |
| echo "Security tests failed, creating summary..." | |
| # The security script should have created its own summary | |
| if [ -f "security-logs/security_summary_*.md" ]; then | |
| echo "Security script summary found:" | |
| ls -la security-logs/security_summary_*.md | |
| echo "::error::Security test failures detected. Check the summary for details." | |
| else | |
| echo "Warning: Security script summary not found, creating fallback summary" | |
| mkdir -p security-logs | |
| echo "# Security Testing Summary (Failure)" > security-logs/failure-summary.txt | |
| echo "Generated: $(date)" >> security-logs/failure-summary.txt | |
| echo "OS: ${{ matrix.os }}" >> security-logs/failure-summary.txt | |
| echo "Status: Security tests failed" >> security-logs/failure-summary.txt | |
| echo "::error::Security tests failed and no detailed summary was found" | |
| fi | |
| # List all generated logs for debugging | |
| if [ -d "security-logs" ]; then | |
| echo "Available security logs:" | |
| ls -la security-logs/ | |
| echo "Total log directory size: $(du -sh security-logs 2>/dev/null | cut -f1 || echo 'N/A')" | |
| fi | |
| - name: Cleanup build artifacts (on success) | |
| if: success() | |
| shell: bash | |
| run: | | |
| echo "Security tests passed! Cleaning up build artifacts..." | |
| # Remove security logs on success to save space | |
| if [ -d "security-logs" ]; then | |
| echo "Removing security logs (tests passed)" | |
| rm -rf security-logs/ | |
| fi | |
| - name: Upload security artifacts (on failure only) | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: security-logs-${{ matrix.os }}-${{ github.run_id }} | |
| path: | | |
| security-logs/ | |
| *.trace | |
| DrMemory-*.log | |
| drmemory.*.log | |
| instruments_output*.trace | |
| retention-days: 7 |