feat: initial cachekit v0.1.0-alpha oss release #2

Workflow file for this run

.github/workflows/security-fast.yml at 0c9fb2e

	name: Security Fast

	on:
	push:
	branches: [ main, develop ]
	pull_request:
	branches: [ main, develop ]

	permissions:
	contents: read
	pull-requests: read

	env:
	CARGO_TERM_COLOR: always
	RUST_BACKTRACE: 1

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	jobs:
	# Fast security checks (< 3 min) - parallel execution
	cargo-audit:
	name: Vulnerability Scan
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- uses: actions/checkout@v4

	- name: Set up Rust
	uses: dtolnay/rust-toolchain@stable

	- name: Cache Rust dependencies
	uses: Swatinem/rust-cache@v2
	with:
	workspaces: rust

	- name: Install cargo-audit
	run: cargo install --locked cargo-audit

	- name: Run vulnerability scan
	run: \|
	cd rust
	cargo audit --deny warnings

	cargo-deny:
	name: License & Supply Chain
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- uses: actions/checkout@v4

	- name: Set up Rust
	uses: dtolnay/rust-toolchain@stable

	- name: Cache Rust dependencies
	uses: Swatinem/rust-cache@v2
	with:
	workspaces: rust

	- name: Install cargo-deny
	run: cargo install --locked cargo-deny

	- name: Run cargo-deny checks
	run: \|
	cd rust
	cargo deny check

	clippy-security:
	name: Security Lints
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- uses: actions/checkout@v4

	- name: Set up Rust
	uses: dtolnay/rust-toolchain@stable
	with:
	components: clippy

	- name: Cache Rust dependencies
	uses: Swatinem/rust-cache@v2
	with:
	workspaces: rust

	- name: Run Clippy security lints
	run: \|
	cd rust
	cargo clippy --no-default-features --features compression,checksum,messagepack,encryption \
	-- -D warnings -W clippy::cargo -W clippy::pedantic

	cargo-machete:
	name: Unused Dependencies
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- uses: actions/checkout@v4

	- name: Set up Rust
	uses: dtolnay/rust-toolchain@stable

	- name: Cache Rust dependencies
	uses: Swatinem/rust-cache@v2
	with:
	workspaces: rust

	- name: Install cargo-machete
	run: cargo install --locked cargo-machete

	- name: Check for unused dependencies
	run: \|
	cd rust
	cargo machete

	pip-audit:
	name: Python Dependency CVEs
	runs-on: ubuntu-latest
	timeout-minutes: 5
	steps:
	- uses: actions/checkout@v4

	- name: Install uv
	uses: astral-sh/setup-uv@v3
	with:
	enable-cache: true

	- name: Set up Python
	run: uv python install 3.12

	- name: Cache Python virtual environment
	uses: actions/cache@v4
	with:
	path: .venv
	key: venv-${{ runner.os }}-py3.12-${{ hashFiles('/pyproject.toml', '/uv.lock') }}
	restore-keys: \|
	venv-${{ runner.os }}-py3.12-

	- name: Install dependencies
	run: \|
	uv sync --extra dev

	- name: Run pip-audit
	run: \|
	uv run pip-audit --desc --format json --output pip-audit-report.json

	- name: Upload report
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: pip-audit-report
	path: pip-audit-report.json

	# Summary job - fail if any check fails
	security-fast-success:
	name: Security Fast Success
	runs-on: ubuntu-latest
	needs: [cargo-audit, cargo-deny, clippy-security, cargo-machete, pip-audit]
	if: always()
	steps:
	- name: Check all security checks passed
	run: \|
	if [[ "${{ needs.cargo-audit.result }}" != "success" ]] \|\| \
	[[ "${{ needs.cargo-deny.result }}" != "success" ]] \|\| \
	[[ "${{ needs.clippy-security.result }}" != "success" ]] \|\| \
	[[ "${{ needs.cargo-machete.result }}" != "success" ]] \|\| \
	[[ "${{ needs.pip-audit.result }}" != "success" ]]; then
	echo "❌ One or more security checks failed"
	exit 1
	fi
	echo "✅ All fast security checks passed"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: initial cachekit v0.1.0-alpha oss release #2

Workflow file

feat: initial cachekit v0.1.0-alpha oss release #2

Uh oh!

Jobs

Run details

Workflow file for this run