
ci: fix aarch64 cross-compilation by specifying Python interpreters (#7) #24

ci: fix aarch64 cross-compilation by specifying Python interpreters (#7)


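name: Security Medium

# Post-merge validation: runs on every push to main. These jobs gate the code
# that just landed, so they are written to fail closed — an unreadable report
# is a failure, never a silent pass.
on:
  push:
    branches: [ main ]

# Least privilege: nothing in this workflow writes to the repository. A job
# that later needs more (e.g. uploading SARIF) should request it at job level.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1

# A newer push to main cancels a still-running validation of the previous
# commit. That is acceptable for post-merge checks only if every commit that
# stays on main eventually gets a completed run; if an intermediate commit
# matters on its own (e.g. it is tagged), set cancel-in-progress to false.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# NOTE(review): every third-party action below is referenced by a mutable tag
# or branch (`@stable`, `@main`, `@v2`, `@v4`). A compromised or force-moved
# upstream ref silently changes what runs inside this security workflow. Pin
# each `uses:` to a full commit SHA (tag kept in a trailing comment) and let
# Dependabot/Renovate bump the SHA.
jobs:
  # Medium security checks (target < 15 min) - post-merge validation
  cargo-geiger:
    name: Unsafe Code Tracking
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - name: Set up Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-binstall
        # `@main` is a moving branch of a tool whose job is to download and
        # execute prebuilt binaries; this is the most exposed line here.
        uses: cargo-bins/cargo-binstall@main
      - name: Install cargo-geiger
        # binstall fetches a prebuilt release binary of whatever version is
        # newest at run time. Pin one (`cargo-geiger@<version>`) so the tool
        # behind this gate cannot change without a reviewed diff.
        run: cargo binstall --no-confirm cargo-geiger
      - name: Run unsafe code analysis
        run: |
          cd rust
          # geiger builds the crate to count unsafe usage; its JSON is both
          # the input to the gate below and the archived artifact.
          cargo geiger --output-format Json > geiger-report.json
          cat geiger-report.json
      - name: Check unsafe ratio (< 5%)
        run: |
          cd rust
          # Sum safe+unsafe per package, then add the per-package totals.
          # Writing `.packages[]…safe + .packages[]…unsafe` instead makes jq
          # take the cartesian product of the two streams, overcounting the
          # total by a factor of the package count and weakening the gate.
          # NOTE(review): the field paths are assumed to match the installed
          # cargo-geiger's JSON — verify after any tool upgrade. `// 0` stops
          # a missing field from becoming a null the shell would misparse.
          TOTAL_FUNCS=$(jq '[(.packages // [])[].package.functions | (.safe // 0) + (.unsafe // 0)] | add // 0' geiger-report.json)
          UNSAFE_FUNCS=$(jq '[(.packages // [])[].package.functions.unsafe // 0] | add // 0' geiger-report.json)

          # Fail closed. Previously a schema mismatch produced "null" here,
          # bc printed nothing, `(( ))` on an empty string was false, and the
          # step ended with a green "within acceptable limits".
          if ! [[ "$TOTAL_FUNCS" =~ ^[0-9]+$ && "$UNSAFE_FUNCS" =~ ^[0-9]+$ ]]; then
            echo "❌ Could not read function counts from geiger-report.json (total='$TOTAL_FUNCS', unsafe='$UNSAFE_FUNCS')"
            exit 1
          fi
          if [ "$TOTAL_FUNCS" -eq 0 ]; then
            echo "⚠️ No functions found in geiger report"
            exit 0
          fi

          # Multiply before dividing so scale=4 applies to the percentage
          # rather than to the raw ratio (1/30 would otherwise round to
          # .0333 and then be scaled to 3.33).
          MAX_UNSAFE_PCT=5
          UNSAFE_RATIO=$(echo "scale=4; $UNSAFE_FUNCS * 100 / $TOTAL_FUNCS" | bc)
          echo "Total functions: $TOTAL_FUNCS"
          echo "Unsafe functions: $UNSAFE_FUNCS"
          echo "Unsafe ratio: $UNSAFE_RATIO%"
          # Exactly the threshold still passes; the step name says "< 5%",
          # which this strict `>` comparison does not quite enforce.
          if (( $(echo "$UNSAFE_RATIO > $MAX_UNSAFE_PCT" | bc -l) )); then
            echo "❌ Unsafe ratio ($UNSAFE_RATIO%) exceeds ${MAX_UNSAFE_PCT}% threshold"
            exit 1
          fi
          echo "✅ Unsafe ratio ($UNSAFE_RATIO%) is within acceptable limits"
      - name: Archive geiger report
        uses: actions/upload-artifact@v4
        # Upload even when the gate above failed: the report is the evidence.
        if: always()
        with:
          name: geiger-report
          path: rust/geiger-report.json
          retention-days: 30

  miri-subset:
    name: Miri UB Detection (Subset)
    runs-on: ubuntu-latest
    # Above the 15 min budget stated for this workflow; Miri interprets the
    # tests, which is why only two modules are covered here.
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v4
      - name: Install nightly Rust with Miri
        # Unpinned nightly: each run may get a different compiler and Miri,
        # so results are not reproducible and a tool regression shows up as a
        # red main. Prefer a dated toolchain (`nightly-YYYY-MM-DD`) that is
        # bumped deliberately.
        run: |
          rustup toolchain install nightly --component miri
          rustup default nightly
      - name: Cache Rust dependencies
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: rust
      - name: Run Miri on byte_storage module
        # The trailing positional argument (`byte_storage`, `encryption`) is
        # passed through as the test-name filter; only matching tests run.
        run: |
          cd rust
          cargo miri test --lib --no-default-features --features compression,checksum,messagepack byte_storage
      - name: Run Miri on encryption module
        run: |
          cd rust
          cargo miri test --lib --no-default-features --features encryption encryption

  cargo-semver-checks:
    name: API Stability
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so tags are present for `git describe` below.
          fetch-depth: 0
      - name: Check for previous version
        id: check-tag
        run: |
          # Without an earlier tag there is no baseline to compare the public
          # API against, so the semver step is skipped rather than failed.
          if tag=$(git describe --tags --abbrev=0 2>/dev/null); then
            echo "Baseline tag: $tag"
            echo "has_tag=true" >> "$GITHUB_OUTPUT"
          else
            echo "⚠️ No previous version found - skipping semver check"
            echo "has_tag=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Check for breaking changes
        # A skipped step leaves the job `success`, so the summary below does
        # not treat a missing baseline as a failure.
        if: steps.check-tag.outputs.has_tag == 'true'
        uses: obi1kenobi/cargo-semver-checks-action@v2
        with:
          manifest-path: rust/Cargo.toml

  # Summary job: a single required check that fails if any job did not end in
  # `success` (skipped and cancelled jobs count as failures).
  security-medium-success:
    name: Security Medium Success
    runs-on: ubuntu-latest
    needs: [cargo-geiger, miri-subset, cargo-semver-checks]
    if: always()
    steps:
      - name: Check all security checks passed
        # Pass the job results in through env rather than interpolating
        # `${{ }}` into the script body; the values here are a fixed enum, but
        # keeping expressions out of `run:` is the habit that prevents
        # expression injection when a script is later copied elsewhere.
        env:
          GEIGER_RESULT: ${{ needs.cargo-geiger.result }}
          MIRI_RESULT: ${{ needs.miri-subset.result }}
          SEMVER_RESULT: ${{ needs.cargo-semver-checks.result }}
        run: |
          failed=0
          for entry in "cargo-geiger=$GEIGER_RESULT" "miri-subset=$MIRI_RESULT" "cargo-semver-checks=$SEMVER_RESULT"; do
            job="${entry%%=*}"
            result="${entry#*=}"
            if [[ "$result" != "success" ]]; then
              echo "❌ $job finished with result: $result"
              failed=1
            fi
          done
          if [[ "$failed" -ne 0 ]]; then
            echo "❌ One or more medium security checks failed"
            exit 1
          fi
          echo "✅ All medium security checks passed"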