chore: update PyPI metadata to match README (#16) #30
| name: Security Medium | |
| on: | |
| push: | |
| branches: [ main ] | |
| permissions: | |
| contents: read | |
| security-events: write # Required for security tool integrations | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: 1 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| # Medium security checks (< 15 min) - post-merge validation | |
| cargo-geiger: | |
| name: Unsafe Code Tracking | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Install cargo-binstall | |
| uses: cargo-bins/cargo-binstall@main | |
| - name: Install cargo-geiger | |
| run: cargo binstall --no-confirm cargo-geiger | |
| - name: Run unsafe code analysis | |
| run: | | |
| cd rust | |
| cargo geiger --output-format Json > geiger-report.json | |
| cat geiger-report.json | |
| - name: Check unsafe ratio (< 5%) | |
| run: | | |
| cd rust | |
| # Parse total and unsafe counts from geiger JSON | |
| TOTAL_FUNCS=$(jq '[.packages[].package.functions.safe + .packages[].package.functions.unsafe] | add' geiger-report.json) | |
| UNSAFE_FUNCS=$(jq '[.packages[].package.functions.unsafe] | add' geiger-report.json) | |
| if [ "$TOTAL_FUNCS" -eq 0 ]; then | |
| echo "⚠️ No functions found in geiger report" | |
| exit 0 | |
| fi | |
| UNSAFE_RATIO=$(echo "scale=4; $UNSAFE_FUNCS / $TOTAL_FUNCS * 100" | bc) | |
| echo "Total functions: $TOTAL_FUNCS" | |
| echo "Unsafe functions: $UNSAFE_FUNCS" | |
| echo "Unsafe ratio: $UNSAFE_RATIO%" | |
| if (( $(echo "$UNSAFE_RATIO > 5.0" | bc -l) )); then | |
| echo "❌ Unsafe ratio ($UNSAFE_RATIO%) exceeds 5% threshold" | |
| exit 1 | |
| fi | |
| echo "✅ Unsafe ratio ($UNSAFE_RATIO%) is within acceptable limits" | |
| - name: Archive geiger report | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: geiger-report | |
| path: rust/geiger-report.json | |
| retention-days: 30 | |
| miri-subset: | |
| name: Miri UB Detection (Subset) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install nightly Rust with Miri | |
| run: | | |
| rustup toolchain install nightly --component miri | |
| rustup default nightly | |
| - name: Cache Rust dependencies | |
| uses: Swatinem/rust-cache@v2 | |
| with: | |
| workspaces: rust | |
| - name: Run Miri on byte_storage module | |
| run: | | |
| cd rust | |
| cargo miri test --lib --no-default-features --features compression,checksum,messagepack byte_storage | |
| - name: Run Miri on encryption module | |
| run: | | |
| cd rust | |
| cargo miri test --lib --no-default-features --features encryption encryption | |
| # Note: cargo-semver-checks removed - cachekit-rs is PyO3 bindings only, | |
| # not a public Rust API. The actual Rust library (cachekit-core) is a | |
| # separate crate published at https://crates.io/crates/cachekit-core | |
| # Summary job | |
| security-medium-success: | |
| name: Security Medium Success | |
| runs-on: ubuntu-latest | |
| needs: [cargo-geiger, miri-subset] | |
| if: always() | |
| steps: | |
| - name: Check all security checks passed | |
| run: | | |
| if [[ "${{ needs.cargo-geiger.result }}" != "success" ]] || \ | |
| [[ "${{ needs.miri-subset.result }}" != "success" ]]; then | |
| echo "❌ One or more medium security checks failed" | |
| exit 1 | |
| fi | |
| echo "✅ All medium security checks passed" |
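Review bot: The TOTAL_FUNCS query in the "Check unsafe ratio" step over-counts whenever the geiger report lists more than one package: in jq, `.packages[].package.functions.safe + .packages[].package.functions.unsafe` is a cartesian product of the two generators, so with N packages the sum is N times the real total and the computed ratio is N times too small, which would let a workspace sail under the 5% gate. Iterate once per package instead, `TOTAL_FUNCS=$(jq '[.packages[].package.functions | .safe + .unsafe] | add // 0' geiger-report.json)`, and add `// 0` to the UNSAFE_FUNCS query too so a report without the expected keys yields 0 rather than `null` reaching `[ -eq ]` and bc (I have not confirmed the exact key names cargo-geiger emits for its JSON output, so the path itself should be checked against a real report). In the same job, `cargo-bins/cargo-binstall@main` is a moving branch ref for an action that downloads and installs binaries; pin it to a release tag or full commit SHA like the other actions in this file. Finally, the workflow requests `security-events: write` but no step uploads SARIF or otherwise uses it, so under least privilege that permission can be dropped or the comment should name the step that needs it.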