freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

Migrate static-analysis-and-no-known-cves to GitHub Actions #7219

Closed legoktm closed 1 month ago

legoktm commented 1 month ago

Status

Ready for review

Description of Changes

This ports the same functionality but in a much simpler way since we just need the latest versions of the safety and semgrep packages.

We want this to run on each PR and every night, so move it into security.yml and configure that workflow to run on each PR as well. As a side-effect, rust-audit will now run on each PR, which is fine.

Testing

How should the reviewer test this PR?

Deployment

Any special considerations for deployment? n/a

Checklist
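The workflow change described above (static analysis via the latest `safety` and `semgrep` releases, triggered on every pull request and nightly, in a `security.yml` workflow) sketched as an added example. This is illustrative GitHub Actions configuration written for this page, not the SecureDrop project's actual workflow; the job name, the `requirements.txt` path, the cron time and the semgrep ruleset argument are assumptions.

```yaml
# Illustrative example, not the project's security.yml.
name: security

on:
  pull_request:          # run on every PR, so findings block merges
  schedule:
    - cron: "0 4 * * *"  # assumed nightly time (04:00 UTC); catches new CVEs without a code change

jobs:
  static-analysis-and-no-known-cves:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      # Always take the newest scanners: the point of the nightly run is
      # that the CVE database and rules keep moving, so do not pin these.
      - name: Install latest safety and semgrep
        run: python -m pip install --upgrade safety semgrep

      # Path to the dependency manifest is an assumption for this example.
      - name: Check dependencies for known CVEs
        run: safety check -r requirements.txt

      # "--config auto" and "--error" (non-zero exit on findings) are
      # semgrep CLI options; the ruleset choice is an assumption here.
      - name: Run semgrep static analysis
        run: semgrep scan --config auto --error .
```

Because both the `pull_request` and `schedule` triggers live in the same workflow, every other job in that file (the PR description notes `rust-audit` as one) also runs on each PR; a job that should stay nightly-only would need an `if: github.event_name == 'schedule'` guard.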

legoktm commented 1 month ago

Thanks - rebased.

Edit: Oh, also: Is it expected that CircleCI's static-analysis-and-no-known-cves-1 is stuck at Expected?

Yes, that's because it still has the Required label. Once infra moves that to the GHA job, it'll disappear. So I'll file an infra ticket now :)