chore(data): coordinate edit for 9379.02.236
#1937
Workflow file for this run
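name: Security audit

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-server
  # Runs on main are never cancelled; superseded PR runs are.
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

on:
  schedule:
    - cron: "0 0 * * *"
  push:
    branches: ["main"]
  pull_request:

# Nothing is granted at the workflow level; every job below requests only
# the scopes it needs.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # code scanning (SARIF) upload
      contents: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        # Don't leave the job token in .git/config for later steps.
        with: { persist-credentials: false }
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3

  cargo-audit:
    # Only run on the daily schedule. Advisories still file issues, but PRs
    # aren't blocked when a transitive dep gets a new RUSTSEC entry.
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Scoped to what the audit step needs: issues for advisory reports,
      # checks for its status.
      issues: write
      checks: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with: { persist-credentials: false }
      - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # Every ignored advisory is explained here, in list order. Drop an
          # entry as soon as the upstream fix has been picked up.
          # RUSTSEC-2023-0071 = Marvin Attack: potential key recovery through timing sidechannels => not used explicitly
          # RUSTSEC-2026-0045 = Timing side-channel in AES-CCM tag verification in AWS-LC => transitive through aws-lc-sys and awaiting upstream dependency updates
          # RUSTSEC-2026-0046 = PKCS7_verify certificate chain validation bypass in AWS-LC => transitive through aws-lc-sys and awaiting upstream dependency updates
          # RUSTSEC-2026-0047 = PKCS7_verify signature validation bypass in AWS-LC => transitive through aws-lc-sys and awaiting upstream dependency updates
          # RUSTSEC-2026-0044 = AWS-LC X.509 name constraints bypass via wildcard/Unicode CN => transitive through aws-lc-sys and awaiting upstream dependency updates
          # RUSTSEC-2026-0048 = CRL distribution point scope check logic error in AWS-LC => transitive through aws-lc-sys and awaiting upstream dependency updates
          # RUSTSEC-2026-0049 = rustls-webpki CRL distribution point matching bug => transitive through rustls-webpki and awaiting upstream dependency updates
          # RUSTSEC-2026-0098 = rustls-webpki URI name constraints were incorrectly accepted => transitive through rustls-webpki and awaiting upstream dependency updates
          # RUSTSEC-2026-0099 = rustls-webpki wildcard DNS name constraints were incorrectly accepted => transitive through rustls-webpki and awaiting upstream dependency updates
          # RUSTSEC-2026-0104 = Reachable panic in certificate revocation list parsing in rand => transitive through testcontainers/bollard and awaiting upstream dependency updates
          # RUSTSEC-2024-0436 = paste is unmaintained => transitive through imageproc/nalgebra/simba and rav1e, awaiting upstream updates
          # RUSTSEC-2025-0141 = bincode is unmaintained => transitive through polars, awaiting upstream updates
          # RUSTSEC-2026-0097 = Rand is unsound with a custom logger using rand::rng() => transitive through testcontainers/bollard and awaiting upstream dependency updates
          ignore: RUSTSEC-2023-0071,RUSTSEC-2026-0045,RUSTSEC-2026-0046,RUSTSEC-2026-0047,RUSTSEC-2026-0044,RUSTSEC-2026-0048,RUSTSEC-2026-0049,RUSTSEC-2026-0098,RUSTSEC-2026-0099,RUSTSEC-2026-0104,RUSTSEC-2024-0436,RUSTSEC-2025-0141,RUSTSEC-2026-0097

  codeql:
    name: CodeQL (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
      # only required for workflows in private repositories
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions
          - language: javascript-typescript
          - language: rust
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with: { persist-credentials: false }
      - name: Initialize CodeQL
        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          languages: ${{ matrix.language }}
          build-mode: none
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          category: "/language:${{matrix.language}}"

  # This final step is needed to mark the whole workflow as successful
  # Don't change its name - it is used by the merge protection rules
  done:
    name: Finished security scan
    runs-on: ubuntu-latest
    # cargo-audit is deliberately not listed: it only runs on the schedule,
    # and a skipped dependency would trip the 'skipped' check below on every PR.
    needs: [ zizmor, codeql ]
    if: always()
    permissions: {}
    steps:
      - name: Result of the needed steps
        # The expression is passed through the environment instead of being
        # expanded inside the script body, so no expression output is ever
        # interpreted by the shell and the template-injection suppression
        # is no longer needed.
        env:
          NEEDS: ${{ toJSON(needs) }}
        run: echo "$NEEDS"
      - if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') }}
        name: CI Result
        run: exit 1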