Diffstat (limited to '.github')
| -rw-r--r-- | .github/workflows/audit.yaml | 20 | ||||
| -rw-r--r-- | .github/workflows/clippy.yaml | 5 | ||||
| -rw-r--r-- | .github/workflows/update-lock.yaml (renamed from .github/workflows/update-flake.yaml) | 17 |
3 files changed, 14 insertions, 28 deletions
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
deleted file mode 100644
index ebf88d0..0000000
--- a/.github/workflows/audit.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: audit crates
-# this checks our dependencies for
-# security advisories every saturday
-
-on:
- schedule:
- - cron: "0 0 * * 6"
- workflow_dispatch:
-
-jobs:
- audit:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
- - uses: DeterminateSystems/nix-installer-action@main
-
- - name: run audit
- run: |
- nix build --accept-flake-config -L .#checks.x86_64-linux.audit
diff --git a/.github/workflows/clippy.yaml b/.github/workflows/clippy.yaml
index 48b1bd6..cb35d14 100644
--- a/.github/workflows/clippy.yaml
+++ b/.github/workflows/clippy.yaml
@@ -11,6 +11,10 @@ jobs:
 clippy:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+
 steps:
 - uses: actions/checkout@v4
 - uses: DeterminateSystems/nix-installer-action@main
@@ -23,6 +27,7 @@ jobs:
 - name: run clippy
 run: |
+ mkdir -p /tmp
 cargo clippy --all --all-targets --message-format=json | clippy-sarif > /tmp/clippy.sarif
 - name: upload results
diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-lock.yaml
index 7e0d992..9e3301d 100644
--- a/.github/workflows/update-flake.yaml
+++ b/.github/workflows/update-lock.yaml
@@ -1,9 +1,8 @@
-name: update nix flake
-# this is to make sure we can build against a
-# recent version of nixos-unstable
+name: update flake lock
 on:
 schedule:
+ # run every saturday
 - cron: "0 0 * * 6"
 workflow_dispatch:
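Review bot: The job that now holds `security-events: write` still runs `DeterminateSystems/nix-installer-action@main` (the context line just below the added `permissions:` block), and a branch ref can change what runs in this job without any commit to this repository. Pinning it to a full commit SHA keeps the scoped permissions meaningful, e.g. `- uses: DeterminateSystems/nix-installer-action@<full-commit-sha>  # <release tag>`. The same applies to the `update` job in update-lock.yaml in this commit, which has at least `pull-requests: write` and uses both `nix-installer-action@main` and the movable tag `update-flake-lock@v20`. The steps list of the clippy job continues outside the hunk.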
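Review bot: The `run: |` block of the `run clippy` step has no `shell:` key, so on a Linux runner it runs under `bash -e` without `pipefail`, and a failing `cargo clippy` is hidden by the exit status of `clippy-sarif`; the step would then pass and a partial or empty SARIF file could be uploaded. Adding `set -o pipefail` as the first line of the script (or `shell: bash` on the step, as update-lock.yaml does) makes the failure visible. The added `mkdir -p /tmp` is likely a no-op on `ubuntu-latest`, where `/tmp` already exists; if the intent is a reliable scratch path, `"$RUNNER_TEMP/clippy.sarif"` is the per-job location, with the upload step's path changed to match. The step list continues outside the hunk, so the upload step's inputs are not visible here.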
@@ -12,20 +11,22 @@ permissions:
 pull-requests: write
 jobs:
- update-flake:
+ update:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
 - uses: DeterminateSystems/nix-installer-action@main
- - uses: DeterminateSystems/update-flake-lock@v20
+ - name: update lockfile
+ uses: DeterminateSystems/update-flake-lock@v20
 id: update
 with:
- commit-msg: "deps(flake): update inputs"
- pr-title: "deps(flake): update inputs"
+ commit-msg: "flake: update inputs"
+ pr-title: "flake: update inputs"
+ token: ${{ github.token }}
- - name: auto-merge pull request
+ - name: enable auto-merge
 shell: bash
 run: gh pr merge --auto --rebase "$PR_ID"
 env: |
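Review bot: The added `token: ${{ github.token }}` means the update pull request is created with the workflow's own token, and GitHub does not start new workflow runs for events triggered by that token, so the PR's CI checks will probably not run. Combined with `gh pr merge --auto --rebase`, the PR then either waits indefinitely on required checks or, where the branch has no required checks, merges dependency updates with neither CI nor review. If auto-merge is to stay, a GitHub App or fine-grained token stored as a secret (placeholder: `token: ${{ secrets.<UPDATE_PR_TOKEN> }}`) plus required status checks on the target branch would gate the merge. This commit also deletes audit.yaml, so unless the advisory check moved outside `.github` (the diffstat is limited to that directory), updated inputs are no longer checked for advisories on a schedule. The `env:` block of the last step continues outside the hunk.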
