suricata/.github/workflows/rust-checks.yml

name: Cargo Audit and Update

on:
  schedule:
    # Run on Monday mornings, 11AM UTC.
    - cron: '0 11 * * 1'
  pull_request:
  # Enable push for testing when working on this file.
  #push:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: read-all

jobs:

  # This job runs `cargo audit` and will exit with a failure code if
  # any warnings are raised.
  audit:
    name: Cargo Audit
    runs-on: ubuntu-latest
    container: almalinux:9
    steps:
      - name: Cache cargo registry
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
        with:
          path: ~/.cargo
          key: ${{ github.job }}-cargo

      - name: Cache RPMs
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
        with:
          path: /var/cache/dnf
          key: ${{ github.job }}-dnf
      - run: echo "keepcache=1" >> /etc/dnf/dnf.conf

      - name: Install system packages
        run: |
          dnf -y install dnf-plugins-core epel-release
          dnf config-manager --set-enabled crb
          dnf -y install \
                autoconf \
                automake \
                cbindgen \
                diffutils \
                numactl-devel \
                dpdk-devel \
                file-devel \
                gcc \
                gcc-c++ \
                git \
                jansson-devel \
                jq \
                libtool \
                libyaml-devel \
                libnfnetlink-devel \
                libnetfilter_queue-devel \
                libnet-devel \
                libcap-ng-devel \
                libevent-devel \
                libmaxminddb-devel \
                libpcap-devel \
                libtool \
                lz4-devel \
                make \
                pcre2-devel \
                pkgconfig \
                python3-devel \
                python3-sphinx \
                python3-yaml \
                sudo \
                which \
                zlib-devel          
      - name: Install Rust
        run: |
          curl https://sh.rustup.rs -sSf | sh -s -- -y
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - name: Install Cargo Audit
        run: cargo install cargo-audit
      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
      - name: Configure Suricata
        run: |
          ./scripts/bundle.sh libhtp
          ./autogen.sh
          ./configure --enable-warnings          
      - name: Run Cargo Audit
        working-directory: rust
        run: |
          IGNORES=()

          # failure, via bendy
          IGNORES+=(--ignore RUSTSEC-2020-0036)
          # failure, via bendy
          IGNORES+=(--ignore RUSTSEC-2019-0036)

          cargo audit -D warnings "${IGNORES[@]}"          

  # This job uses our MSRV and does a `cargo update` with the idea
  # that it should catch early any dependencies that have done a patch
  # update pulling in a new MSRV. This would be an indicator that we
  # have to more tightly pin the dependency, or even attempt to pin a
  # transitive dependency.
  update:
    name: Cargo Update
    runs-on: ubuntu-latest
    container: almalinux:9
    steps:
      - name: Cache cargo registry
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
        with:
          path: ~/.cargo
          key: ${{ github.job }}-cargo

      - name: Cache RPMs
        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2
        with:
          path: /var/cache/dnf
          key: ${{ github.job }}-dnf
      - run: echo "keepcache=1" >> /etc/dnf/dnf.conf

      - name: Install system packages
        run: |
          dnf -y install dnf-plugins-core epel-release
          dnf config-manager --set-enabled crb
          dnf -y install \
                autoconf \
                automake \
                cbindgen \
                diffutils \
                numactl-devel \
                dpdk-devel \
                file-devel \
                gcc \
                gcc-c++ \
                git \
                jansson-devel \
                jq \
                libtool \
                libyaml-devel \
                libnfnetlink-devel \
                libnetfilter_queue-devel \
                libnet-devel \
                libcap-ng-devel \
                libevent-devel \
                libmaxminddb-devel \
                libpcap-devel \
                libtool \
                lz4-devel \
                make \
                pcre2-devel \
                pkgconfig \
                python3-devel \
                python3-sphinx \
                python3-yaml \
                sudo \
                which \
                zlib-devel          
      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
      - name: Install Minimum Supported Rust Version
        run: |
          curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(awk -F '"' '/rust-version/ { print $2 }' rust/Cargo.toml.in)
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH          
      - name: Configure Suricata
        run: |
          ./scripts/bundle.sh libhtp
          ./autogen.sh
          ./configure --enable-warnings          
      - name: Cargo Update and Build
        working-directory: rust
        run: |
          cargo update
          cargo build --all-features --all-targets