Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: Prevent dependencies issue #142

Merged
merged 7 commits into from May 18, 2022
Merged

ci: Prevent dependencies issue #142

merged 7 commits into from May 18, 2022

Conversation

kazuk
Copy link
Contributor

@kazuk kazuk commented May 14, 2022

Issue number and link

Fixes: #138

Describe your changes

add deny.toml for cargo-deny
add cargo-deny install for Github Actions
add check-dependencies task for makefile
add CI job for runs it.

Checklist before requesting a review

  • I follow the Semantic Pull Requests rules (bugfix/feature)
  • I specified links to related issues (must: bugfix, want: feature)
  • I have performed a self-review of my code (bugfix/feature)
  • I have added thorough tests (bugfix/feature)
  • I have edited ## [Unreleased] section in CHANGELOG.md following keep a changelog syntax (bugfix/feature)
  • I {made/will make} a related pull request for documentation repo (feature)

kazuk added 2 commits May 14, 2022
@codecov
Copy link

codecov bot commented May 14, 2022

Codecov Report

Merging #142 (15adc1c) into main (19e2230) will increase coverage by 0.03%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main     #142      +/-   ##
==========================================
+ Coverage   87.81%   87.84%   +0.03%     
==========================================
  Files         203      203              
  Lines       12620    12620              
==========================================
+ Hits        11082    11086       +4     
+ Misses       1538     1534       -4     
Impacted Files Coverage Δ
...omous_executor/row/value/sql_value/nn_sql_value.rs 66.48% <0.00%> (-0.55%) ⬇️
springql-core/src/pipeline.rs 92.30% <0.00%> (ø)
springql-core/src/stream_engine.rs 95.65% <0.00%> (ø)
...ngql-core/tests/feat_performance_metrics_report.rs 99.37% <0.00%> (ø)
...e/src/sql_processor/sql_parser/pest_parser_impl.rs 88.00% <0.00%> (+0.28%) ⬆️
springql-core/src/expression.rs 75.44% <0.00%> (+1.19%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 19e2230...15adc1c. Read the comment docs.

@kazuk kazuk force-pushed the kazuk/issue138 branch 2 times, most recently from fd42873 to 4830a9e Compare May 14, 2022
@kazuk
Copy link
Contributor Author

kazuk commented May 14, 2022

cargo deny check runs here!

https://github.com/SpringQL/SpringQL/runs/6432517672?check_suite_focus=true#step:13:65

@kazuk
Copy link
Contributor Author

kazuk commented May 14, 2022

I skip CHANGELOG update, because this is CI job changes.
no change to CODE & Documents.

@kazuk kazuk requested a review from laysakura May 14, 2022
@kazuk kazuk marked this pull request as ready for review May 14, 2022
Copy link
Contributor

@laysakura laysakura left a comment

Thanks.
I need deeper look at deny.toml but (done) already have some change requests.

deny.toml Show resolved Hide resolved
.github/workflows/ci.yml Outdated Show resolved Hide resolved
.github/workflows/scripts/crates.io-script.bash Outdated Show resolved Hide resolved
[tasks.build]
script = ['''
#!/usr/bin/env bash -eux
RUSTFLAGS='-D warnings' cargo build --workspace --all-targets --all-features
''']
dependencies=["check-dependencies"]
Copy link
Contributor

@laysakura laysakura May 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems too severe.

build should run even with bad dependencies.

Copy link
Contributor Author

@kazuk kazuk May 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The build process executes the crate build scripts and procedural macros that came in from the dependencies.

For this reason, we need to verify that the dependencies are safe before building, which is represented by dependencies.

Copy link
Contributor

@laysakura laysakura May 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The build process executes the crate build scripts and procedural macros

Yes. They can be malicious.

But I don't think putting this dependency saves developers (they might use cargo build).

I think it's OK to run malicious codes in CI's containers at build time.

IMO, running check-dependencies as a required job on pull-request should be enough.
(Maybe better to run it also on creating release artifacts)

Copy link
Contributor Author

@kazuk kazuk May 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But I don't think putting this dependency saves developers (they might use cargo build).

The problem is certainly not solved this way.

I'm looking for a solution, but I haven't found a solution at the moment.

Copy link
Contributor

@laysakura laysakura May 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ref: #148

 rename get_crate_version to get_crate_latest_version
@laysakura laysakura self-assigned this May 18, 2022
@laysakura laysakura self-requested a review May 18, 2022
@laysakura laysakura removed their assignment May 18, 2022
Copy link
Contributor

@laysakura laysakura left a comment

📝 Will review again after #148 closed.

-> Merge #142 and then #148 to cover wider cases.

[tasks.build]
script = ['''
#!/usr/bin/env bash -eux
RUSTFLAGS='-D warnings' cargo build --workspace --all-targets --all-features
''']
dependencies=["check-dependencies"]
Copy link
Contributor

@laysakura laysakura May 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ref: #148

Copy link
Contributor

@laysakura laysakura left a comment

@laysakura laysakura merged commit c49bdcd into main May 18, 2022
14 of 16 checks passed
@laysakura laysakura deleted the kazuk/issue138 branch May 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants