ci: move security audits to nightly workflow and add dev status page#3190
- Extract rs-crates-security, js-npm-security, and js-codeql jobs from tests.yml into a new security-audits.yml that runs nightly + manually
- Create DEV_STATUS.md with badge-based audit and CI status tracking
- Add Security Audits badge to README linking to DEV_STATUS.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
📝 Walkthrough
This pull request refactors CI/CD workflows by extracting security audit jobs from the main tests workflow into three dedicated, scheduled security audit workflows (Rust, JS NPM, JS CodeQL). A new aggregation workflow monitors completion of all audits and reports status. Documentation is added to track security audit health.
Better timing for team members in Asia. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…badges
- Split single security-audits.yml into 3 workflows:
  - security-audit-rust.yml
  - security-audit-js-npm.yml
  - security-audit-js-codeql.yml
- Each workflow gets its own badge in DEV_STATUS.md
- Remove unnecessary sccache setup from Rust audit (cargo audit only parses Cargo.lock, no compilation occurs)
- Use static shields.io badge in README linking to DEV_STATUS.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wrapper workflow triggers on completion of any security audit and checks the latest run of all three. Fails if any audit is not passing, giving a single accurate badge for the README. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai review

✅ Actions performed: Review triggered.
Issue being fixed or feature implemented
Security audits (Rust crate audit, JS NPM audit, JS CodeQL) were running on every push and PR, adding unnecessary CI time. These checks don't need to gate individual PRs since they audit the dependency tree, not the diff.
What was done?
- Moved the security audit jobs out of tests.yml into separate nightly workflows (11:30 PM UTC):
  - security-audit-rust.yml — Rust crates audit via rustsec/audit-check
  - security-audit-js-npm.yml — JS NPM audit via yarn npm audit
  - security-audit-js-codeql.yml — JS CodeQL analysis
- Added security-audit-status.yml, an aggregator workflow that triggers on completion of any audit, checks all three, and fails if any is not passing — provides a single accurate badge for the README
- Added a DEV_STATUS.md page with per-audit badges for detailed status
- Removed the sccache setup from the Rust audit (cargo audit only parses Cargo.lock, no compilation occurs)
How Has This Been Tested?
Workflow YAML validated for correct syntax and job dependencies.
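The aggregator described above, written out as an added example; this is not the PR's own security-audit-status.yml. It uses the three audit workflow file names from the PR description; the workflow display names under `workflows:`, the job layout, and the `gh run list` query are assumptions. The check reads the latest completed run of each audit and fails the job unless all three concluded `success`, so a cancelled, skipped or timed-out audit also turns the README badge red instead of silently passing.

```yaml
# Added example (not the PR's actual security-audit-status.yml).
# Runs whenever one of the three nightly audits finishes, then inspects the
# most recent completed run of every audit and fails unless all succeeded.
name: Security Audit Status

on:
  workflow_run:
    # workflow_run matches on the `name:` of the other workflows, not their
    # file names; these display names are assumed.
    # It also only fires for runs on the default branch, which is where the
    # nightly schedule executes, so the aggregate reflects main's status.
    workflows:
      - Security Audit (Rust)
      - Security Audit (JS NPM)
      - Security Audit (JS CodeQL)
    types: [completed]
  workflow_dispatch:

permissions:
  actions: read   # needed for gh to list workflow runs

jobs:
  aggregate:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ github.token }}
      GH_REPO: ${{ github.repository }}
    steps:
      - name: Check latest completed run of every audit
        run: |
          set -eu
          failed=0
          for wf in security-audit-rust.yml security-audit-js-npm.yml security-audit-js-codeql.yml; do
            # Latest *completed* run only, so an audit still in progress does not
            # count; "none" when the workflow has never completed a run.
            conclusion=$(gh run list -R "$GH_REPO" --workflow "$wf" --status completed --limit 1 \
                           --json conclusion --jq '.[0].conclusion // "none"')
            echo "$wf: $conclusion"
            # failure, cancelled, skipped, timed_out and "none" are all treated
            # as not passing; only an explicit success keeps the badge green.
            [ "$conclusion" = "success" ] || failed=1
          done
          exit "$failed"
```

Because each audit triggers a fresh aggregation, the status re-converges after the last of the three finishes each night; until then the job may report the previous night's result for an audit that is still running, which is why only completed runs are consulted.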
Breaking Changes
None. Security audits continue to run nightly. They are no longer blocking PR merges.
🤖 Generated with Claude Code