Skip to content

ci: add dependency audits and miri #126

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dev-jodee merged 7 commits into from
May 21, 2026
Merged

ci: add dependency audits and miri #126

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
d74edc9
ci: ignore dependabot patch updates
dev-jodee May 20, 2026
c5b98dc
ci: add dependency audits and miri
dev-jodee May 21, 2026
b30a944
ci: gate pnpm audit on fixable advisories
dev-jodee May 21, 2026
5ae9d2a
ci: simplify pnpm audit policy
dev-jodee May 21, 2026
7e43e10
ci: generate clients before vercel build
dev-jodee May 21, 2026
b2344b7
ci: fix vercel client generation
dev-jodee May 21, 2026
9f67c81
Merge remote-tracking branch 'origin/main' into ci/ignore-dependabot-…
dev-jodee May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 34 additions & 3 deletions .github/actions/setup/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,18 @@ name: 'Setup CI Environment'
description: 'Shared setup for Rust, Solana, pnpm, and optional surfpool'

inputs:
install-rust:
description: 'Install Rust toolchain'
required: false
default: 'true'
rust-toolchain:
description: 'Rust toolchain to install'
required: false
default: '1.92'
rust-components:
description: 'Rust components to install'
required: false
default: 'rustfmt, clippy'
enable-rust-cache:
description: 'Enable Rust caching (restore/save)'
required: false
Expand Down Expand Up @@ -30,18 +42,31 @@ inputs:
description: "Solana CLI version to install (e.g., 'v4.0.0')"
required: false
default: 'v4.0.0'
install-just:
description: 'Install just'
required: false
default: 'true'
install-pnpm:
description: 'Install pnpm and Node.js'
required: false
default: 'true'
install-pnpm-dependencies:
description: 'Install pnpm dependencies'
required: false
default: 'true'

runs:
using: 'composite'
steps:
- name: Setup Rust
if: inputs.install-rust == 'true'
uses: dtolnay/rust-toolchain@master
with:
toolchain: '1.92'
components: rustfmt, clippy
toolchain: ${{ inputs.rust-toolchain }}
components: ${{ inputs.rust-components }}

- name: Rust cache
if: inputs.enable-rust-cache == 'true'
if: inputs.install-rust == 'true' && inputs.enable-rust-cache == 'true'
uses: Swatinem/rust-cache@v2
with:
workspaces: '. -> target'
Expand Down Expand Up @@ -93,24 +118,29 @@ runs:
run: echo "$HOME/.local/bin" >> $GITHUB_PATH

- name: Install just
if: inputs.install-just == 'true'
uses: extractions/setup-just@v4
with:
just-version: '1.50.0'

- name: Install pnpm
if: inputs.install-pnpm == 'true'
uses: pnpm/action-setup@v4

- name: Setup Node.js
if: inputs.install-pnpm == 'true'
uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'

- name: Get pnpm store directory
if: inputs.install-pnpm == 'true'
id: pnpm-store
shell: bash
run: echo "path=$(pnpm store path)" >> $GITHUB_OUTPUT

- name: Cache pnpm store
if: inputs.install-pnpm == 'true'
id: pnpm-cache
uses: actions/cache@v4
with:
Expand All @@ -120,6 +150,7 @@ runs:
${{ runner.os }}-pnpm-

- name: Install pnpm dependencies
if: inputs.install-pnpm == 'true' && inputs.install-pnpm-dependencies == 'true'
shell: bash
run: pnpm install --frozen-lockfile

Expand Down
4 changes: 2 additions & 2 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ updates:
- package-ecosystem: cargo
directory: '/'
schedule:
interval: daily
interval: weekly
open-pull-requests-limit: 10
cooldown:
default-days: 7
Expand All @@ -20,7 +20,7 @@ updates:
- package-ecosystem: npm
directory: '/'
schedule:
interval: daily
interval: weekly
open-pull-requests-limit: 10
cooldown:
default-days: 7
Expand Down
64 changes: 64 additions & 0 deletions .github/workflows/security.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: Security

on:
push:
branches: [main]
pull_request:
schedule:
- cron: '0 9 * * *'
workflow_dispatch:

permissions:
contents: read

env:
CARGO_TERM_COLOR: always

jobs:
cargo-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: ./.github/actions/setup
with:
install-solana: 'false'
install-just: 'false'
install-pnpm: 'false'
rust-cache-key: 'cargo-audit'
- uses: taiki-e/install-action@v2
with:
tool: cargo-audit
- run: cargo audit

pnpm-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: ./.github/actions/setup
with:
install-rust: 'false'
enable-rust-cache: 'false'
install-solana: 'false'
install-just: 'false'
install-pnpm-dependencies: 'false'
- run: pnpm audit --ignore-unfixable

miri:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: ./.github/actions/setup
with:
rust-toolchain: 'nightly'
rust-components: 'miri'
install-solana: 'false'
install-just: 'false'
install-pnpm: 'false'
rust-cache-key: 'miri'
- uses: actions/cache@v5
with:
path: |
~/.cache/org.rust-lang.miri
key: miri-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
- run: cargo +nightly miri setup
- run: cargo +nightly miri test -p subscriptions-program
3 changes: 2 additions & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,8 @@
"flatted": "3.4.2",
"minimatch": "9.0.9",
"picomatch": "4.0.4",
"rollup": "4.60.2"
"rollup": "4.60.2",
"ws@^8.0.0": "8.20.1"
}
}
}
24 changes: 4 additions & 20 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading