ci(cargo-vet): merge regeneration of exemptions for cargo-vet for dependabot into main cargo-vet job

2026-01-02 00:00:52 -08:00 · 2025-04-14 12:19:08 +02:00
parent 9aab9d2d2a
commit 4896cd6130
2 changed files with 18 additions and 62 deletions
--- a/.github/workflows/cargo-crev-exemptions-dependabot.yml
+++ b/.github/workflows/cargo-crev-exemptions-dependabot.yml
@@ -1,62 +0,0 @@
-name: Dependabot Vet Exemptions
-on:
-  pull_request:
-    branches:
-      - main
-    paths:
-      - "Cargo.toml"
-      - "Cargo.lock"
-
-jobs:
-  dependabot-cargo-crev-exceptions:
-    if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.head_ref }}
-          token: ${{ secrets.GITHUB_TOKEN }} # Ensure push access
-
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-          key: cargo-vet-cache
-
-      - name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
-        run: |
-          rustup toolchain install stable
-          rustup default stable
-
-      - uses: actions/cache@v4
-        with:
-          path: ${{ runner.tool_cache }}/cargo-vet
-          key: cargo-vet-bin
-
-      - name: Add the tool cache directory to the search path
-        run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
-
-      - name: Ensure that the tool cache is populated with the cargo-vet binary
-        run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
-
-      - name: Regenerate vet exemptions
-        run: cargo vet regenerate exemptions
-
-      - name: Check for changes
-        run: git diff --exit-code || echo "Changes detected, committing..."
-
-      - name: Commit and push changes
-        if: success()
-        run: |
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions@github.com"
-          git add supply-chain/*
-          git commit -m "Regenerate cargo vet exemptions"
-          git push origin ${{ github.head_ref }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/supply-chain.yml
+++ b/.github/workflows/supply-chain.yml
@@ -46,6 +46,8 @@ jobs:
  cargo-vet:
    name: Vet Dependencies
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
@@ -67,5 +69,21 @@ jobs:
        run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
      - name: Ensure that the tool cache is populated with the cargo-vet binary
        run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
+      - name: Regenerate vet exemptions for dependabot PRs
+        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
+        run: cargo vet regenerate exemptions
+      - name: Check for changes in case of dependabot PR
+        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
+        run: git diff --exit-code || echo "Changes detected, committing..."
+      - name: Commit and push changes for dependabot PRs
+        if: success() && github.actor == 'dependabot[bot]'
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions@github.com"
+          git add supply-chain/*
+          git commit -m "Regenerate cargo vet exemptions"
+          git push origin ${{ github.head_ref }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Invoke cargo-vet
        run: cargo vet --locked