name: Supply-Chain
on:
  pull_request:
  push:
    branches: [main]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  cargo-deny:
    name: Deny dependencies with vulnerabilities or incompatible licenses
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2
  cargo-supply-chain:
    name: Supply Chain Report
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cache/cargo-supply-chain/
          key: cargo-supply-chain-cache
      - uses: actions/cache@v4
        with:
          path: ${{ runner.tool_cache }}/cargo-supply-chain
          key: cargo-supply-chain-bin
      - name: Add the tool cache directory to the search path
        run: echo "${{ runner.tool_cache }}/cargo-supply-chain/bin" >> $GITHUB_PATH
      - name: Ensure that the tool cache is populated with the cargo-supply-chain binary
        run: cargo install --root ${{ runner.tool_cache }}/cargo-supply-chain cargo-supply-chain
      - name: Update data for cargo-supply-chain
        run: cargo supply-chain update
      - name: Generate cargo-supply-chain report about publishers
        run: cargo supply-chain publishers
      - name: Generate cargo-supply-chain report about crates
        run: cargo supply-chain crates
    # The setup for cargo-vet follows the recommendations in the cargo-vet documentation: https://mozilla.github.io/cargo-vet/configuring-ci.html
  cargo-vet:
    name: Vet Dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
          key: cargo-vet-cache
      - name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
        run: |
          rustup toolchain install stable
          rustup default stable
      - uses: actions/cache@v4
        with:
          path: ${{ runner.tool_cache }}/cargo-vet
          key: cargo-vet-bin
      - name: Add the tool cache directory to the search path
        run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
      - name: Ensure that the tool cache is populated with the cargo-vet binary
        run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
      - name: Invoke cargo-vet
        run: cargo vet --locked