rosenpass/.github/workflows/supply-chain.yml

name: Supply-Chain
on:
  pull_request:
  push:
    branches: [main]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  cargo-deny:
    name: Deny dependencies with vulnerabilities or incompatible licenses
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2
  cargo-supply-chain:
    name: Supply Chain Report
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cache/cargo-supply-chain/
          key: cargo-supply-chain-cache
      - name: Install nightly toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
        run: |
          rustup toolchain install nightly
          rustup override set nightly
      - uses: actions/cache@v4
        with:
          path: ${{ runner.tool_cache }}/cargo-supply-chain
          key: cargo-supply-chain-bin
      - name: Add the tool cache directory to the search path
        run: echo "${{ runner.tool_cache }}/cargo-supply-chain/bin" >> $GITHUB_PATH
      - name: Ensure that the tool cache is populated with the cargo-supply-chain binary
        run: cargo install --root ${{ runner.tool_cache }}/cargo-supply-chain cargo-supply-chain
      - name: Update data for cargo-supply-chain
        run: cargo supply-chain update
      - name: Generate cargo-supply-chain report about publishers
        run: cargo supply-chain publishers
      - name: Generate cargo-supply-chain report about crates
        run: cargo supply-chain crates
    # The setup for cargo-vet follows the recommendations in the cargo-vet documentation: https://mozilla.github.io/cargo-vet/configuring-ci.html
  cargo-vet:
    name: Vet Dependencies
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.CI_BOT_PAT }}
      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
          key: cargo-vet-cache
      - name: Install nightly toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
        run: |
          rustup toolchain install nightly
          rustup override set nightly
      - uses: actions/cache@v4
        with:
          path: ${{ runner.tool_cache }}/cargo-vet
          key: cargo-vet-bin
      - name: Add the tool cache directory to the search path
        run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
      - name: Ensure that the tool cache is populated with the cargo-vet binary
        run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
      - name: Check if last commit was by Dependabot
        run: |
          git fetch origin ${{ github.head_ref }}
          git switch ${{ github.head_ref }}
          COMMIT_AUTHOR=$(gh api repos/${{ github.repository }}/commits/${{ github.sha }} --jq .author.login)
          if [[ "$COMMIT_AUTHOR" == "dependabot[bot]" ]]; then
            echo "The last commit was made by dependabot"
            IS_DEPENDABOT=true
          else
            echo "The last commit was not made by dependabot"
            IS_DEPENDABOT=false
          fi
          echo "IS_DEPENDABOT=$IS_DEPENDABOT" >> $GITHUB_ENV
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Check if the last commit's message ends in "--regenerate-exemptions"
        run: |
          # Get commit message
          COMMIT_MESSAGE=$(git log -1 --pretty=format:"%s")
          if [[ "$COMMIT_MESSAGE" == *"--regenerate-exemptions" ]]; then
            echo "The last commit message ends in --regenerate-exemptions"
            REGEN_EXEMP=true
          else
            echo "The last commit message does not end in --regenerate-exemptions"
            REGEN_EXEMP=false
          fi
          echo "REGEN_EXEMP=$REGEN_EXEMP" >> $GITHUB_ENV
      - name: Regenerate vet exemptions for dependabot PRs
        if: github.actor == 'dependabot[bot]' && (env.IS_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true')   # Run only for Dependabot PRs or if specifically requested
        run: cargo vet regenerate exemptions
      - name: Check for changes in case of dependabot PR
        if: github.actor == 'dependabot[bot]' && (env.IS_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true') # Run only for Dependabot PRs or if specifically requested
        run: git diff --exit-code || echo "Changes detected, committing..."
      - name: Commit and push changes for dependabot PRs
        if: success() && github.actor == 'dependabot[bot]' && (env.IS_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true')
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: Regenerate cargo vet exemptions
          commit_user_name: rosenpass-ci-bot[bot]
          commit_user_email: noreply@rosenpass.eu
          commit_author: Rosenpass CI Bot <noreply@rosenpass.eu>
        env:
          GITHUB_TOKEN: ${{ secrets.CI_BOT_PAT }}
      - name: Invoke cargo-vet
        run: cargo vet --locked