topgrade-rs · niStee · Jun 12, 2024 · Jul 27, 2024 · Jul 27, 2024 · Jul 27, 2024
diff --git a/.github/workflows/check_security_vulnerability.yml b/.github/workflows/check_security_vulnerability.yml
@@ -1,32 +1,86 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: Check Security Vulnerability
+name: Code Quality and Security
 
 on:
   pull_request:
   push:
     branches:
       - main
+  schedule:
+    - cron: '0 0 * * 0' # Run every Sunday at 00:00 (midnight)
 
 jobs:
-  lint:
-    name: DevSkim
-    runs-on: ubuntu-latest
+
+  shared-setup:
+    name: Shared Setup
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
     permissions:
       actions: read
       contents: read
       security-events: write
+    outputs:
+      checkout_ref: ${{ steps.checkout.outputs.ref }}
+      os: ${{ matrix.os }}
     steps:
       - name: Checkout code
+        id: checkout
         uses: actions/checkout@v4
 
+  devskim:
+    name: DevSkim Security Scan
+    needs: shared-setup
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.shared-setup.outputs.checkout_ref }}
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@v1
-
       - name: Upload DevSkim scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: devskim-results.sarif
+
+  rust-clippy:
+    name: Rust Clippy Analysis
+    needs: shared-setup
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.shared-setup.outputs.checkout_ref }}
+      - name: Cache Rust toolchain
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            ~/.rustup/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('**/Cargo.toml') }}-${{ github.sha }}
+      - name: Install Rust toolchain and required cargo
+        run: |
+          rustup toolchain install stable
+          cargo install clippy-sarif sarif-fmt --force
+      - name: Run rust-clippy
+        run: |
+          cargo clippy --all-features --message-format=json | clippy-sarif | tee rust-clippy-results-${{ runner.os }}.sarif | sarif-fmt
+        continue-on-error: true
+      - name: Upload Clippy analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: rust-clippy-results-${{ runner.os }}.sarif
+          wait-for-processing: true
+
+  osv-scanner:
+    name: OSV Scanner
+    needs: shared-setup
+    uses: "google/osv-scanner-action/.github/workflows/[email protected]"