CI: Update security scanning and add rs test coverage tracking

* update security.yml to use centrally managed workflow * use grcov to record coverage of rust tests * maven tests already had coverage recording * Upload rs and kt coverage results to codecov
decentralized-identity · Sep 6, 2024 · 772b286 · 772b286
1 parent 63ef7e6
commit 772b286
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 45 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -71,7 +71,17 @@ jobs:
       - name: Set Rust 1.74.0 as default
         run: rustup default 1.74.0
       - name: Test
-        run: cargo test --package web5
+        run: |
+          rustup component add llvm-tools-preview
+          cargo install grcov
+          cargo test --package web5
+        env:
+          RUSTFLAGS: -Cinstrument-coverage
+          LLVM_PROFILE_FILE: web5-rs-%p-%m.profraw
+      - name: Upload test coverage to Codecov
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 #v4.5.0
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   build_aarch64_apple_darwin:
     runs-on: macos-latest
@@ -221,6 +231,10 @@ jobs:
         run: |
           cd bound/kt/
           mvn test --batch-mode
+      - name: Upload test coverage to Codecov
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 #v4.5.0
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   kotlin-deploy-snapshot:
     needs:

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -1,4 +1,4 @@
-name: Security Scanning
+name: Security and License Scans
 
 on:
   pull_request_target:
@@ -17,46 +17,6 @@ on:
   workflow_dispatch:
 
 jobs:
-  # Snyk does not support rustlang yet
-  # snyk:
-  #   runs-on: ubuntu-latest
-
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@v4
-  #       with:
-  #         ref: ${{ github.head_ref }}
-
-  #     - name: Install Snyk
-  #       uses: snyk/actions/setup@master
-
-  #     - name: Snyk VULN and License Check Test
-  #       run: snyk test --all-projects --sarif-file-output=snyk.sarif
-  #       env:
-  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
-  #     - name: Upload SARIF result to GitHub Code Scanning
-  #       uses: github/codeql-action/upload-sarif@v2
-  #       if: always()
-  #       with:
-  #         sarif_file: snyk.sarif
-
-  fossa:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.head_ref }}
-
-      - name: Run FOSSA Scan
-        uses: fossas/fossa-action@main
-        with:
-          api-key: ${{ secrets.FOSSA_API_KEY }}
-
-      - name: Run FOSSA Test
-        uses: fossas/fossa-action@main
-        with:
-          api-key: ${{ secrets.FOSSA_API_KEY }}
-          run-tests: true
+  security-license-scan:
+    uses: TBD54566975/open-source-programs/.github/workflows/security.yml@main
+    secrets: inherit