ci(security): verify cargo-deny and enforce strict toolchain pin
@@ -3,6 +3,16 @@ set -euo pipefail
|
||||
|
||||
requested_toolchain="${1:-1.92.0}"
|
||||
fallback_toolchain="${2:-stable}"
|
||||
strict_mode_raw="${3:-${ENSURE_CARGO_COMPONENT_STRICT:-false}}"
|
||||
strict_mode="$(printf '%s' "${strict_mode_raw}" | tr '[:upper:]' '[:lower:]')"
|
||||
|
||||
is_truthy() {
|
||||
local value="${1:-}"
|
||||
case "${value}" in
|
||||
1 | true | yes | on) return 0 ;;
|
||||
*) return 1 ;;
|
||||
esac
|
||||
}
|
||||
|
||||
probe_cargo() {
|
||||
local toolchain="$1"
|
||||
@@ -33,6 +43,22 @@ export_toolchain_for_next_steps() {
|
||||
} >>"${GITHUB_ENV}"
|
||||
}
|
||||
|
||||
assert_rustc_version_matches() {
|
||||
local toolchain="$1"
|
||||
local expected_version="$2"
|
||||
local actual_version
|
||||
|
||||
if [[ ! "${expected_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
actual_version="$(rustup run "${toolchain}" rustc --version | awk '{print $2}')"
|
||||
if [ "${actual_version}" != "${expected_version}" ]; then
|
||||
echo "rustc version mismatch for ${toolchain}: expected ${expected_version}, got ${actual_version}" >&2
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
selected_toolchain="${requested_toolchain}"
|
||||
|
||||
echo "Ensuring cargo component is available for toolchain: ${requested_toolchain}"
|
||||
@@ -49,6 +75,11 @@ if ! probe_cargo "${requested_toolchain}"; then
|
||||
fi
|
||||
|
||||
if ! probe_cargo "${requested_toolchain}"; then
|
||||
if is_truthy "${strict_mode}"; then
|
||||
echo "::error::Strict mode enabled; cargo is unavailable for requested toolchain ${requested_toolchain}." >&2
|
||||
rustup toolchain list || true
|
||||
exit 1
|
||||
fi
|
||||
echo "::warning::Falling back to ${fallback_toolchain} because ${requested_toolchain} cargo remains unavailable."
|
||||
rustup toolchain install "${fallback_toolchain}" --profile default
|
||||
rustup component add cargo --toolchain "${fallback_toolchain}" || true
|
||||
@@ -60,6 +91,15 @@ if ! probe_cargo "${requested_toolchain}"; then
|
||||
selected_toolchain="${fallback_toolchain}"
|
||||
fi
|
||||
|
||||
if is_truthy "${strict_mode}" && [ "${selected_toolchain}" != "${requested_toolchain}" ]; then
|
||||
echo "::error::Strict mode enabled; refusing fallback toolchain ${selected_toolchain} (requested ${requested_toolchain})." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if is_truthy "${strict_mode}"; then
|
||||
assert_rustc_version_matches "${selected_toolchain}" "${requested_toolchain}"
|
||||
fi
|
||||
|
||||
export_toolchain_for_next_steps "${selected_toolchain}"
|
||||
|
||||
echo "Using Rust toolchain: ${selected_toolchain}"
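Review bot: `assert_rustc_version_matches` (second hunk) returns 0 silently whenever `expected_version` is not an exact `X.Y.Z` string, so strict mode invoked with a channel name such as `stable` enforces nothing about the compiler actually selected, even though the fourth hunk only calls the check in strict mode and the commit title promises a strict pin. The skip should at least be visible in the job log, e.g. replace the bare `return 0` with `echo "::warning::Strict mode: '${expected_version}' is not an exact X.Y.Z pin; skipping rustc version check." >&2` followed by `return 0`, or treat a non-pinned name under strict mode as an error like the other strict-mode branches do. The mismatch branch also reports with a plain `echo ... >&2` while every other new strict-mode failure uses a `::error::` workflow annotation; using `::error::` here too keeps the failure surfaced in the same place. Extracting the version with `awk '{print $2}'` depends on the `rustc X.Y.Z (...)` output layout, which holds today but is worth a one-line comment.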
|
||||
|
||||