ci: move audit check to cron (#13719)

risingwavelabs · Nov 29, 2023 · 14ff124 · 14ff124
1 parent b196953
commit 14ff124
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 22 deletions.
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -9,4 +9,11 @@ ignore = [
     # `chrono` also suffers from a similar vulnerability ([`RUSTSEC-2020-0159`](https://rustsec.org/advisories/RUSTSEC-2020-0159),
     # but it's already patched in `0.4.20` by rewriting vulnerable C function in Rust).
     "RUSTSEC-2020-0071",
+
+    # https://github.com/risingwavelabs/risingwave/issues/11842
+    "RUSTSEC-2023-0052",
+
+    # https://github.com/risingwavelabs/risingwave/issues/13703
+    # It's impossible to get rid of OpenSSL (or more accurately, the `rsa` crate), and no patch is yet available.
+    "RUSTSEC-2023-0071",
 ]
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,12 @@
+name: Security audit
+on:
+  schedule:
+    - cron: '0 0 * * *'
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: rustsec/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/ci/scripts/check.sh b/ci/scripts/check.sh
@@ -47,10 +47,3 @@ RUSTDOCFLAGS="-Clink-arg=-fuse-ld=lld" cargo test --doc
 echo "--- Show sccache stats"
 sccache --show-stats
 sccache --zero-stats
-
-# RUSTSEC-2023-0052: https://github.com/risingwavelabs/risingwave/issues/11842
-# RUSTSEC-2023-0071 https://github.com/risingwavelabs/risingwave/issues/13703
-echo "--- Run audit check"
-cargo audit \
-  --ignore RUSTSEC-2023-0052 \
-  --ignore RUSTSEC-2023-0071
diff --git a/ci/workflows/main-cron.yml b/ci/workflows/main-cron.yml
@@ -325,21 +325,6 @@ steps:
     timeout_in_minutes: 60
     retry: *auto-retry
 
-  - label: "misc check"
-    command: "ci/scripts/misc-check.sh"
-    if: |
-      !(build.pull_request.labels includes "ci/main-cron/skip-ci") && build.env("CI_STEPS") == null
-      || build.pull_request.labels includes "ci/run-misc-check"
-      || build.env("CI_STEPS") =~ /(^|,)misc-check(,|$$)/
-    plugins:
-      - docker-compose#v4.9.0:
-          run: rw-build-env
-          config: ci/docker-compose.yml
-      - shellcheck#v1.2.0:
-          files: ./**/*.sh
-    timeout_in_minutes: 5
-    retry: *auto-retry
-
   - label: "end-to-end iceberg sink test (release)"
     key: "e2e-iceberg-sink-tests"
     command: "ci/scripts/e2e-iceberg-sink-test.sh -p ci-release"