Move cargo-deny into a separate workflow on a schedule

neondatabase · Jan 7, 2025 · f83d74a · f83d74a
1 parent 30863c0
commit f83d74a
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 5 deletions.
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -231,11 +231,6 @@ jobs:
           cargo hakari generate --diff  # workspace-hack Cargo.toml is up-to-date
           cargo hakari manage-deps --dry-run  # all workspace crates depend on workspace-hack
 
-      # https://github.com/EmbarkStudios/cargo-deny
-      - name: Check rust licenses/bans/advisories/sources
-        if: ${{ !cancelled() }}
-        run: cargo deny check --hide-inclusion-graph
-
   build-and-test-locally:
     needs: [ tag, build-build-tools-image ]
     strategy:

diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
@@ -0,0 +1,33 @@
+name: cargo deny checks
+
+on:
+  pull_request:
+    paths:
+      - 'Cargo.lock'
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  cargo-deny:
+    strategy:
+      matrix: ${{ fromJSON(github.event_name == 'schedule' && '{"ref":["main","release","release-proxy"]}' || format('{{"ref":["{0}"]}}', github.sha)) }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ matrix.ref }}
+
+      # https://github.com/EmbarkStudios/cargo-deny
+      - name: Check rust licenses/bans/advisories/sources
+        if: ${{ !cancelled() }}
+        run: cargo deny check --hide-inclusion-graph
+
+      - name: Post to a Slack channel
+        if: ${{ github.event_name == 'schedule' && failure() }}
+        uses: slackapi/slack-github-action@v1
+        with:
+          channel-id: ${{ vars.CARGO_DENY_SCHEDULE_FAILURE_CHANNEL }}
+          slack-message: |
+            Periodic cargo-deny on ${{ matrix.ref }}: ${{ job.status }}
+            <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub Run>