security.yml

name: Security

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read
  pull-requests: write

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  rust-security:
    name: Rust Security Scan
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: src-tauri
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy

      - name: Install Linux dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf

      - name: Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          workspaces: src-tauri

      - name: Install security tools
        run: |
          cargo install cargo-audit --locked
          cargo install cargo-deny --locked

      - name: Run security checks
        id: security
        shell: bash
        run: |
          set +e

          cargo audit > /tmp/cargo-audit.txt 2>&1
          audit_exit=$?

          cargo deny check advisories > /tmp/cargo-deny.txt 2>&1
          deny_exit=$?

          cargo clippy --all-targets --all-features -- -D warnings -W clippy::unwrap_used -W clippy::expect_used -W clippy::panic > /tmp/cargo-clippy-security.txt 2>&1
          clippy_exit=$?

          echo "audit_exit=$audit_exit" >> "$GITHUB_OUTPUT"
          echo "deny_exit=$deny_exit" >> "$GITHUB_OUTPUT"
          echo "clippy_exit=$clippy_exit" >> "$GITHUB_OUTPUT"

          if [ "$audit_exit" -ne 0 ] || [ "$deny_exit" -ne 0 ] || [ "$clippy_exit" -ne 0 ]; then
            exit 1
          fi

      - name: Upload security logs
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: rust-security-logs
          path: |
            /tmp/cargo-audit.txt
            /tmp/cargo-deny.txt
            /tmp/cargo-clippy-security.txt

      - name: Comment security results on PR
        if: always() && github.event_name == 'pull_request'
        uses: actions/github-script@v7
        env:
          AUDIT_EXIT: ${{ steps.security.outputs.audit_exit }}
          DENY_EXIT: ${{ steps.security.outputs.deny_exit }}
          CLIPPY_EXIT: ${{ steps.security.outputs.clippy_exit }}
        with:
          script: |
            const fs = require("fs");
            const marker = "<!-- kore-rust-security-scan -->";
            const readTail = (file) => {
              try {
                const data = fs.readFileSync(file, "utf8");
                return data.slice(-3000);
              } catch {
                return "No output captured.";
              }
            };
            const statusLine = (name, code) => Number(code) === 0 ? `- ${name}: PASS` : `- ${name}: FAIL (exit ${code})`;
            const body = `${marker}
            ## Rust Security Scan
            ${statusLine("cargo audit", process.env.AUDIT_EXIT)}
            ${statusLine("cargo deny (advisories)", process.env.DENY_EXIT)}
            ${statusLine("cargo clippy security lints", process.env.CLIPPY_EXIT)}

            <details><summary>cargo audit (tail)</summary>

            \`\`\`
            ${readTail("/tmp/cargo-audit.txt")}
            \`\`\`
            </details>

            <details><summary>cargo deny (tail)</summary>

            \`\`\`
            ${readTail("/tmp/cargo-deny.txt")}
            \`\`\`
            </details>

            <details><summary>cargo clippy (tail)</summary>

            \`\`\`
            ${readTail("/tmp/cargo-clippy-security.txt")}
            \`\`\`
            </details>`;

            const { owner, repo } = context.repo;
            const issue_number = context.payload.pull_request.number;
            const comments = await github.paginate(github.rest.issues.listComments, {
              owner,
              repo,
              issue_number,
              per_page: 100,
            });
            const existing = comments.find((c) => c.user.type === "Bot" && c.body.includes(marker));
            if (existing) {
              await github.rest.issues.updateComment({
                owner,
                repo,
                comment_id: existing.id,
                body,
              });
            } else {
              await github.rest.issues.createComment({
                owner,
                repo,
                issue_number,
                body,
              });
            }