style: fix code formatting issues #9
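# Security Checks workflow.
# Builds the project on Linux, macOS and Windows and verifies that the
# test-only environment variable names (OK_MASTER_PASSWORD, OK_CONFIG_DIR,
# OK_DATA_DIR) do not appear in the release binary, that the test-env feature
# still builds, that cargo-audit has been run, and that an MSRV is declared.
name: Security Checks

on:
  push:
    branches: [ master, develop ]
  pull_request:
    branches: [ master, develop ]
  workflow_dispatch:

# Least privilege: every step here only reads the repository, so the
# GITHUB_TOKEN is restricted to read-only contents access.
permissions:
  contents: read

jobs:
  security-verification:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        include:
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
          - os: macos-latest
            target: x86_64-apple-darwin
          - os: windows-latest
            target: x86_64-pc-windows-msvc
    steps:
      # NOTE(review): the actions below are referenced by mutable tag/branch
      # (@v4, @stable). Pinning each `uses:` to a full commit SHA prevents a
      # retagged or compromised upstream from changing what runs in this job.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable
          targets: ${{ matrix.target }}

      - name: Cache dependencies
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: security-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}

      # NOTE(review): this verifies a --no-default-features build. Confirm that
      # shipped release binaries are built with the same feature set, otherwise
      # the check below inspects a different binary than the one users get.
      - name: Build release without test-env
        run: |
          cargo build --release --no-default-features

      - name: Verify test-env NOT in release binary (Linux/macOS)
        if: runner.os != 'Windows'
        run: |
          echo "Checking for test environment variables in release binary..."
          binary="target/release/ok"
          # Fail closed: a missing binary must not be reported as "clean".
          if [ ! -f "$binary" ]; then
            echo "❌ ERROR: $binary not found; cannot verify release binary"
            exit 1
          fi
          # -a treats the binary as text, -o prints only the matched names.
          if grep -a -o -E "OK_MASTER_PASSWORD|OK_CONFIG_DIR|OK_DATA_DIR" "$binary"; then
            echo "❌ ERROR: Test environment variables leaked to release!"
            exit 1
          fi
          echo "✅ Release binary verified clean"

      - name: Verify test-env NOT in release binary (Windows)
        if: runner.os == 'Windows'
        shell: pwsh
        run: |
          Write-Host "Checking for test environment variables in release binary..."
          $binaryPath = "target\release\ok.exe"
          # Fail closed: a missing binary must not be reported as "clean".
          if (-not (Test-Path $binaryPath)) {
            Write-Host "❌ ERROR: $binaryPath not found; cannot verify release binary"
            exit 1
          }
          $content = Get-Content $binaryPath -Raw -Encoding ASCII
          if ($content -match "OK_MASTER_PASSWORD|OK_CONFIG_DIR|OK_DATA_DIR") {
            Write-Host "❌ ERROR: Test environment variables leaked to release!"
            exit 1
          }
          Write-Host "✅ Release binary verified clean"

      - name: Verify test-env feature works
        run: |
          cargo build --features test-env
          echo "✅ Build with test-env feature successful"

      # --locked installs cargo-audit with the dependency versions from its
      # own Cargo.lock instead of re-resolving them on every run.
      - name: Install cargo-audit
        run: |
          cargo install cargo-audit --locked

      # The audit stays non-blocking, as before, but its real outcome is kept
      # (continue-on-error) and reported in the summary instead of being
      # replaced by an unconditional success exit code.
      - name: Run security audit
        id: audit
        continue-on-error: true
        run: |
          cargo audit

      # shell: bash is required because the default shell on Windows runners
      # is PowerShell, which cannot parse the if/then/fi syntax used here.
      - name: Check MSRV in Cargo.toml
        shell: bash
        run: |
          if grep -q "rust-version" Cargo.toml; then
            echo "✅ MSRV declared in Cargo.toml"
            grep "rust-version" Cargo.toml
          else
            echo "❌ ERROR: MSRV not declared in Cargo.toml"
            exit 1
          fi

      # shell: bash so that $GITHUB_STEP_SUMMARY expands as an environment
      # variable on every runner, including Windows.
      - name: Security summary
        shell: bash
        run: |
          echo "## Security Verification" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "✅ Release binary verified clean (no test-env strings)" >> "$GITHUB_STEP_SUMMARY"
          echo "✅ test-env feature flag working" >> "$GITHUB_STEP_SUMMARY"
          echo "✅ MSRV declared in Cargo.toml" >> "$GITHUB_STEP_SUMMARY"
          if [ "${{ steps.audit.outcome }}" = "success" ]; then
            echo "✅ cargo audit reported no advisories" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "⚠️ Security audit found potential issues (non-blocking; see the audit step log)" >> "$GITHUB_STEP_SUMMARY"
          fi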