ci: add clippy results to GitHub code scans

In the past, we've overlooked clippy warnings that get lost in the CI build logs. This change would collect all of those warnings, put them in [SARIF] form, and list them in GitHub's code scanning view. I recently added this to `ittapi` and it looks like this: [Code Scanning]. This means warnings and errors will show up on the security tab as a notification; the UI allows one to dismiss the warnings. There might be some integration with PRs but I haven't experimented with that. I configured this to also run periodically (every Tuesday night); we can remove that if we only want commits to `main`, e.g. If we do adopt this, we should think about what to do with the `clippy` job in `main.yml`--does it stay or go? [SARIF]: https://sarifweb.azurewebsites.net [Code Scanning]: https://github.com/intel/ittapi/security/code-scanning?query=branch%3Amaster+
bytecodealliance · Sep 26, 2024 · 75571b3 · 75571b3
1 parent 110e70f
commit 75571b3
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -0,0 +1,48 @@
+# Scan the code in this repository; publish results to
+# https://github.com/bytecodealliance/wasmtime/security/code-scanning.
+
+name: Code Scan
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "4 3 * * 2"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (Rust)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install clippy
+        run: rustup component add clippy
+
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@3a99ae3c155195e5518c9ff954bee1b90f98b82c # v1.10.6
+
+      - name: Install dependencies
+        run: cargo binstall --no-confirm clippy-sarif sarif-fmt
+
+      - name: Run clippy
+        run: |
+          cargo clippy --workspace --all-targets --message-format=json > clippy.json
+          clippy-sarif --input clippy.json --output clippy.sarif
+          sarif-fmt --input clippy.sarif
+        continue-on-error: true
+
+      - name: Upload analysis
+        uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # v2.19.0
+        with:
+          sarif_file: clippy.sarif
+          wait-for-processing: true