refactor(sca): Separate linters and sca for rust (#46)

Author: saisatishkarra

.github/workflows/luacheck.yml renamed to .github/workflows/lua-lint.yml

@@ -12,7 +12,7 @@ on:
   workflow_dispatch: {}
 
 jobs:
-  test-luacheck:
+  test-lua-lint:
     env:
       TEST_REPOSITORY: "${{github.repository_owner}}/atc-router"
     runs-on: ubuntu-latest
@@ -23,6 +23,6 @@ jobs:
         with:
           repository: ${{env.TEST_REPOSITORY}}
           path: ${{env.TEST_REPOSITORY}}
-      - uses: ./code-check-actions/luacheck
+      - uses: ./code-check-actions/lua-lint
         with:
           additional_args: '--no-default-config --config ${{env.TEST_REPOSITORY}}/.luacheckrc ${{env.TEST_REPOSITORY}}'

.github/workflows/rust-lint.yml

@@ -0,0 +1,37 @@
+name: Rust Lint Test
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    tags:
+    - '*'
+  workflow_dispatch: {}
+
+jobs:
+  test-rust-lint:
+    permissions:
+      # required for all workflows
+      security-events: write
+      checks: write
+      pull-requests: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+    env:
+      TEST_REPOSITORY: "${{github.repository_owner}}/atc-router"
+    runs-on: ubuntu-latest
+    name: Rust Code Linting checks
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3
+        with:
+          repository: ${{env.TEST_REPOSITORY}}
+          path: ${{env.TEST_REPOSITORY}}
+      - uses: ./code-check-actions/rust-lint
+        with:
+          token: ${{secrets.GITHUB_TOKEN}}
+          manifest_dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}}

.github/workflows/rustcheck.yml renamed to .github/workflows/rust-sca.yml

@@ -1,4 +1,4 @@
-name: Rust SCA and Lint Test
+name: Rust SCA Test
 
 on:
   pull_request:
@@ -31,8 +31,8 @@ jobs:
         with:
           repository: ${{env.TEST_REPOSITORY}}
           path: ${{env.TEST_REPOSITORY}}
-      - uses: ./code-check-actions/rustcheck
+      - uses: ./security-actions/scan-rust
         with:
           asset_prefix: ${{env.TEST_REPOSITORY}}
-          token: ${{secrets.GITHUB_TOKEN}}
-          dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}}
+          dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}}
+          codeql_upload: false

.github/workflows/semgrep.yml

@@ -30,7 +30,8 @@ jobs:
           repository: ${{env.TEST_REPOSITORY}}
           token: ${{secrets.GITHUB_TOKEN}}
           path: ${{env.TEST_REPOSITORY}}
-      - uses: Scimia/public-shared-actions/code-check-actions/semgrep@main
+      - uses: ./code-check-actions/semgrep
         with:
           additional_config: '--config p/rust'
+          codeql_upload: false
 

code-check-actions/luacheck/README.md renamed to code-check-actions/lua-lint/README.md

@@ -0,0 +1,64 @@
+# Rust clippy - Github Action
+
+This action uses Rust Clippy for code quality checks
+
+
+The action runs the following:
+- Installs rust
+- Run `clippy` to identify linting and code quality checks
+
+## Inputs
+
+```yaml
+manifest_dir: 
+  description: 'Speicify a directory to be scanned'
+  required: false
+  default: '.'
+```
+
+## Outputs:
+- Push: Commit check summary
+- PR: Github check Summary and PR annotations
+
+
+## Detailed example
+
+```yaml
+name: Rust Code Quality
+
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  rust:
+    name: Rust Clippy
+    runs-on: ubuntu-20.04
+    
+    permissions:
+      # required for all workflows
+      security-events: write
+      checks: write
+      pull-requests: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+  
+    if: (github.actor != 'dependabot[bot]')
+    
+    steps:
+    - name: Checkout source code
+      uses: actions/checkout@v3
+
+    - name: Rust Check
+      uses: Kong/public-shared-actions/code-check-actions/rust-lint@main
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+```

code-check-actions/luacheck/action.yml renamed to code-check-actions/lua-lint/action.yml

@@ -0,0 +1,70 @@
+name:  Rust Clippy
+description: Rust Linting using Clippy
+author: 'Kong'
+inputs:
+  manifest_dir: 
+    description: 'Rust Manifest Directory'
+    required: false
+    default: '.'
+  token: 
+    description: 'Github token to annotate files with findings'
+    required: true
+
+runs:
+  using: composite
+  steps:
+  
+    - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
+      with:
+        toolchain: stable
+        components: clippy
+
+    - name: Set Job Metadata
+      shell: bash
+      id: meta
+      env:
+        manifest_dir: ${{ inputs.manifest_dir }}
+      run: $GITHUB_ACTION_PATH/scripts/set-env.sh
+    
+    - uses: Swatinem/rust-cache@v1
+
+    - uses: actions-rs/clippy-check@v1
+      continue-on-error: true
+      with:
+        token: ${{ inputs.token }}
+        args: --manifest-path ${{ steps.meta.outputs.manifest_path }} -- -W clippy::correctness -W clippy::cargo -W clippy::pedantic
+        name: Rust Clippy Report
+
+    # - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
+    #   continue-on-error: true
+    #   with:
+    #     command: install
+    #     args: "clippy-sarif sarif-fmt"
+
+    # - name: Run Cargo Clippy
+    #   shell: bash
+    #   continue-on-error: true
+    #   run: |
+    #     cargo clippy --manifest-path ${{ steps.meta.outputs.manifest_path }} --message-format=json -- -W clippy::correctness -W clippy::cargo -W clippy::pedantic | clippy-sarif | tee rust_clippy_${{github.sha}}.sarif | sarif-fmt
+
+    # - name: Upload Rust Linting SARIF file to CodeQL
+    #   if: ${{ github.event.repository.visibility == 'public' }}
+    #   uses: github/codeql-action/upload-sarif@v2
+    #   with:
+    #     sarif_file: rust_clippy_${{github.sha}}.sarif
+    #     category: clippy_rust
+   
+    # - name: Upload Rust Linting results to workflow
+    #   if: always()
+    #   uses: actions/upload-artifact@v3
+    #   with:
+    #     name: rust_clippy_results.sarif
+    #     path: |
+    #       rust_clippy_${{github.sha}}.sarif
+    #     if-no-files-found: warn 
+    
+    # # Rust Clippy - Linting report
+    # - name:  Rust Linting Report - SARIF
+    #   shell: bash
+    #   run: |
+    #     cat rust_clippy_${{github.sha}}.sarif

code-check-actions/rust-lint/README.md

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ -n ${manifest_dir} ]]; then
+    echo "manifest_path=${manifest_dir}/Cargo.toml" >> $GITHUB_OUTPUT
+fi

code-check-actions/rust-lint/action.yml

@@ -6,6 +6,14 @@ inputs:
     description: 'Provide additional config to semgrep ci command using --config'
     required: false
     default: ''
+  codeql_upload:
+    description: 'Toggle to upload results to Github code scanning for public repositories'
+    required: false
+    default: true
+    type: choice
+    options:
+    - 'true'
+    - 'false'
 runs:
   using: 'composite'
   steps:
@@ -27,7 +35,7 @@ runs:
         if-no-files-found: warn
 
     - name: Upload SARIF to Github Code Scanning
-      if: ${{ always() && github.event.repository.visibility == 'public' }}
+      if: ${{ always() && inputs.codeql_upload == 'true' && github.event.repository.visibility == 'public' }}
       uses: github/codeql-action/upload-sarif@v2
       with:
         # Path to SARIF file relative to the root of the repository