Release v0.4.1: security hardening #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security audit | |
| # RustSec advisory scan, per the upstream recommendation: run when the | |
| # dependency set changes, plus a daily schedule so an advisory published | |
| # between dependency bumps still surfaces (scheduled runs file an issue). | |
| # This does not gate releases - `deny` in ci.yml queries the same advisory | |
| # database on every push, PR and tag, so a known CVE still fails the build. | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - "**/Cargo.toml" | |
| - "**/Cargo.lock" | |
| pull_request: | |
| paths: | |
| - "**/Cargo.toml" | |
| - "**/Cargo.lock" | |
| schedule: | |
| - cron: "0 6 * * *" | |
| permissions: | |
| contents: read | |
| # The action reports through a check run, and files an issue when a | |
| # scheduled run finds a new advisory. | |
| checks: write | |
| issues: write | |
| jobs: | |
| audit: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: rustsec/audit-check@v2.0.0 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} |