Release v0.5.1: RDAP domain expiry, latency heatmaps & CI-able test-a… #8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security audit | |
| # RustSec advisory scan, per the upstream recommendation: run when the | |
| # dependency set changes, plus a daily schedule so an advisory published | |
| # between dependency bumps still surfaces (scheduled runs file an issue). | |
| # This does not gate releases - `deny` in ci.yml queries the same advisory | |
| # database on every push, PR and tag, so a known CVE still fails the build. | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - "**/Cargo.toml" | |
| - "**/Cargo.lock" | |
| pull_request: | |
| paths: | |
| - "**/Cargo.toml" | |
| - "**/Cargo.lock" | |
| schedule: | |
| - cron: "0 6 * * *" | |
| # Manual runs, e.g. to re-scan after ignoring an advisory. | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| # The action reports through a check run, and files an issue when a | |
| # scheduled run finds a new advisory. | |
| checks: write | |
| issues: write | |
| jobs: | |
| audit: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| # Pre-install cargo-audit as a prebuilt release binary (~5s): without it, | |
| # audit-check falls back to `cargo install` and recompiles the scanner | |
| # from source (~3min) on every run - 98% of the daily job for a 3s scan. | |
| # A cache is the wrong tool here: the daily cron would keep a "latest" | |
| # binary warm forever, and the advisory DB must stay fresh anyway. | |
| - uses: taiki-e/install-action@v2 | |
| with: | |
| tool: cargo-audit | |
| - uses: rustsec/audit-check@v2.0.0 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} |