Skip to content

Security audit

Security audit #37

Workflow file for this run

name: Security audit
# RustSec advisory scan, per the upstream recommendation: run when the
# dependency set changes, plus a daily schedule so an advisory published
# between dependency bumps still surfaces (scheduled runs file an issue).
# This does not gate releases - `deny` in ci.yml queries the same advisory
# database on every push, PR and tag, so a known CVE still fails the build.
on:
push:
branches: [main]
paths:
- "**/Cargo.toml"
- "**/Cargo.lock"
pull_request:
paths:
- "**/Cargo.toml"
- "**/Cargo.lock"
schedule:
- cron: "0 6 * * *"
# Manual runs, e.g. to re-scan after ignoring an advisory.
workflow_dispatch:
permissions:
contents: read
# The action reports through a check run, and files an issue when a
# scheduled run finds a new advisory.
checks: write
issues: write
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
# Pre-install cargo-audit as a prebuilt release binary (~5s): without it,
# audit-check falls back to `cargo install` and recompiles the scanner
# from source (~3min) on every run - 98% of the daily job for a 3s scan.
# A cache is the wrong tool here: the daily cron would keep a "latest"
# binary warm forever, and the advisory DB must stay fresh anyway.
- uses: taiki-e/install-action@v2
with:
tool: cargo-audit
- uses: rustsec/audit-check@v2.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}