Security audit #1913
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security audit | |
on: | |
push: | |
branches: | |
- main | |
- release-* | |
tags: | |
# YYYYMMDD | |
- "20[0-9][0-9][0-1][0-9][0-3][0-9]*" | |
pull_request: | |
# For PRs we only want to fail if dependencies were changed. | |
paths: | |
- "**/Cargo.toml" | |
- "**/Cargo.lock" | |
workflow_dispatch: | |
# Run the audit job once a day on main. | |
schedule: | |
- cron: "0 0 * * *" | |
jobs: | |
security_audit: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
# See https://github.com/rustsec/audit-check for docs | |
# TODO: re-enable if https://github.com/rustsec/audit-check/pull/20 is merged | |
# - uses: rustsec/audit-check@v1 | |
# with: | |
# token: ${{ secrets.GITHUB_TOKEN }} | |
# Currently the rustsec/audit-check action regenerates the Cargo.lock | |
# file. Our binaries are built using the committed lock file. | |
# Re-generating the lock file can hide vulnerabilities. We therefore run | |
# cargo audit directly which respects our lock file. | |
- run: cargo audit |