-
Notifications
You must be signed in to change notification settings - Fork 69
35 lines (33 loc) · 1.02 KB
/
audit.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
name: Security audit
on:
push:
branches:
- main
- release-*
tags:
# YYYYMMDD
- "20[0-9][0-9][0-1][0-9][0-3][0-9]*"
pull_request:
# For PRs we only want to fail if dependencies were changed.
paths:
- "**/Cargo.toml"
- "**/Cargo.lock"
workflow_dispatch:
# Run the audit job once a day on main.
schedule:
- cron: "0 0 * * *"
jobs:
security_audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# See https://github.com/rustsec/audit-check for docs
# TODO: re-enable if https://github.com/rustsec/audit-check/pull/20 is merged
# - uses: rustsec/audit-check@v1
# with:
# token: ${{ secrets.GITHUB_TOKEN }}
# Currently the rustsec/audit-check action regenerates the Cargo.lock
# file. Our binaries are built using the committed lock file.
# Re-generating the lock file can hide vulnerabilities. We therefore run
# cargo audit directly which respects our lock file.
- run: cargo audit