diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
new file mode 100644
index 00000000..4d63f76b
--- /dev/null
+++ b/.github/workflows/audit.yml
@@ -0,0 +1,30 @@
+name: "Audit Dependencies"
+on:
+ push:
+ paths:
+ # Run if workflow changes
+ - '.github/workflows/audit.yml'
+ # Run on changed dependencies
+ - '**/Cargo.toml'
+ - '**/Cargo.lock'
+ # Run if the configuration file changes
+ - '**/audit.toml'
+ # Rerun periodicly to pick up new advisories
+ # schedule:
+ # - cron: '0 0 * * *'
+ # Run manually
+ workflow_dispatch:
+
+jobs:
+ audit:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions-rust-lang/audit@v1
+ name: Audit Rust Dependencies
+ with:
+ # Comma separated list of issues to ignore
+ ignore: RUSTSEC-2024-0370, RUSTSEC-2023-0071
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d11f5455..5a15e205 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -36,7 +36,4 @@ jobs:
 - name: Check consensus-spec-tests coverage (Linux)
 if: runner.os == 'Linux'
 run: scripts/ci/consensus-spec-tests-coverage.rb
- # Ignore RUSTSEC-2023-0071 because we don't use RSA in `jwt-simple`
- - name: Run cargo audit (Linux)
- if: runner.os == 'Linux'
- run: cargo audit --ignore RUSTSEC-2024-0370 --ignore RUSTSEC-2023-0071
+
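Review bot: The `ignore:` line in the new audit.yml carries over both advisory IDs but not the reason for them — the ci.yml step removed in the second hunk recorded RUSTSEC-2023-0071 as "we don't use RSA in `jwt-simple`", and that justification now lives nowhere, so nobody can tell when it becomes safe to drop; replace the generic "Comma separated list" comment with one line per ID, e.g. `# RUSTSEC-2023-0071: jwt-simple pulls in rsa, which this project does not use` plus a matching line for RUSTSEC-2024-0370, whose rationale is not stated anywhere in this diff. The `schedule:` trigger is left commented out, so with only the path-filtered `push` and `workflow_dispatch` an advisory published after the last Cargo.lock change will not surface until someone next touches a Cargo or audit.toml file; the removed step appears to have run on every Linux CI run, so this looks like a loss of coverage — either enable the cron or state in the comment why it is off. Both `uses:` references are mutable tags (`actions/checkout@v4`, `actions-rust-lang/audit@v1`); for the job that is itself the supply-chain check, pinning to a full commit SHA with the tag kept in a trailing comment (`actions-rust-lang/audit@<commit-sha>  # v1`) would be consistent with its purpose. `issues: write` is presumably there so the action can open issues for findings; if that is not intended, `contents: read` alone is the minimum.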