Skip to content

lint

lint #1189

Workflow file for this run

name: Security audit
on:
push:
branches:
- main
- release-*
tags:
# YYYYMMDD
- "20[0-9][0-9][0-1][0-9][0-3][0-9]*"
pull_request:
# For PRs we only want to fail if dependencies were changed.
paths:
- "**/Cargo.toml"
- "**/Cargo.lock"
workflow_dispatch:
# Run the audit job once a day on main.
schedule:
- cron: "0 0 * * *"
jobs:
security_audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# See https://github.com/rustsec/audit-check for docs
# TODO: re-enable if https://github.com/rustsec/audit-check/pull/20 is merged
# - uses: rustsec/audit-check@v1
# with:
# token: ${{ secrets.GITHUB_TOKEN }}
# Currently the rustsec/audit-check action regenerates the Cargo.lock
# file. Our binaries are built using the committed lock file.
# Re-generating the lock file can hide vulnerabilities. We therefore run
# cargo audit directly which respects our lock file.
- run: cargo audit