fix(ci): switch from cargo-audit to cargo-deny for advisory scanning (#7032)

Signed-off-by: Adrian Cole <adrian@tetrate.io>
This commit is contained in:
Adrian Cole
2026-02-09 23:28:57 +08:00
committed by GitHub
parent 3d562f8000
commit 9544570b16
3 changed files with 34 additions and 32 deletions
-32
View File
@@ -1,32 +0,0 @@
name: "Cargo Audit"
on:
push:
paths:
# Run if workflow changes
- '.github/workflows/cargo-audit.yml'
# Run on changed dependencies
- '**/Cargo.toml'
- '**/Cargo.lock'
# Run if the configuration file changes
- '**/audit.toml'
# Rerun periodically to pick up new advisories
schedule:
- cron: '0 0 * * *'
# Run manually
workflow_dispatch:
jobs:
audit:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@v4
# https://github.com/marketplace/actions/cargo-audit-your-rust-dependencies
- uses: actions-rust-lang/audit@72c09e02f132669d52284a3323acdb503cfc1a24
name: Audit Rust Dependencies
with:
# sqlx-mysql pulls in rsa, but goose only uses sqlite. cargo-audit
# can't distinguish used from unused deps (rustsec/rustsec#1119).
ignore: RUSTSEC-2023-0071
+28
View File
@@ -0,0 +1,28 @@
name: "Cargo Deny"
on:
push:
paths:
# Run if workflow changes
- '.github/workflows/cargo-deny.yml'
# Run on changed dependencies
- '**/Cargo.toml'
- '**/Cargo.lock'
# Run if the configuration file changes
- 'deny.toml'
# Rerun periodically to pick up new advisories
schedule:
- cron: '0 0 * * *'
# Run manually
workflow_dispatch:
jobs:
deny:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
# https://github.com/EmbarkStudios/cargo-deny-action v2.0.15
- uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979
with:
command: check advisories
+6
View File
@@ -0,0 +1,6 @@
[advisories]
# Deny yanked crates to catch supply chain issues early.
yanked = "deny"
# Emulate cargo-audit which only checks vulnerabilities and yanked crates, not unmaintained/unsound.
unmaintained = "none"
unsound = "none"