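# Dependency-security gate for a Rust crate: cargo-audit checks Cargo.lock
# against the RustSec advisory database, cargo-deny enforces the policy in
# deny.toml. Both scanning jobs are gated on a committed Cargo.lock (see the
# `detect` job) so a repo without a lockfile skips cleanly instead of failing.
name: Security

on:
  push:
    branches: [main]
    paths:
      - Cargo.toml
      - Cargo.lock
      - deny.toml
      - .github/workflows/security.yml
  pull_request:
    branches: [main]
    paths:
      - Cargo.toml
      - Cargo.lock
      - deny.toml
      # Kept in sync with the push trigger: a PR that edits this workflow is
      # checked by its own version of the workflow before it lands on main.
      - .github/workflows/security.yml
  # Weekly re-run: advisories are published independently of lockfile changes,
  # so a dependency graph that passed last week can fail today.
  schedule:
    - cron: "0 6 * * 1"

# Least privilege for GITHUB_TOKEN. Nothing here writes to the repository, and
# without an explicit block the token inherits the repository's default scopes.
permissions:
  contents: read

jobs:
  # Publishes has_lockfile so the scanning jobs can be skipped via `if:` rather
  # than erroring out when Cargo.lock is absent.
  detect:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      has_lockfile: ${{ steps.check.outputs.has_lockfile }}
    steps:
      # NOTE(review): every third-party action in this file is pinned to a
      # floating major tag (@v6, @v1, @v2). For a security gate, pin each
      # `uses:` to a full-length commit SHA with the tag in a trailing comment,
      # and let Dependabot/Renovate move the pins, so a retargeted tag cannot
      # silently change what runs here.
      - uses: actions/checkout@v6
        with:
          # No later step needs git credentials; do not leave the token in
          # .git/config where subsequent actions could read it.
          persist-credentials: false
      - id: check
        run: |
          if [ -f Cargo.lock ]; then
            echo "has_lockfile=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_lockfile=false" >> "$GITHUB_OUTPUT"
          fi

  # cargo-audit scans Cargo.lock for RustSec advisories. `--deny warnings`
  # turns warning-level findings (yanked, unmaintained, unsound) into failures.
  audit:
    needs: detect
    if: needs.detect.outputs.has_lockfile == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
      # NOTE(review): the tool version is unpinned, so the scanner itself can
      # change between runs; `tool: cargo-audit@<version>` (supported by
      # install-action, verify against its README) makes results reproducible.
      - uses: taiki-e/install-action@v2
        with:
          tool: cargo-audit
      - run: cargo audit --deny warnings

  # cargo-deny enforces deny.toml (advisories, licenses, bans, sources).
  # Presumably falls back to cargo-deny's built-in defaults if deny.toml is
  # missing — the detect job does not check for it; confirm before relying
  # on a license or source policy being applied.
  deny:
    needs: detect
    if: needs.detect.outputs.has_lockfile == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
      # NOTE(review): same unpinned-tool caveat as the audit job.
      - uses: taiki-e/install-action@v2
        with:
          tool: cargo-deny
      - run: cargo deny check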