cargo-matrix 0.4.2

Run feature matrices against cargo commands that support feature lists
on:
  workflow_dispatch:
  push:
    branches:
      - master
    tags-ignore:
      - "*"
  pull_request:
  schedule:
    - cron: "22 3 * * *"

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

env:
  GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

name: 💣 Audit 💣

jobs:
  audit-check:
    runs-on: ubuntu-latest
    name: 💣 Audit 💣
    permissions:
      contents: read
      issues: write
    steps:
      - name: ✅ Checkout ✅
        # v6.0.2
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

      - name: 📦 Install cargo-binstall 📦
        # v1.19.1
        uses: cargo-bins/cargo-binstall@aaa84a43aec4955a42c5ffc65d258961e39f276e

      - name: 📦 Install cargo-audit 📦
        run: cargo binstall --no-confirm --maximum-resolution-timeout 20 cargo-audit

      - name: 💣 cargo audit 💣
        id: audit
        run: cargo audit -D warnings

      - name: 📝 Open issue for advisories 📝
        if: failure() && steps.audit.conclusion == 'failure' && github.event_name != 'pull_request'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          cargo audit --json > audit.json 2>/dev/null || true

          TITLE=$(jq -r '
            [
              (.vulnerabilities.list[]? | .advisory.id),
              (.warnings | to_entries[]? | .value[]? | .advisory.id // empty)
            ] | unique | sort | join(", ")
          ' audit.json)
          [ -z "$TITLE" ] && TITLE="cargo-audit: security advisories found"

          BODY=$(jq -r '
            (if (.vulnerabilities.list | length) > 0 then
              "## Vulnerabilities\n\n" +
              ([ .vulnerabilities.list[] |
                "### ‼️ \(.advisory.id) ‼️\n" +
                "<\(.advisory.url)>\n\n" +
                "| Field | Value |\n|---|---|\n" +
                "| Crate | `\(.package.name)` |\n" +
                "| Version | `\(.package.version)` |\n" +
                "| Title | \(.advisory.title) |\n" +
                "| Date | \(.advisory.date) |\n" +
                (if (.versions.patched | length) > 0
                 then "| Fix | upgrade to `\(.versions.patched | join("`, `"))` |"
                 else "| Fix | no fix available |"
                 end)
              ] | join("\n\n"))
            else "" end) +
            (if (.warnings | to_entries | map(.value | length) | add // 0) > 0 then
              "\n\n## Warnings\n\n" +
              ([ .warnings | to_entries[]? | .value[]? |
                "### ⚠️ \(.advisory.id // "Warning") — \(.kind // "unknown") ⚠️\n" +
                "- **Crate:** `\(.package.name)` \(.package.version)\n" +
                (if .advisory != null then "- **URL:** <\(.advisory.url)>" else "" end)
              ] | join("\n\n"))
            else "" end)
          ' audit.json)

          gh issue create --title "$TITLE" --body "$BODY"