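name: Security

# Triggers: a daily scheduled run, pushes and pull requests targeting main,
# and manual dispatch. The scheduled run re-checks dependencies even when no
# code has changed.
on:
  schedule:
    # Run security audit every day at 6 AM UTC
    - cron: "0 6 * * *"
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Least privilege: the jobs in this workflow only read the repository, so the
# GITHUB_TOKEN is restricted here instead of inheriting the repository or
# organization default, which may grant write access.
permissions:
  contents: read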

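jobs:
  # Checks the crate's dependencies with cargo-audit (RustSec advisories) and
  # publishes the machine-readable report as a build artifact.
  security_audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # No later step pushes or fetches, so do not keep the token
          # configured for git after checkout.
          persist-credentials: false

      # NOTE(review): the two third-party actions below are referenced by a
      # mutable branch/tag. Pinning each to a full commit SHA would keep an
      # upstream change from silently altering what this job executes.
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable

      - name: Install cargo-audit
        uses: taiki-e/install-action@v2
        with:
          tool: cargo-audit

      # Gate: a non-zero exit from cargo-audit fails the job.
      - name: Run cargo-audit
        run: cargo audit

      # Without an explicit condition these two steps are skipped as soon as
      # the gate above fails, so the report would be missing exactly when
      # findings exist. Run them on success and failure, but not on cancel.
      - name: Run cargo-audit with JSON output
        if: ${{ !cancelled() }}
        run: cargo audit --json > audit-results.json
        # The JSON run exits non-zero on findings too; the gate step already
        # decides the job result, so this one only has to produce the file.
        continue-on-error: true

      - name: Upload audit results
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v7
        with:
          name: security-audit-results
          path: audit-results.json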

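  # Reviews the dependency changes introduced by a pull request. The action
  # compares the PR's base and head, so the job is skipped for push, schedule
  # and manual runs.
  dependency_review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Pull-request code is checked out here and nothing pushes back, so
          # do not keep the token configured for git after checkout.
          persist-credentials: false

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Fail the check when a changed dependency carries a known
          # vulnerability of moderate severity or higher.
          fail-on-severity: moderate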

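  # Runs cargo-deny over the dependency graph. With no subcommand arguments,
  # `cargo deny check` runs all of its checks (advisories, bans, licenses,
  # sources).
  supply_chain_security:
    name: Supply Chain Security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # No later step pushes or fetches, so do not keep the token
          # configured for git after checkout.
          persist-credentials: false

      # NOTE(review): the two third-party actions below are referenced by a
      # mutable branch/tag. Pinning each to a full commit SHA would keep an
      # upstream change from silently altering what this job executes.
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable

      - name: Install cargo-deny
        uses: taiki-e/install-action@v2
        with:
          tool: cargo-deny

      # NOTE(review): the policy is presumably defined in a deny.toml in the
      # repository, which is not visible here. Confirm it exists, otherwise
      # cargo-deny falls back to its defaults.
      - name: Check licenses and security
        run: cargo deny check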