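# Security audit for dependencies.
# Runs daily and on pushes that touch the dependency manifest or either of
# the advisory exemption lists this workflow reads.
name: Security Audit

on:
  schedule:
    - cron: '0 6 * * *'
  push:
    paths:
      - 'Cargo.lock'
      - 'deny.toml'
      # The cargo-audit step reads this file, so edits to it (e.g. adding or
      # revoking an exemption) must re-run the audit as well.
      - '.cargo/audit.toml'

# Least privilege: the job only reads the repository and never writes to it,
# so the GITHUB_TOKEN is restricted to read access.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Install cargo-deny
        # NOTE(review): unlike the SHA-pinned checkout action above, the cargo
        # tools are installed at whatever version is current on crates.io at
        # run time. Pin with --version once a version is agreed on so the
        # audit is reproducible.
        run: cargo install --locked cargo-deny

      - name: Run cargo-deny
        run: cargo deny check

      - name: Run cargo-audit
        # cargo-audit 0.22 does NOT read config files — only CLI flags.
        # Build --ignore flags from .cargo/audit.toml so the exemption list
        # stays in sync with deny.toml without duplicating the list in
        # this workflow. Mirrors the aprender sovereign-ci.yml pattern.
        #
        # Comments are stripped before advisory ids are extracted, so a
        # commented-out (revoked) exemption is NOT silently honored, and every
        # id on a line is collected rather than only the last match.
        run: |
          cargo install --locked cargo-audit
          IGNORE_FLAGS=""
          if [ -f .cargo/audit.toml ]; then
            # grep exits 1 when the file lists no ids; that is not an error here.
            IDS="$(sed 's/#.*//' .cargo/audit.toml | grep -oE 'RUSTSEC-[0-9]+-[0-9]+' | sort -u || true)"
            for id in $IDS; do
              IGNORE_FLAGS="$IGNORE_FLAGS --ignore $id"
            done
            echo "Audit ignores: $IGNORE_FLAGS"
          fi
          # Word splitting of $IGNORE_FLAGS is intentional: each "--ignore ID"
          # pair must reach cargo-audit as separate arguments.
          cargo audit $IGNORE_FLAGS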