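# Security audit for dependencies
# Runs daily and on dependency changes (pushes that touch Cargo.lock or
# deny.toml). Pull requests are not a trigger here, so a lockfile change is
# only audited after it lands on the pushed branch.

name: Security Audit

on:
  schedule:
    - cron: '0 6 * * *'
  push:
    paths:
      - 'Cargo.lock'
      - 'deny.toml'

# Least privilege for the default GITHUB_TOKEN: the job only reads the two
# repositories it checks out and never writes to the repo, packages or
# security events.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    # Bound a stalled `cargo install` or registry outage instead of holding
    # a runner for the 6-hour default.
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

      - name: Checkout provable-contracts (path dep)
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          repository: paiml/provable-contracts
          path: provable-contracts

      - name: Symlink provable-contracts for Cargo path deps
        # Presumably Cargo.toml references ../provable-contracts relative to
        # the workspace — confirm against the manifest if this step changes.
        run: ln -sf "$GITHUB_WORKSPACE/provable-contracts" "$GITHUB_WORKSPACE/../provable-contracts"

      - name: Install cargo-deny
        # NOTE(review): the tool version itself is unpinned (whatever crates.io
        # serves at run time); --locked only honours cargo-deny's own lockfile.
        # Pin with --version for reproducible audit results.
        run: cargo install --locked cargo-deny

      - name: Run cargo-deny
        run: cargo deny check

      - name: Run cargo-audit
        # cargo-audit 0.22 does NOT read config files — only CLI flags.
        # Build --ignore flags from .cargo/audit.toml so exemption list
        # stays in sync with deny.toml without duplicating the list in
        # this workflow. Mirrors the aprender sovereign-ci.yml pattern.
        # Lines that are entirely comments are skipped, so an advisory id
        # that is merely mentioned or commented out in audit.toml cannot
        # silently become an exemption. Word splitting of $IGNORE_FLAGS is
        # intentional: it yields one --ignore per id.
        run: |
          cargo install --locked cargo-audit
          IGNORE_FLAGS=""
          if [ -f .cargo/audit.toml ]; then
            for id in $(sed -n '/^[[:space:]]*#/!s/.*\(RUSTSEC-[0-9]*-[0-9]*\).*/\1/p' .cargo/audit.toml); do
              IGNORE_FLAGS="$IGNORE_FLAGS --ignore $id"
            done
            echo "Audit ignores: $IGNORE_FLAGS"
          fi
          cargo audit $IGNORE_FLAGS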