name: Security Audit
on:
push:
branches: [ main, master ]
pull_request:
branches: [ main, master ]
schedule:
- cron: '0 2 * * *'
permissions:
contents: read
jobs:
security_audit_pr:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with:
persist-credentials: false
- name: Install stable toolchain
uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- name: Run security audit
run: cargo audit
security_audit:
if: github.event_name != 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
checks: write
steps:
- name: Checkout sources
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with:
persist-credentials: false
- name: Run security audit
uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 with:
token: ${{ secrets.GITHUB_TOKEN }}
dependency_check:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with:
persist-credentials: false
- name: Install stable toolchain
uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6
- name: Install cargo-machete
run: cargo install cargo-machete --locked
- name: Check for unused dependencies
run: cargo machete