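---
# GitHub Actions workflow: scheduled RustSec advisory audit of the
# resolved Cargo dependency graph.
#
# Runs daily plus on demand. NOT in the per-PR critical path: a PR
# rarely changes the audit verdict unless it touches Cargo.toml /
# Cargo.lock, and the audit signal (is anything in the resolved dep
# graph currently advisory-flagged?) is fundamentally about elapsed
# time vs the advisory database, not about which PR is open. Daily
# catches the common case (an existing dep gets a new advisory)
# without gating any commit.
name: Security audit

on:  # yamllint disable-line rule:truthy -- `on` is a YAML 1.1 boolean; GitHub's loader reads it as the trigger key
  schedule:
    # 06:17 UTC daily -- off-peak, off-the-hour to avoid GitHub's
    # cron load spike at minute 0.
    - cron: '17 6 * * *'
  workflow_dispatch:

# Explicit least-privilege token scope for every job in this workflow.
# The default GITHUB_TOKEN grant is repository-configurable (read-only or
# read/write), so declare what is needed instead of inheriting it.
# NOTE(review): audit-check publishes its result as a check run and, on a
# scheduled run, may open an issue -- confirm the exact scopes against the
# action's README before merging; drop any that are not required.
permissions:
  contents: read
  checks: write
  issues: write

jobs:
  audit:
    name: Security audit
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions are pinned to mutable tags. Pinning to a
      # full commit SHA (`uses: owner/repo@<40-hex-sha>  # vN`) removes
      # tag-retargeting from the audit's own supply chain; the version tag
      # can stay as a trailing comment for readability.
      - uses: actions/checkout@v6
      - uses: rustsec/audit-check@v2.0.0
        with:
          # Token the action uses to report results; its capabilities are
          # bounded by the `permissions` block above, not by this line.
          token: ${{ secrets.GITHUB_TOKEN }}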