rustberg 0.0.4

A production-grade, cross-platform, single-binary Apache Iceberg REST Catalog
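name: Security Audit

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run security audit daily at 6:00 AM UTC
    - cron: '0 6 * * *'
  workflow_dispatch:

# Least privilege: every job below only reads the repository. None of the
# steps uploads SARIF to code scanning, so `security-events: write` is not
# needed; grant it per job if a SARIF upload step is added later.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  # ===========================================================================
  # Rust Security Audit
  # ===========================================================================
  cargo-audit:
    name: Cargo Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No step in this job pushes; don't leave GITHUB_TOKEN in .git/config.
          persist-credentials: false

      - uses: dtolnay/rust-toolchain@stable

      - name: Install cargo-audit
        # --locked resolves the tool's dependencies from its own Cargo.lock
        # instead of whatever crates.io offers at run time (reproducible tool
        # build). Consider also pinning `--version` once a baseline is chosen.
        run: cargo install cargo-audit --locked

      - name: Run security audit
        # --deny warnings also fails on unmaintained / yanked / unsound advisories.
        run: cargo audit --deny warnings

  # ===========================================================================
  # Cargo Deny (License & Vulnerability Check)
  # ===========================================================================
  cargo-deny:
    name: Cargo Deny
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - uses: dtolnay/rust-toolchain@stable

      # Policy (advisories, licenses, bans, sources) comes from deny.toml in the
      # repository; keep its license list consistent with the dependency-review
      # job below.
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          log-level: warn
          command: check
          arguments: --all-features

  # ===========================================================================
  # MSRV (Minimum Supported Rust Version) Check
  # ===========================================================================
  msrv:
    name: MSRV Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install MSRV toolchain
        uses: dtolnay/rust-toolchain@1.89.0  # MSRV

      - uses: Swatinem/rust-cache@v2

      - name: Build with MSRV
        run: cargo build --all-features

  # ===========================================================================
  # Secret Scanning
  # ===========================================================================
  secrets:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history is required so TruffleHog can walk every commit.
          fetch-depth: 0
          persist-credentials: false

      - name: TruffleHog OSS
        # TODO(security): `@main` is a mutable ref — a compromised upstream
        # branch runs arbitrary code in this job. Pin to a full-length commit
        # SHA (and ideally do the same for the other third-party actions).
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # base="" + head=<ref> scans the whole branch rather than a diff.
          # NOTE(review): on pull_request events github.ref_name is "<n>/merge",
          # which after checkout exists only as a remote ref — confirm the scan
          # really covers PR commits, or use the action's default (no base/head).
          base: ""
          head: ${{ github.ref_name }}
          # NOTE(review): recent TruffleHog releases spell this
          # `--results=verified`; `--only-verified` may be a deprecated alias.
          extra_args: --only-verified

  # ===========================================================================
  # Dependency Review (PRs only)
  # ===========================================================================
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
          # SPDX identifiers. NOTE(review): `GPL-3.0` is a deprecated SPDX id;
          # current ids are `GPL-3.0-only` / `GPL-3.0-or-later` — verify which
          # spellings this action matches against.
          deny-licenses: GPL-3.0, AGPL-3.0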