sigstore 0.14.0

name: Security audit
on:
  schedule:
    - cron: "0 0 * * *"
  push:
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"

permissions: {}

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  audit:
    name: Audit for vulnerable crates
    permissions:
      checks: write # for rustsec/audit-check to create check
      contents: read # for actions/checkout to fetch code
      issues: write # for rustsec/audit-check to create issues
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Generate lockfile
        run: cargo generate-lockfile
      - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}