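---
# Dependency security audit for a Rust workspace: cargo-audit (advisory
# database) plus cargo-deny (advisories, bans, licenses, sources), gated by
# a single summary job that branch protection can require.
name: Security Audit

on:
  schedule:
    - cron: "0 0 * * *"  # daily, 00:00 UTC
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

# One run per PR (or per ref outside PRs). In-flight runs are cancelled
# except on the default branch, so a default-branch audit always completes.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}

env:
  CARGO_TERM_COLOR: always

# Default-deny: no token scopes unless a job asks for them explicitly.
permissions: {}

jobs:
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    permissions:
      # Presumably so the audit action can file tracking issues for
      # findings — confirm against the action's inputs; the token is
      # otherwise unprivileged.
      issues: write
    steps:
      # NOTE(review): major-version tags are mutable; pinning each action to
      # a full commit SHA would remove that supply-chain exposure.
      - uses: actions/checkout@v6
      - uses: Swatinem/rust-cache@v2
      - uses: actions-rust-lang/audit@v1

  cargo-deny:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        checks:
          - advisories
          - bans licenses sources
    # A failing advisories check does not fail this job, so audit-complete
    # sees it as success; advisory enforcement is expected to come from the
    # cargo-audit run in security-audit instead.
    continue-on-error: ${{ matrix.checks == 'advisories' }}
    steps:
      - uses: actions/checkout@v6
      - uses: Swatinem/rust-cache@v2
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check ${{ matrix.checks }}

  # Single required status check: fails if any upstream job failed or was
  # cancelled. always() keeps it running when an upstream job fails.
  audit-complete:
    needs:
      - security-audit
      - cargo-deny
    runs-on: ubuntu-latest
    if: ${{ always() }}
    steps:
      - name: Audit complete
        # The expression result is handed to the script through an env var
        # instead of being spliced into the script text, so the shell never
        # parses expression output as code.
        env:
          AUDIT_OK: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
        run: |
          if [ "$AUDIT_OK" = "true" ]; then
            echo "Audit succeeded"
          else
            echo "Audit failed"
            exit 1
          fi
        shell: bash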