name: Security audit
on:
push:
paths:
- "**/Cargo.toml"
- "**/Cargo.lock"
- ".github/workflows/audit.yml"
pull_request:
paths:
- "**/Cargo.toml"
- "**/Cargo.lock"
schedule:
# Re-run weekly so newly published advisories are caught even when the
# dependency set has not changed.
- cron: "0 6 * * 1"
jobs:
audit:
runs-on: ubuntu-latest
# rustsec/audit-check reports findings as a check run (and opens issues on
# the scheduled run); without these write scopes it fails with
# "Resource not accessible by integration" when posting results.
permissions:
contents: read
checks: write
issues: write
steps:
- uses: actions/checkout@v5
- uses: rustsec/audit-check@v2.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}