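---
# Security Audit: dependency advisories (cargo-audit, cargo-deny) and
# supply-chain policy (bans / licenses / sources) for the Rust workspace.
name: Security Audit

# yamllint disable-line rule:truthy -- `on` is the GitHub Actions trigger key
on:
  schedule:
    # Daily at 00:00 UTC so advisories published since the last push are
    # still picked up.
    - cron: "0 0 * * *"
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

concurrency:
  # One run per PR (per ref outside PRs). Superseded runs are cancelled
  # except on the default branch, where every run is kept.
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}

env:
  CARGO_TERM_COLOR: always

# Deny every GITHUB_TOKEN permission by default; each job re-grants only
# what it needs.
permissions: {}

jobs:
  security-audit:
    name: cargo-audit / issue reporting
    runs-on: ubuntu-latest
    permissions:
      contents: read  # actions/checkout (top-level `permissions: {}` grants nothing)
      issues: write   # issue reporting (see job name)
    # NOTE(review): on pull_request runs from forks GITHUB_TOKEN is read-only,
    # so issue creation is not possible there — confirm the action tolerates it.
    steps:
      # TODO(review): pin third-party actions to a full commit SHA
      # (e.g. `uses: actions/checkout@<full-commit-sha> # v6`) so that a
      # moved or re-pointed tag cannot change the code that runs here.
      # Applies to every `uses:` line in this workflow.
      - uses: actions/checkout@v6
      - uses: Swatinem/rust-cache@v2
      - uses: actions-rust-lang/audit@v1

  cargo-deny-advisories:
    name: cargo-deny / advisories
    runs-on: ubuntu-latest
    permissions:
      contents: read  # actions/checkout
    steps:
      - uses: actions/checkout@v6
      - uses: Swatinem/rust-cache@v2
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check advisories

  cargo-deny-policy:
    name: cargo-deny / bans licenses sources
    runs-on: ubuntu-latest
    permissions:
      contents: read  # actions/checkout
    steps:
      - uses: actions/checkout@v6
      - uses: Swatinem/rust-cache@v2
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check bans licenses sources

  # Single status check for branch protection to require.
  # Runs even when a needed job fails (always()), but only the policy job's
  # result decides pass/fail: findings from security-audit and
  # cargo-deny-advisories are visible in the run without failing this gate.
  # NOTE(review): looks deliberate (advisories are tracked via issues) — confirm.
  audit-complete:
    needs:
      - security-audit
      - cargo-deny-advisories
      - cargo-deny-policy
    runs-on: ubuntu-latest
    if: ${{ always() }}
    steps:
      - name: Audit complete
        env:
          # Passed through the environment rather than interpolated into the
          # script so the shell never sees an expression result as code.
          POLICY_RESULT: ${{ needs['cargo-deny-policy'].result }}
        # Anything other than "success" (failure, cancelled, skipped) fails the gate.
        run: |
          if [[ "$POLICY_RESULT" == "success" ]]; then
            echo "Audit succeeded"
          else
            echo "Audit failed"
            exit 1
          fi
        shell: bash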