Skip to content

Security audit

Security audit #1591

Workflow file for this run

# SPDX-FileCopyrightText: 2023 MTRNord
#
# SPDX-License-Identifier: CC0-1.0
name: Security audit
on:
push:
paths:
- "**/Cargo.toml"
- "**/Cargo.lock"
pull_request:
workflow_dispatch:
schedule:
- cron: "0 0 * * *"
permissions:
contents: read
jobs:
audit:
runs-on: ubuntu-latest
permissions:
issues: write
checks: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
with:
egress-policy: block
allowed-endpoints: >
api.github.com:443
artifactcache.actions.githubusercontent.com:443
frsnacprodeus2file1.blob.core.windows.net:443
github.com:443
gitlab.com:443
static.rust-lang.org:443
index.crates.io:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- uses: Swatinem/rust-cache@81d053bdb0871dcd3f10763c8cc60d0adc41762b
- uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3
with:
token: ${{ secrets.GITHUB_TOKEN }}
cargo-deny:
runs-on: ubuntu-latest
strategy:
matrix:
checks:
- advisories
- bans licenses sources
# Prevent sudden announcement of a new advisory from failing ci:
continue-on-error: ${{ matrix.checks == 'advisories' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
with:
egress-policy: block
allowed-endpoints: >
crates.io:443
index.crates.io:443
api.github.com:443
github.com:443
gitlab.com:443
static.crates.io:443
static.rust-lang.org:443
index.crates.io:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- uses: EmbarkStudios/cargo-deny-action@1e59595bed8fc55c969333d08d7817b36888f0c5
with:
command: check ${{ matrix.checks }}