From e6d9003d09098ea1a107492e3ea6d2b94d9973bf Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Tue, 17 Dec 2019 07:26:44 -0800
Subject: [PATCH] .github: split security_audit.yml; ignore spin advisory

Splits the security audit into a separate file which only runs on Cargo.toml changes or on a regular schedule. Ignores the RUSTSEC-2019-0031 warning advisory.
---
 .github/workflows/rust.yml | 23 --------------
 .github/workflows/security_audit.yml | 45 ++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 23 deletions(-)
 create mode 100644 .github/workflows/security_audit.yml

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index e48b8c8..c6aebe2 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -150,26 +150,3 @@ jobs:
 with:
 command: clippy
 args: --all --all-features -- -D warnings
-
- # TODO: use actions-rs/audit-check
- security_audit:
- name: Security Audit
- runs-on: ubuntu-latest
- steps:
- - name: Checkout sources
- uses: actions/checkout@v1
- - name: Install stable toolchain
- uses: actions-rs/toolchain@v1
- with:
- toolchain: stable
- override: true
- - name: Install cargo audit
- run: cargo install cargo-audit
- - name: Run cargo audit
- uses: actions-rs/cargo@v1
- with:
- command: audit
- args: --deny-warnings
diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
new file mode 100644
index 0000000..faaf741
--- /dev/null
+++ b/.github/workflows/security_audit.yml
@@ -0,0 +1,45 @@
+name: Security Audit
+on:
+ pull_request:
+ paths: Cargo.lock
+ push:
+ branches: develop
+ paths: Cargo.lock
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ # TODO: use actions-rs/audit-check
+ security_audit:
+ name: Security Audit
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@v1
+
+ - name: Cache cargo registry
+ uses: actions/cache@v1
+ with:
+ path: ~/.cargo/registry
+ key: ${{ runner.os }}-cargo-registry-${{ hashFiles('Cargo.lock') }}
+
+ - name: Cache cargo index
+ uses: actions/cache@v1
+ with:
+ path: ~/.cargo/git
+ key: ${{ runner.os }}-cargo-index-${{ hashFiles('Cargo.lock') }}
+
+ - name: Install stable toolchain
+ uses: actions-rs/toolchain@v1
+ with:
+ toolchain: stable
+ override: true
+
+ - name: Install cargo audit
+ run: cargo install cargo-audit
+
+ - name: Run cargo audit
+ uses: actions-rs/cargo@v1
+ with:
+ command: audit
+ args: --deny-warnings --ignore RUSTSEC-2019-0031 # spin
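Review bot: `--ignore RUSTSEC-2019-0031` on the final `args` line suppresses the advisory indefinitely with only the trailing `# spin` as rationale, so nothing will prompt its removal once the dependency is dropped or the advisory is upgraded from a warning; a comment above the step such as `# RUSTSEC-2019-0031 is a warning-level advisory for the spin crate; remove this --ignore once spin is no longer in Cargo.lock, and re-evaluate if the advisory is reclassified` records both the reason and the exit condition. The `on:` block filters on `Cargo.lock` while the commit message says the audit runs on Cargo.toml changes — filtering on the lockfile is the better choice since it also catches transitive updates, so the description is what should be corrected. `paths: Cargo.lock` and `branches: develop` are bare scalars where the workflow schema documents sequences; confirm the runner accepts them, otherwise write `paths: [Cargo.lock]` and `branches: [develop]`. `run: cargo install cargo-audit` is unpinned, so the tool version, and with it the advisory database handling, drifts silently between scheduled runs; pinning with `--version` or `--locked` keeps audit results reproducible.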