From e6e9802f3ef5bbec2d83656be4e55be2235ee8b1 Mon Sep 17 00:00:00 2001 From: Uwe Klotz Date: Tue, 3 Oct 2023 16:06:50 +0200 Subject: [PATCH] GitHub CI: Replace security-audit with dependency-audit workflow (#223) --- .deny.toml | 41 +++++++++++++++++++ ...urity-audit.yaml => dependency-audit.yaml} | 22 ++++------ 2 files changed, 50 insertions(+), 13 deletions(-) create mode 100644 .deny.toml rename .github/workflows/{security-audit.yaml => dependency-audit.yaml} (50%) diff --git a/.deny.toml b/.deny.toml new file mode 100644 index 00000000..1943d6a5 --- /dev/null +++ b/.deny.toml @@ -0,0 +1,41 @@ +# SPDX-FileCopyrightText: Copyright (c) 2017-2023 slowtec GmbH +# SPDX-License-Identifier: CC0-1.0 + +all-features = false +no-default-features = false +feature-depth = 1 + +[advisories] +db-path = "~/.cargo/advisory-db" +db-urls = ["https://github.com/rustsec/advisory-db"] +vulnerability = "deny" +unmaintained = "warn" +yanked = "warn" +notice = "warn" + +[licenses] +unlicensed = "deny" +allow = [ + "Apache-2.0", + "BSD-2-Clause", + "MIT", + "MPL-2.0", + "Unicode-DFS-2016", +] +copyleft = "warn" +allow-osi-fsf-free = "neither" +default = "deny" +confidence-threshold = 0.8 + +[bans] +multiple-versions = "warn" +wildcards = "allow" +highlight = "all" +workspace-default-features = "allow" +external-default-features = "allow" + +[sources] +unknown-registry = "warn" +unknown-git = "warn" +allow-registry = ["https://github.com/rust-lang/crates.io-index"] +allow-git = [] diff --git a/.github/workflows/security-audit.yaml b/.github/workflows/dependency-audit.yaml similarity index 50% rename from .github/workflows/security-audit.yaml rename to .github/workflows/dependency-audit.yaml index 56ee5630..7d9a5cc7 100644 --- a/.github/workflows/security-audit.yaml +++ b/.github/workflows/dependency-audit.yaml @@ -3,7 +3,7 @@ # yaml-language-server: $schema=https://json.schemastore.org/github-workflow -name: security-audit +name: dependency-audit permissions: contents: read @@ -22,18 +22,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: dtolnay/rust-toolchain@stable - - - name: Install cargo-audit - run: cargo install cargo-audit - - uses: actions/checkout@v4 - - name: Cache Rust toolchain and build artifacts - uses: Swatinem/rust-cache@v2 - with: - # The cache should not be shared between different workflows and jobs. - shared-key: ${{ github.workflow }}-${{ github.job }} + - name: Generate Cargo.lock + run: cargo generate-lockfile - - name: Run security audit - run: cargo audit --deny unsound --deny yanked + - uses: EmbarkStudios/cargo-deny-action@v1 + with: + command: check + arguments: >- + --all-features + --locked