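# Weekly check of cargo dependencies against the RustSec Advisory Database.
# Creates/updates a GitHub issue with the "security" label on failure,
# and auto-closes it when all advisories are resolved.
#
# Hardening notes:
# - The job's token is scoped to reading the checkout and writing issues;
#   nothing else is granted.
# - Step outputs (the audit text, the issue number) reach shell steps only
#   through `env`, never via `${{ }}` interpolation inside `run:` scripts, so
#   advisory text cannot alter the script itself.
# - Third-party actions are referenced by tag below. Pinning each `uses:` to
#   a full commit SHA (with the tag in a trailing comment) removes the risk of
#   a tag being retargeted; no SHAs are recorded here, so that step is left
#   to the maintainer.

name: Security Audit

on:
  schedule:
    - cron: "43 14 * * 1"
  workflow_dispatch:

concurrency:
  group: security-audit
  cancel-in-progress: true

jobs:
  audit:
    name: Advisory Check
    runs-on: ubuntu-latest
    # Only the upstream repository runs the schedule; forks skip it.
    if: github.repository_owner == 'arcuru'
    # Bound the run so a hung Nix build or network stall cannot hold the
    # runner until the platform's default job limit.
    timeout-minutes: 30
    permissions:
      issues: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v12

      - name: Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@v7

      - name: Check advisories
        id: audit
        # Exposes two outputs: `output` (full tool output, stdout+stderr) and
        # `exit_code`. The step always exits 0 so the issue bookkeeping below
        # runs on both outcomes. Any non-zero exit code is later treated as
        # "advisories found" -- a tool failure (e.g. the advisory database
        # could not be fetched) is therefore reported through the same issue;
        # the captured output shows which it was.
        run: |
          set +e
          OUTPUT=$(nix develop --command cargo deny check advisories 2>&1)
          EXIT_CODE=$?
          echo "$OUTPUT"
          # Use a per-run heredoc delimiter for the multi-line output. With a
          # fixed delimiter, a line of tool output equal to it would end the
          # value early and let the remaining lines be parsed as further
          # step outputs.
          DELIM="AUDIT_EOF_${RANDOM}${RANDOM}${RANDOM}"
          {
            echo "output<<${DELIM}"
            echo "$OUTPUT"
            echo "${DELIM}"
          } >> "$GITHUB_OUTPUT"
          echo "exit_code=$EXIT_CODE" >> "$GITHUB_OUTPUT"
          exit 0

      - name: Find existing issue
        id: find_issue
        # `in:title` limits the match to the issue title, so an unrelated open
        # "security" issue that merely quotes the phrase in its body is not
        # picked up and overwritten. Output `number` is empty when none exists.
        run: |
          ISSUE_NUMBER=$(gh issue list --label security --state open --search 'in:title "Security Advisory Alert"' --json number --jq '.[0].number // empty')
          echo "number=${ISSUE_NUMBER}" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Create or update issue on failure
        if: steps.audit.outputs.exit_code != '0'
        # The body is assembled in a temporary file and passed with
        # `--body-file` instead of bash pattern substitution: in
        # `${var//pat/$rep}` the replacement text is itself interpreted (at
        # least backslashes, and `&` on bash >= 5.2 where patsub_replacement
        # is on by default), so tool output containing those characters would
        # be mangled. A file also sidesteps the argv length limit for large
        # outputs.
        run: |
          set -euo pipefail
          TITLE="Security Advisory Alert"
          TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)
          BODY_FILE=$(mktemp)
          trap 'rm -f "$BODY_FILE"' EXIT

          # Keep the body under GitHub's issue-body size limit (65536 chars);
          # the full report remains in the workflow run log.
          MAX_OUTPUT_CHARS=60000
          AUDIT_TEXT="${AUDIT_OUTPUT:0:$MAX_OUTPUT_CHARS}"
          if [ "${#AUDIT_OUTPUT}" -gt "$MAX_OUTPUT_CHARS" ]; then
            AUDIT_TEXT="${AUDIT_TEXT}"$'\n'"[output truncated; see the workflow run log for the full report]"
          fi

          {
            cat <<'ISSUE_EOF'
          ## Security Advisory Found

          `cargo deny check advisories` found active advisories in dependencies.

          <details>
          <summary>Full output</summary>

          ```
          ISSUE_EOF
            printf '%s\n' "$AUDIT_TEXT"
            cat <<'ISSUE_EOF'
          ```

          </details>

          **Action required:** Review the advisories above and update affected dependencies or add ignore entries to `deny.toml` if appropriate.

          ISSUE_EOF
            printf '_Last checked: %s_\n' "$TIMESTAMP"
          } > "$BODY_FILE"

          if [ -n "$ISSUE_NUMBER" ]; then
            gh issue edit "$ISSUE_NUMBER" --body-file "$BODY_FILE"
          else
            gh issue create --title "$TITLE" --body-file "$BODY_FILE" --label security
          fi
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AUDIT_OUTPUT: ${{ steps.audit.outputs.output }}
          ISSUE_NUMBER: ${{ steps.find_issue.outputs.number }}

      - name: Close issue on success
        if: steps.audit.outputs.exit_code == '0' && steps.find_issue.outputs.number != ''
        run: |
          gh issue close "$ISSUE_NUMBER" --comment "All advisories resolved. Closing automatically."
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_NUMBER: ${{ steps.find_issue.outputs.number }}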