+2 -2

.github/workflows/nix.yml

reviewed

··· 23 23 - name: Format non-Rust 24 24 run: nix build .#checks.x86_64-linux.treefmt 25 25 26 26 - - name: Audit 27 27 - run: nix build .#audit 26 26 + - name: Deny (audit + licenses + bans) 27 27 + run: nix build .#deny 28 28 29 29 - name: Clippy 30 30 run: nix build .#clippy

+100

.github/workflows/security-audit.yml

reviewed

··· 1 1 + # Weekly check of cargo dependencies against the RustSec Advisory Database. 2 2 + # Creates/updates a GitHub issue with the "security" label on failure, 3 3 + # and auto-closes it when all advisories are resolved. 4 4 + 5 5 + name: Security Audit 6 6 + 7 7 + on: 8 8 + schedule: 9 9 + - cron: "43 14 * * 1" 10 10 + workflow_dispatch: 11 11 + 12 12 + concurrency: 13 13 + group: security-audit 14 14 + cancel-in-progress: true 15 15 + 16 16 + jobs: 17 17 + audit: 18 18 + name: Advisory Check 19 19 + runs-on: ubuntu-latest 20 20 + if: github.repository_owner == 'arcuru' 21 21 + permissions: 22 22 + issues: write 23 23 + contents: read 24 24 + steps: 25 25 + - name: Checkout 26 26 + uses: actions/checkout@v4 27 27 + 28 28 + - name: Install Nix 29 29 + uses: DeterminateSystems/nix-installer-action@v12 30 30 + 31 31 + - name: Nix Cache 32 32 + uses: DeterminateSystems/magic-nix-cache-action@v7 33 33 + 34 34 + - name: Check advisories 35 35 + id: audit 36 36 + run: | 37 37 + set +e 38 38 + OUTPUT=$(nix develop --command cargo deny check advisories 2>&1) 39 39 + EXIT_CODE=$? 40 40 + echo "$OUTPUT" 41 41 + { 42 42 + echo "output<<AUDIT_EOF" 43 43 + echo "$OUTPUT" 44 44 + echo "AUDIT_EOF" 45 45 + } >> "$GITHUB_OUTPUT" 46 46 + echo "exit_code=$EXIT_CODE" >> "$GITHUB_OUTPUT" 47 47 + exit 0 48 48 + 49 49 + - name: Find existing issue 50 50 + id: find_issue 51 51 + run: | 52 52 + ISSUE_NUMBER=$(gh issue list --label security --state open --search "Security Advisory Alert" --json number --jq '.[0].number // empty') 53 53 + echo "number=${ISSUE_NUMBER}" >> "$GITHUB_OUTPUT" 54 54 + env: 55 55 + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 56 56 + 57 57 + - name: Create or update issue on failure 58 58 + if: steps.audit.outputs.exit_code != '0' 59 59 + run: | 60 60 + TITLE="Security Advisory Alert" 61 61 + TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ) 62 62 + BODY=$(cat <<'ISSUE_EOF' 63 63 + ## Security Advisory Found 64 64 + 65 65 + `cargo deny check advisories` found active advisories in dependencies. 66 66 + 67 67 + <details> 68 68 + <summary>Full output</summary> 69 69 + 70 70 + ``` 71 71 + __AUDIT_OUTPUT__ 72 72 + ``` 73 73 + 74 74 + </details> 75 75 + 76 76 + **Action required:** Review the advisories above and update affected dependencies or add ignore entries to `deny.toml` if appropriate. 77 77 + 78 78 + _Last checked: __TIMESTAMP___ 79 79 + ISSUE_EOF 80 80 + ) 81 81 + BODY="${BODY//__TIMESTAMP__/$TIMESTAMP}" 82 82 + BODY="${BODY//__AUDIT_OUTPUT__/$AUDIT_OUTPUT}" 83 83 + 84 84 + if [ -n "$ISSUE_NUMBER" ]; then 85 85 + gh issue edit "$ISSUE_NUMBER" --body "$BODY" 86 86 + else 87 87 + gh issue create --title "$TITLE" --body "$BODY" --label security 88 88 + fi 89 89 + env: 90 90 + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 91 91 + AUDIT_OUTPUT: ${{ steps.audit.outputs.output }} 92 92 + ISSUE_NUMBER: ${{ steps.find_issue.outputs.number }} 93 93 + 94 94 + - name: Close issue on success 95 95 + if: steps.audit.outputs.exit_code == '0' && steps.find_issue.outputs.number != '' 96 96 + run: | 97 97 + gh issue close "$ISSUE_NUMBER" --comment "All advisories resolved. Closing automatically." 98 98 + env: 99 99 + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 100 100 + ISSUE_NUMBER: ${{ steps.find_issue.outputs.number }}

+18

deny.toml

reviewed

··· 1 1 + [advisories] 2 2 + 3 3 + [bans] 4 4 + multiple-versions = "warn" 5 5 + 6 6 + [licenses] 7 7 + allow = [ 8 8 + "Apache-2.0", 9 9 + "BSD-3-Clause", 10 10 + "bzip2-1.0.6", 11 11 + "CC0-1.0", 12 12 + "MIT", 13 13 + "MIT-0", 14 14 + "Unicode-3.0", 15 15 + "Unlicense", 16 16 + "Zlib", 17 17 + ] 18 18 + confidence-threshold = 0.95

-17

flake.lock

reviewed

··· 1 1 { 2 2 "nodes": { 3 3 - "advisory-db": { 4 4 - "flake": false, 5 5 - "locked": { 6 6 - "lastModified": 1774590906, 7 7 - "narHash": "sha256-tit8dEqdlNzGGDyV+veL47RKeG4Utp27nixn1U8tycg=", 8 8 - "owner": "rustsec", 9 9 - "repo": "advisory-db", 10 10 - "rev": "d15c149a7d336aec8c187b640a262c5385cb68cb", 11 11 - "type": "github" 12 12 - }, 13 13 - "original": { 14 14 - "owner": "rustsec", 15 15 - "repo": "advisory-db", 16 16 - "type": "github" 17 17 - } 18 18 - }, 19 3 "crane": { 20 4 "locked": { 21 5 "lastModified": 1774313767, ··· 90 74 }, 91 75 "root": { 92 76 "inputs": { 93 93 - "advisory-db": "advisory-db", 94 77 "crane": "crane", 95 78 "fenix": "fenix", 96 79 "flake-parts": "flake-parts",

+5 -11

flake.nix

reviewed

··· 15 15 inputs.rust-analyzer-src.follows = ""; 16 16 }; 17 17 18 18 - advisory-db = { 19 19 - # Rust dependency security advisories 20 20 - url = "github:rustsec/advisory-db"; 21 21 - flake = false; 22 22 - }; 23 23 - 24 18 # Flake helper for better organization with modules. 25 19 flake-parts = { 26 20 url = "github:hercules-ci/flake-parts"; ··· 116 110 # Run tests with cargo-nextest 117 111 test = craneLib.cargoNextest commonArgs; 118 112 119 119 - # Audit dependencies 120 120 - # This only runs when Cargo.lock files change 121 121 - audit = craneLib.cargoAudit (commonArgs 113 113 + # Audit dependencies, check licenses, and detect duplicate crates 114 114 + deny = craneLib.cargoDeny (commonArgs 122 115 // { 123 123 - inherit (inputs) advisory-db; 116 116 + # advisories excluded: needs network access (blocked by nix sandbox) 117 117 + cargoDenyChecks = "bans licenses sources"; 124 118 }); 125 119 }; 126 120 ··· 128 122 inherit cmprss; 129 123 # Build almost every package in checks, with exceptions: 130 124 # - coverage: It requires a full rebuild, and only needs to be run occasionally 131 131 - inherit (self.packages.${system}) clippy doc fmt test audit; 125 125 + inherit (self.packages.${system}) clippy doc fmt test deny; 132 126 }; 133 127 134 128 # This also sets up `nix fmt` to run all formatters