Skip to content

Commit a8229fa

Browse files
committed
Merge #200: ci(audit): add new nightly cargo audit job
4675271 ci(audit): add new `cargo audit` job (Leonardo Lima) Pull request description: ### Description As I was going through the recent audit issues in `bdk` and `bdk_wallet` I noticed this nightly job was missing here. I've added the new `audit.yml` job in CI and also added the `.cargo/audit.toml` in case we need to ignore any unapplicable advisories in the future. ### Changelog notice ``` ### Added - ci(audit): add new nightly `cargo audit` job - chore: add new `.cargo/audit.toml` ``` ### Checklists #### All Submissions: * [x] I followed the [contribution guidelines](https://github.com/bitcoindevkit/bdk/blob/master/CONTRIBUTING.md) ACKs for top commit: luisschwab: ACK 4675271 notmandatory: ACK 4675271 Tree-SHA512: 642829ba59fb6b04f0f23d3aff7297a0835ba92e94bec758fa16c486cd336928d552561c88c02002428733f2df1d957d570446267c3e8d4d66be9b28e4691c9f
2 parents 19a7084 + 4675271 commit a8229fa

2 files changed

Lines changed: 51 additions & 0 deletions

File tree

.cargo/audit.toml

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
# `cargo audit` config file
2+
#
3+
# All of the options which can be passed via CLI arguments can also be
4+
# permanently specified in this file.
5+
#
6+
# See original example: https://raw.githubusercontent.com/rustsec/rustsec/refs/heads/main/cargo-audit/audit.toml.example
7+
8+
[advisories]
9+
ignore = [] # advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
10+
11+
# Output Configuration
12+
[output]
13+
quiet = false # Only print information on error
14+
show_tree = true # Show inverse dependency trees along with advisories (default: true)
15+
16+
[yanked]
17+
enabled = true # Warn for yanked crates in Cargo.lock (default: true)
18+
update_index = true # Auto-update the crates.io index (default: true)

.github/workflows/audit.yml

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
name: Audit
2+
3+
# Performs a security audit of Rust dependencies using `cargo-audit` through the `actions-rust-lang/audit` action.
4+
# Runs nightly on schedule and when Cargo.toml, Cargo.lock, or audit.toml files are modified.
5+
# Helps identify known security vulnerabilities in the dependency tree.
6+
7+
on:
8+
push:
9+
paths:
10+
# Run if workflow changes
11+
- '.github/workflows/audit.yml'
12+
# Run on changed dependencies
13+
- '**/Cargo.toml'
14+
# Run if the configuration file changes
15+
- '**/audit.toml'
16+
# Rerun periodically to pick up new advisories
17+
schedule:
18+
- cron: '0 0 * * *' # Nightly
19+
# Run manually
20+
workflow_dispatch:
21+
22+
jobs:
23+
audit:
24+
runs-on: ubuntu-latest
25+
permissions:
26+
contents: read
27+
issues: write
28+
steps:
29+
- uses: actions/checkout@v6
30+
with:
31+
persist-credentials: false
32+
- uses: actions-rust-lang/audit@v1
33+
name: Audit Rust Dependencies

0 commit comments

Comments
 (0)