ci: add cargo audit workflow #867
Signed-off-by: Pau Capdevila <pau@githedgehog.com>
05a8a30 to f954801
I'm not sure you have this covered somewhere else. So far it could show 2 unmaintained crates: https://github.com/githedgehog/dataplane/actions/runs/17985301616/job/51161859356?pr=867
| - uses: actions/checkout@v4 | ||
| - uses: dtolnay/rust-toolchain@stable | ||
| - name: Install cargo-audit | ||
| run: cargo install cargo-audit |
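Review bot: `cargo install cargo-audit` in the last step compiles the tool from source on every run, and nothing in these lines caches the resulting binary, so each job pays the full build time before the scan starts; prefer a cached install, such as `cargo install --locked cargo-audit` with `~/.cargo/bin` restored from cache, or a maintained action that already caches. The refs `actions/checkout@v4` and `dtolnay/rust-toolchain@stable` are floating tags, so the toolchain and action code can change between runs; pinning them to a release tag or commit SHA keeps the audit job reproducible.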
Is there an image we can use with cargo audit installed instead of installing and building it each time?
Found an image but it's very old: https://github.com/simonhyll/cargo-audit/pkgs/container/cargo-audit
I guess we could build our own runner image but instead I propose to use another Action which is officially maintained and uses caching, which skips the redundant scan:
- initial run (2m 44s): https://github.com/githedgehog/dataplane/actions/runs/17992695074/attempts/1
- cache hit (13s): https://github.com/githedgehog/dataplane/actions/runs/17992695074/job/51186165551
Additionally, we may consider running Dependabot for Rust. I can raise a separate PR for it.

uses actions-rust-lang/audit, which has caching

Signed-off-by: Pau Capdevila <pau@githedgehog.com>
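A workflow using the cached action proposed above, added here as an illustration and not the PR's own workflow file. The action's `TOKEN` input and the permissions it wants are taken from the action's README as I recall it and are assumptions, not verified against this repository; the trigger paths and schedule are choices, not anything the PR specifies.

```yaml
# Added example; not this PR's workflow file.
name: Audit Rust dependencies
on:
  push:
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"
  pull_request:
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"
  schedule:
    # Daily rerun: an advisory can be published for a crate pinned in an
    # unchanged Cargo.lock, and a path-triggered job alone would never see it.
    - cron: "0 6 * * *"

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write   # the action reports findings as a check run (assumed from its README)
      issues: write   # only needed if the action is configured to open issues
    steps:
      - uses: actions/checkout@v4
      # Cached: skips the rescan when the lockfile and advisory DB are unchanged,
      # which is the 13s cache-hit run mentioned in the thread.
      - uses: actions-rust-lang/audit@v1
        with:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The scheduled trigger is the part that matters for a cached audit: with path filters only, a lockfile that nobody touches for weeks would keep passing on a stale result, so the daily run is what turns a newly published RUSTSEC advisory into a failing check.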
Thanks @pau-hedgehog, I think we're already covered for this repo. We've got We also have Dependabot set up for the repo, along with our own workflow to bump dependencies with

Ok, then I'm closing this. Sorry for wasting your time.

After updating the govulncheck in our Go repos I was doing my first incursion into the Rust world to see if there was something equivalent. Next time I'll spend some more time researching and/or asking. Thanks

No problem at all, thanks for looking into this!
No description provided.