Conversation
|
cc @satsfy |
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| lockfile: [Cargo.lock, Cargo-minimal.lock, Cargo-recent.lock] |
There was a problem hiding this comment.
Why is Cargo.lock part of the matrix?
There was a problem hiding this comment.
against all three checked-in lock files
Yeah there should only be two. Did I commit one in electrsd accidentally or something?
There was a problem hiding this comment.
Ah, right, dropped it.
There was a problem hiding this comment.
Actually, it might make sense to add a step to generate a clean-slate Cargo.lock for this and then have the audit job check it? Otherwise we could theoretically miss advisories that don't pertain to the specific versions checked-in via Cargo-{minimal, recent}.lock, but would still be present if users would just cargo build regularly?
There was a problem hiding this comment.
Now added a generate-lockfile step in 52e3dad, so we don't just check our checked-in versions over and over again.
|
As it stands no-one is ever going to look at the auction run (well I definitely won't remember to do it). Can we have the action raise an issue if there are warnings? Or is that going to be too noisy? I don't have a lot of experience with |
|
The GitHub bot will usually open an issue when there is a new RUSTSEC (see bitcoindevkit/bdk#2178). |
|
Does that bot hit projects to use |
|
Actually, I think we need to use the This is name: Audit
on:
push:
paths:
# Run if workflow changes
- '.github/workflows/audit.yml'
# Run on changed dependencies
- '**/Cargo.toml'
- '**/Cargo.lock'
# Run if the configuration file changes
- '**/audit.toml'
# Rerun periodically to pick up new advisories
schedule:
- cron: '0 0 * * *' # Nightly
# Run manually
workflow_dispatch:
jobs:
audit:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- uses: actions-rust-lang/audit@v1
name: Audit Rust DependenciesI could be talking out of my ass, I'm not certain about this. |
|
Sounds legit :) |
tnull
force-pushed
the
2026-04-audit-ci
branch
3 times, most recently
from
c425756 to
2dc1257
Compare
This will already do this, hence the
No, "The action does not raise issues when it is not triggered from a "cron" scheduled workflow." (see https://github.com/rustsec/audit-check#granular-permissions) If we want to validate that it works as expected, we could split out the fixes / bump commits to a second PR and first ensure the job opens an issue for the advisories found. Should we do that? |
Run security audits against all three checked-in lock files using the official rustsec/audit-check action. Triggers on push, PRs, and daily via cron to catch newly published advisories. Co-Authored-By: HAL 9000 Signed-off-by: Elias Rohrer <dev@tnull.de>
Addresses RUSTSEC-2026-0007 (bytes), RUSTSEC-2026-0067/0068 (tar), and RUSTSEC-2026-0097 (rand). Co-Authored-By: HAL 9000 Signed-off-by: Elias Rohrer <dev@tnull.de>
Bump ring to 0.17.14 to address RUSTSEC-2025-0009. Co-Authored-By: HAL 9000 Signed-off-by: Elias Rohrer <dev@tnull.de>
The checked-in Cargo-minimal.lock and Cargo-recent.lock are only as fresh as their last manual update, so advisories affecting versions that the resolver would pick right now can slip through between lock refreshes. Add a matrix leg that runs `cargo generate-lockfile` before auditing, giving us clean-slate coverage on every scheduled run. Co-Authored-By: HAL 9000 Signed-off-by: Elias Rohrer <dev@tnull.de>
|
@tcharding can you re-trigger the failing job? |
5 participants
Run security audits against all three checked-in lock files using the official rustsec/audit-check action. Triggers on push, PRs, and daily via cron to catch newly published advisories.
Co-Authored-By: HAL 9000