generate-lockfile overwrites a checked-in Cargo.lock #163
Comments
Sorry for the thrash here; this is in fact real. I've put up a repro at https://github.com/mullr/cargo-audit-action-repro/.
Rather than |
I also ran into this for a binary crate with checked in |
Another problem this behavior incurs:
And it doesn't need to, because a working |
Description
I have a repo where I've checked in Cargo.lock, since it's producing a binary which I'm shipping. I've just started getting audit violations in CI for this that I cannot reproduce locally. I've tracked this down to the generate-lockfile call at the beginning; this updates the checked-in Cargo.lock. In my case, it brings in a new vulnerability due to a transitive dependency update.
Workflow code
Expected behavior
If a Cargo.lock is in source control, it should be used as-is.
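The two workflow shapes side by side, as an added example that is neither this action's code nor anything posted in the issue: the first regenerates the lockfile unconditionally and so audits whatever resolves today, the second only generates one when the repository ships none and then checks that the checked-in file was not rewritten. It assumes a Rust toolchain is already on the runner and uses plain cargo-audit from crates.io; the job and step names are my own.

```yaml
name: audit
on: [push, pull_request]

jobs:
  # Problematic shape: Cargo.lock is rewritten on every run, so the set of
  # crates being audited drifts away from the set that was actually shipped.
  audit-regenerating:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo install cargo-audit --locked
      - run: cargo generate-lockfile   # overwrites a checked-in Cargo.lock
      - run: cargo audit

  # Corrected shape: a checked-in Cargo.lock is used as-is; a lockfile is
  # generated only when the repository does not contain one.
  audit-checked-in:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo install cargo-audit --locked
      - name: Generate Cargo.lock only if the repo does not ship one
        if: hashFiles('Cargo.lock') == ''
        run: cargo generate-lockfile
      - name: Audit exactly the lockfile that was checked in
        run: cargo audit
      - name: Fail the job if the tracked lockfile changed during the run
        # A freshly generated (untracked) lockfile is not reported by git diff,
        # so this only fires when a checked-in Cargo.lock was modified.
        run: git diff --exit-code -- Cargo.lock
```

The last step is what turns the "cannot reproduce locally" symptom into an explicit failure: if CI ever audits a different Cargo.lock than the one in source control, the job says so instead of silently reporting findings against a moving target.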