From af9935afd6ef94d65f18e5d3efc22b98a6997f73 Mon Sep 17 00:00:00 2001
From: Adrian Cole
Date: Fri, 6 Feb 2026 15:36:34 +0800
Subject: [PATCH 1/2] fix(ci): switch from cargo-audit to cargo-deny for advisory scanning

cargo-deny uses the actual dependency graph, eliminating false positives like RUSTSEC-2023-0071 (rsa via unused sqlx-mysql).

Signed-off-by: Adrian Cole
---
 .github/workflows/cargo-audit.yml | 12 ++++--------
 deny.toml | 6 ++++++
 2 files changed, 10 insertions(+), 8 deletions(-)
 create mode 100644 deny.toml

diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
index 22e15f0f4c15..38363653a3b4 100644
--- a/.github/workflows/cargo-audit.yml
+++ b/.github/workflows/cargo-audit.yml
@@ -8,7 +8,7 @@ on:
 - '**/Cargo.toml'
 - '**/Cargo.lock'
 # Run if the configuration file changes
- - '**/audit.toml'
+ - 'deny.toml'
 # Rerun periodically to pick up new advisories
 schedule:
 - cron: '0 0 * * *'
@@ -20,13 +20,9 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
- issues: write
 steps:
 - uses: actions/checkout@v4
- # https://github.com/marketplace/actions/cargo-audit-your-rust-dependencies
- - uses: actions-rust-lang/audit@72c09e02f132669d52284a3323acdb503cfc1a24
- name: Audit Rust Dependencies
+ # https://github.com/EmbarkStudios/cargo-deny-action v2.0.15
+ - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979
 with:
- # sqlx-mysql pulls in rsa, but goose only uses sqlite. cargo-audit
- # can't distinguish used from unused deps (rustsec/rustsec#1119).
- ignore: RUSTSEC-2023-0071
+ command: check advisories
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 000000000000..bd3d86ca2363
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,6 @@
+[advisories]
+# Deny yanked crates to catch supply chain issues early.
+yanked = "deny"
+# Emulate cargo-audit which only checks vulnerabilities and yanked crates, not unmaintained/unsound.
+unmaintained = "none"
+unsound = "none"
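Review bot: The step's `command: check advisories` limits cargo-deny to the advisory database, so the `bans`, `licenses` and `sources` checks it also offers are out of scope, and nothing in the hunk records that as a decision; a comment above the line, `# Advisories only: license, ban and source policy are not enforced by this job`, would keep a later reader from assuming the full `cargo deny check` runs here. The RUSTSEC-2023-0071 argument in the commit message holds only for the feature set cargo-deny resolves — as far as I recall the action passes `--all-features` unless its `arguments` input is overridden, which would bring optional backends such as sqlx-mysql back into the graph — so it is worth confirming which features the scan resolves and stating it next to the step. Dropping `issues: write` leaves the job with `contents: read`, which looks like the minimum this action needs. The job definition starts above the hunk.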
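Review bot: `unmaintained = "none"` and `unsound = "none"` turn those advisory classes off completely, which goes further than the cargo-audit behaviour the comment says it emulates — cargo-audit, as I recall, still prints unmaintained and unsound advisories as warnings rather than hiding them. Unsound advisories describe memory-safety defects in dependencies, so keeping them visible without failing the job is the safer middle ground; the exact value that expresses that depends on the advisories schema of the pinned cargo-deny release, so check that release's docs rather than copying a level name from elsewhere. The file does not set `version = 2` under `[advisories]`, leaving the schema to the release default, and on the newer schema some of these lint-level keys may be treated as deprecated; pinning the version makes the accepted keys explicit and surfaces any mismatch at config-parse time. At minimum the comment should say this is a deliberate coverage reduction, e.g. `# Deliberately hides unmaintained/unsound advisories (cargo-audit parity); revisit if warnings are wanted.`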
From b981e64bee13301e3bd4f938f22b8446b679668c Mon Sep 17 00:00:00 2001
From: Adrian Cole
Date: Sat, 7 Feb 2026 09:06:20 +0800
Subject: [PATCH 2/2] feedback

Signed-off-by: Adrian Cole
---
 .github/workflows/{cargo-audit.yml => cargo-deny.yml} | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 rename .github/workflows/{cargo-audit.yml => cargo-deny.yml} (80%)

diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-deny.yml
similarity index 80%
rename from .github/workflows/cargo-audit.yml
rename to .github/workflows/cargo-deny.yml
index 38363653a3b4..5dfa1c924f3b 100644
--- a/.github/workflows/cargo-audit.yml
+++ b/.github/workflows/cargo-deny.yml
@@ -1,9 +1,9 @@
-name: "Cargo Audit"
+name: "Cargo Deny"
 on:
 push:
 paths:
 # Run if workflow changes
- - '.github/workflows/cargo-audit.yml'
+ - '.github/workflows/cargo-deny.yml'
 # Run on changed dependencies
 - '**/Cargo.toml'
 - '**/Cargo.lock'
@@ -16,13 +16,13 @@ on:
 workflow_dispatch:
 
 jobs:
- audit:
+ deny:
 runs-on: ubuntu-latest
 permissions:
 contents: read
 steps:
 - uses: actions/checkout@v4
- # https://github.com/EmbarkStudios/cargo-deny-action v2.0.15
+ # https://github.com/EmbarkStudios/cargo-deny-action v2.0.15
 - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979
 with:
 command: check advisories