diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml new file mode 100644 index 0000000..699f3b6 --- /dev/null +++ b/.github/workflows/audit.yml @@ -0,0 +1,51 @@ +# Weekly dependency vulnerability scan. +# +# This runs separately from check.yml so a newly published advisory +# surfaces as its own failing run (easy to spot, easy to track) +# without blocking unrelated PR work. Manually triggerable via +# workflow_dispatch for ad-hoc checks after dependency bumps. +name: audit + +on: + schedule: + # Mondays 06:00 UTC — early in the week so any advisory has the + # whole week to be triaged rather than landing on a Friday. + - cron: "0 6 * * 1" + workflow_dispatch: + +jobs: + cargo-audit: + name: cargo audit + runs-on: ubuntu-22.04 + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + + # rustsec/audit-check runs cargo-audit against the RustSec + # advisory DB. Fails the job on any unignored advisory. + - name: Run cargo audit + uses: rustsec/audit-check@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + npm-audit: + name: npm audit + runs-on: ubuntu-22.04 + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + + - name: Install Node + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: npm + + - name: Install JS deps + run: npm ci + + # --audit-level=high ignores low/moderate noise — we care about + # high and critical advisories, which are the ones that warrant + # an actual bump. + - name: Run npm audit + run: npm audit --audit-level=high