From 59209bd181b1e86ea8f26232bba9a88273e04c04 Mon Sep 17 00:00:00 2001 From: Jake Date: Tue, 21 Apr 2026 17:32:34 +0100 Subject: [PATCH] ci(audit): add weekly cargo-audit + npm-audit workflow Runs Mondays 06:00 UTC (plus workflow_dispatch) so any freshly published advisory surfaces as its own failing run rather than slipping into an unrelated PR's check.yml noise. npm audit is gated to --audit-level=high to skip the low/moderate chatter that doesn't warrant a bump. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/audit.yml | 51 +++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 .github/workflows/audit.yml diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml new file mode 100644 index 0000000..699f3b6 --- /dev/null +++ b/.github/workflows/audit.yml @@ -0,0 +1,51 @@ +# Weekly dependency vulnerability scan. +# +# This runs separately from check.yml so a newly published advisory +# surfaces as its own failing run (easy to spot, easy to track) +# without blocking unrelated PR work. Manually triggerable via +# workflow_dispatch for ad-hoc checks after dependency bumps. +name: audit + +on: + schedule: + # Mondays 06:00 UTC — early in the week so any advisory has the + # whole week to be triaged rather than landing on a Friday. + - cron: "0 6 * * 1" + workflow_dispatch: + +jobs: + cargo-audit: + name: cargo audit + runs-on: ubuntu-22.04 + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + + # rustsec/audit-check runs cargo-audit against the RustSec + # advisory DB. Fails the job on any unignored advisory. + - name: Run cargo audit + uses: rustsec/audit-check@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + npm-audit: + name: npm audit + runs-on: ubuntu-22.04 + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + + - name: Install Node + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: npm + + - name: Install JS deps + run: npm ci + + # --audit-level=high ignores low/moderate noise — we care about + # high and critical advisories, which are the ones that warrant + # an actual bump. + - name: Run npm audit + run: npm audit --audit-level=high