ci(audit): add weekly cargo-audit + npm-audit workflow
Runs Mondays 06:00 UTC (plus workflow_dispatch) so any freshly published advisory surfaces as its own failing run rather than slipping into an unrelated PR's check.yml noise. npm audit is gated to --audit-level=high to skip the low/moderate chatter that doesn't warrant a bump. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
51
.github/workflows/audit.yml
vendored
Normal file
51
.github/workflows/audit.yml
vendored
Normal file
@@ -0,0 +1,51 @@
|
|||||||
|
# Weekly dependency vulnerability scan.
|
||||||
|
#
|
||||||
|
# This runs separately from check.yml so a newly published advisory
|
||||||
|
# surfaces as its own failing run (easy to spot, easy to track)
|
||||||
|
# without blocking unrelated PR work. Manually triggerable via
|
||||||
|
# workflow_dispatch for ad-hoc checks after dependency bumps.
|
||||||
|
name: audit
|
||||||
|
|
||||||
|
on:
|
||||||
|
schedule:
|
||||||
|
# Mondays 06:00 UTC — early in the week so any advisory has the
|
||||||
|
# whole week to be triaged rather than landing on a Friday.
|
||||||
|
- cron: "0 6 * * 1"
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
cargo-audit:
|
||||||
|
name: cargo audit
|
||||||
|
runs-on: ubuntu-22.04
|
||||||
|
timeout-minutes: 10
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
# rustsec/audit-check runs cargo-audit against the RustSec
|
||||||
|
# advisory DB. Fails the job on any unignored advisory.
|
||||||
|
- name: Run cargo audit
|
||||||
|
uses: rustsec/audit-check@v2
|
||||||
|
with:
|
||||||
|
token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
|
npm-audit:
|
||||||
|
name: npm audit
|
||||||
|
runs-on: ubuntu-22.04
|
||||||
|
timeout-minutes: 10
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Install Node
|
||||||
|
uses: actions/setup-node@v4
|
||||||
|
with:
|
||||||
|
node-version: 20
|
||||||
|
cache: npm
|
||||||
|
|
||||||
|
- name: Install JS deps
|
||||||
|
run: npm ci
|
||||||
|
|
||||||
|
# --audit-level=high ignores low/moderate noise — we care about
|
||||||
|
# high and critical advisories, which are the ones that warrant
|
||||||
|
# an actual bump.
|
||||||
|
- name: Run npm audit
|
||||||
|
run: npm audit --audit-level=high
|
||||||
Reference in New Issue
Block a user