ci(audit): add weekly cargo-audit + npm-audit workflow
Runs Mondays 06:00 UTC (plus workflow_dispatch) so any freshly published advisory surfaces as its own failing run rather than slipping into an unrelated PR's check.yml noise. npm audit is gated to --audit-level=high to skip the low/moderate chatter that doesn't warrant a bump. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
51
.github/workflows/audit.yml
vendored
Normal file
51
.github/workflows/audit.yml
vendored
Normal file
@@ -0,0 +1,51 @@
|
||||
# Weekly dependency vulnerability scan.
|
||||
#
|
||||
# This runs separately from check.yml so a newly published advisory
|
||||
# surfaces as its own failing run (easy to spot, easy to track)
|
||||
# without blocking unrelated PR work. Manually triggerable via
|
||||
# workflow_dispatch for ad-hoc checks after dependency bumps.
|
||||
name: audit
|
||||
|
||||
on:
|
||||
schedule:
|
||||
# Mondays 06:00 UTC — early in the week so any advisory has the
|
||||
# whole week to be triaged rather than landing on a Friday.
|
||||
- cron: "0 6 * * 1"
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
cargo-audit:
|
||||
name: cargo audit
|
||||
runs-on: ubuntu-22.04
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
# rustsec/audit-check runs cargo-audit against the RustSec
|
||||
# advisory DB. Fails the job on any unignored advisory.
|
||||
- name: Run cargo audit
|
||||
uses: rustsec/audit-check@v2
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
npm-audit:
|
||||
name: npm audit
|
||||
runs-on: ubuntu-22.04
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Install Node
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20
|
||||
cache: npm
|
||||
|
||||
- name: Install JS deps
|
||||
run: npm ci
|
||||
|
||||
# --audit-level=high ignores low/moderate noise — we care about
|
||||
# high and critical advisories, which are the ones that warrant
|
||||
# an actual bump.
|
||||
- name: Run npm audit
|
||||
run: npm audit --audit-level=high
|
||||
Reference in New Issue
Block a user