# Weekly dependency vulnerability scan. # # This runs separately from check.yml so a newly published advisory # surfaces as its own failing run (easy to spot, easy to track) # without blocking unrelated PR work. Manually triggerable via # workflow_dispatch for ad-hoc checks after dependency bumps. name: audit on: schedule: # Mondays 06:00 UTC — early in the week so any advisory has the # whole week to be triaged rather than landing on a Friday. - cron: "0 6 * * 1" workflow_dispatch: jobs: cargo-audit: name: cargo audit runs-on: ubuntu-22.04 timeout-minutes: 10 steps: - uses: actions/checkout@v4 # rustsec/audit-check runs cargo-audit against the RustSec # advisory DB. Fails the job on any unignored advisory. - name: Run cargo audit uses: rustsec/audit-check@v2 with: token: ${{ secrets.GITHUB_TOKEN }} npm-audit: name: npm audit runs-on: ubuntu-22.04 timeout-minutes: 10 steps: - uses: actions/checkout@v4 - name: Install Node uses: actions/setup-node@v4 with: node-version: 20 cache: npm - name: Install JS deps run: npm ci # --audit-level=high ignores low/moderate noise — we care about # high and critical advisories, which are the ones that warrant # an actual bump. - name: Run npm audit run: npm audit --audit-level=high