chore(ci): Enforce cargo-deny in CI

We skip failure for advisories on the step, rather than the job, to not distract contributors in thinking they broke something as that bubbles up into the PR job summary.
rust-lang · Feb 24, 2023 · f08bcd9 · f08bcd9
1 parent aada2f3
commit f08bcd9
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,30 @@
+name: Security audit
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    paths:
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+  push:
+    branches:
+    - master
+
+jobs:
+  cargo_deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+    steps:
+    - uses: actions/checkout@v3
+    - uses: EmbarkStudios/cargo-deny-action@v1
+      # Prevent sudden announcement of a new advisory from failing ci:
+      continue-on-error: ${{ matrix.checks == 'advisories' }}
+      with:
+        command: check ${{ matrix.checks }}
+        rust-version: stable