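# Copyright 2024 RustFS Team
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Security Audit workflow: runs cargo-audit over the Cargo dependency tree
# and, for pull requests, GitHub's dependency review. Triggered by changes
# to Cargo manifests/lockfiles or to this file, weekly, and manually.
name: Security Audit

on:
  push:
    branches: [main]
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      - '.github/workflows/audit.yml'
  pull_request:
    branches: [main]
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      - '.github/workflows/audit.yml'
  schedule:
    - cron: '0 0 * * 0'  # Weekly on Sunday at midnight UTC
  workflow_dispatch:

# Least-privilege default token for every job; a job that needs more
# (dependency-review posts a PR comment) widens it locally.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

# Actions below are pinned to major-version tags. Pinning to a full commit
# SHA (`uses: owner/action@<commit-sha>`) is the stronger supply-chain
# control if the project wants to adopt it.
jobs:
  security-audit:
    name: Security Audit
    runs-on: ubicloud-standard-2
    timeout-minutes: 15
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Install cargo-audit
        uses: taiki-e/install-action@v2
        with:
          tool: cargo-audit

      # `shell: bash` makes GitHub invoke the script with `-o pipefail`, so a
      # non-zero exit from cargo-audit fails the step even though its output
      # is piped through tee. Under the default shell (bash -e, no pipefail)
      # the step would take tee's exit status and denied warnings would pass.
      - name: Run security audit
        shell: bash
        run: |
          cargo audit -D warnings --json | tee audit-results.json

      # always(): keep the JSON report when the audit fails, which is exactly
      # when it is needed.
      - name: Upload audit results
        if: always()
        uses: actions/upload-artifact@v6
        with:
          name: security-audit-results-${{ github.run_number }}
          path: audit-results.json
          retention-days: 30

  dependency-review:
    name: Dependency Review
    runs-on: ubicloud-standard-2
    # Bound the run like the audit job instead of the runner default.
    timeout-minutes: 10
    # Skipped outside pull requests; the job posts a PR comment.
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: write  # required for comment-summary-in-pr
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
          comment-summary-in-pr: true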