
ci: cargo-audit + cargo-deny + cargo-machete on every PR (+ daily audit cron)#400

Merged
BryanFRD merged 3 commits into main from ci/cargo-security-jobs
Apr 29, 2026

Conversation

@BryanFRD (Contributor)

Summary

Closes the security/quality gap on the Rust pipeline. Existing CI already covers fmt + clippy + tests + tarpaulin coverage; this adds the supply-chain layer:

  • `cargo audit` — RustSec advisory database check on every PR. Fails on any open advisory (warnings denied).
  • `cargo deny` — license allowlist + banned crates + duplicate detection + source pinning (only crates.io). Config in `deny.toml` at the repo root.
  • `cargo machete` — flags unused dependencies declared in `Cargo.toml`.

Plus a separate daily audit workflow (`.github/workflows/audit.yml`) that runs `rustsec/audit-check` on cron. When a new advisory is published for a dependency we already use, this opens a GitHub issue automatically — no waiting for the next PR to find out.

Why a separate audit cron

`cargo audit` in the PR pipeline catches advisories at code-change time. The cron catches advisories that are published between PRs (e.g. an OpenSSL CVE drops on a Tuesday but no one opens a PR until Friday). The two are complementary, both free.

What's NOT changed

  • Release pipeline (`needs: [test, fixture-*, benchmark]`) deliberately doesn't gate on the new `security` job. A new RustSec advisory should not block shipping a release that's otherwise green — it should open an issue and force a follow-up. The existing `test` gate (which still runs clippy) ensures code quality on every release.
  • No changes to clippy, fmt, tarpaulin, or coverage upload.

Test plan

  • CI's new `security` job passes on this PR (signals deny.toml is permissive enough for the current tree)
  • If `cargo deny` fails, adjust the licenses allowlist or add specific `skip` entries for known duplicates and re-run
  • After merge, the daily cron triggers (visible in Actions tab) and produces no new issues unless there's an actual advisory

Follow-up (other Rust repos)

Same pattern applies to `Kit`, `FerrLabs-Cloud/api`, `FerrTrack-Cloud/api`, `FerrAgents/api`. Worth replicating once this lands and the deny.toml proves stable here.
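The PR description lists what the `deny.toml` policy covers (license allowlist, banned crates, duplicate detection, crates.io-only sources) but the file itself is not shown in the thread. The following is an added example of a `deny.toml` that implements that policy using the documented `cargo-deny` sections; it is not the file from this PR. The license allowlist, the banned crate (`openssl`) and the `skip` entry (`syn@1`) are assumed illustrative values, not values taken from the repository.

```toml
# Example deny.toml (added illustration, not the repository's own file).
# Run with: cargo deny check   (checks advisories, licenses, bans, sources)

[advisories]
# Config schema v2: any advisory matching the RustSec database fails the check.
version = 2
db-urls = ["https://github.com/rustsec/advisory-db"]
# Refuse crates that were yanked from the registry.
yanked = "deny"
# Advisory IDs listed here are tolerated; keep this empty unless a risk
# has been reviewed and the reason is documented next to the entry.
ignore = []

[licenses]
version = 2
# Allowlist only: any crate whose license is not listed fails the check.
# Assumed set for illustration; adjust to the project's actual policy.
allow = [
  "MIT",
  "Apache-2.0",
  "BSD-2-Clause",
  "BSD-3-Clause",
  "ISC",
]
# Minimum confidence for license detection from crate metadata/LICENSE files.
confidence-threshold = 0.8

[bans]
# Duplicate detection: two versions of the same crate in the graph is an error.
multiple-versions = "deny"
# Wildcard version requirements ("*") bypass pinning; reject them.
wildcards = "deny"
# Banned crates (assumed example: prefer a pure-Rust TLS stack over openssl).
deny = [
  { crate = "openssl", reason = "example policy: use rustls instead" },
]
# Known, accepted duplicates (assumed example); this is where the PR's
# "add specific skip entries for known duplicates" step lands.
skip = [
  { crate = "syn@1", reason = "example: transitive dependency still on syn 1.x" },
]

[sources]
# Source pinning: only the crates.io index is an acceptable origin.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
```

The policy is allowlist-shaped on purpose: a new transitive dependency with an unlisted license, a second version of an existing crate, or a git-sourced dependency all fail `cargo deny check` by default, and each exception has to be written into the file with a reason, which is what keeps the decision reviewable in a PR diff.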


@github-actions github-actions Bot left a comment


Benchmark

Details
Benchmark suite              | Current: b7ae51a        | Previous: 0b5fe57 | Ratio
git_collect_tags/single_tag  | 47038 ns/iter (± 422)   |                   |

This comment was automatically generated by workflow using github-action-benchmark.

@BryanFRD BryanFRD force-pushed the ci/cargo-security-jobs branch from 2a9668b to c1973ea on April 29, 2026 10:45
@BryanFRD BryanFRD force-pushed the ci/cargo-security-jobs branch from 16d1b35 to b7ae51a on April 29, 2026 11:55
@BryanFRD BryanFRD merged commit 7afe53f into main Apr 29, 2026
30 checks passed
@BryanFRD BryanFRD deleted the ci/cargo-security-jobs branch April 29, 2026 12:00

1 participant