fix(audit): replace archived actions-rs/audit-check with rustsec fork #29
Open
littledino2112 wants to merge 1 commit into
The Rust audit GitHub workflow used actions-rs/audit-check@v1. The actions-rs org was archived in 2021; the action ships a pinned, stale cargo-audit + advisory-db, so it silently misses newly-published advisories.

This drifted from the Concourse `cargo audit` job, which pulls the latest RustSec advisory-db at run time — e.g. the postgres DoS advisories published 2026-06-12 (RUSTSEC-2026-0178/0179/0180) passed the GitHub check but failed Concourse.

Swap to the maintained rustsec/audit-check@v2 fork (drop-in, same `token` input) so both CIs audit against the same fresh advisory-db.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem

The synced Rust audit workflow (`shared/actions/rust-audit.yml`) uses `actions-rs/audit-check@v1`. The `actions-rs` org was archived in 2021 — the action bundles a pinned, stale `cargo-audit` + advisory database, so it silently misses newly-published advisories.

This drifted from the Concourse `cargo audit` job (`make audit-code`), which pulls the latest RustSec advisory-db at run time. Concrete recent example in `blink-card`: the postgres DoS advisories published 2026-06-12 (RUSTSEC-2026-0178 / -0179 / -0180) passed the GitHub "Audit" check but failed Concourse — false-green on GitHub.

Change

Swap to the maintained fork `rustsec/audit-check@v2`. It's a drop-in replacement (same `token:` input) that runs current `cargo-audit` against a freshly-pulled advisory-db, so the GitHub check and the Concourse job audit against the same data.

Blast radius

This file auto-syncs into every Rust repo's `.github/workflows/audit.yml` (+ `vendor/rust-audit.yml`), so all of them pick up the maintained action on next sync. Behaviour is unchanged except that fresh advisories are now actually caught.

Follow-up (not in this PR)

`actions/checkout@v3` here (and in the other shared workflows: `check-code.yml`, `spelling.yml`) runs on the deprecated Node 16 runtime and should be bumped to `@v4` repo-wide — left out to keep this PR scoped to the audit drift.

🤖 Generated with Claude Code
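For reference, here is what a workflow with the stale action beside the maintained one looks like. This is an added illustration, not the repository's `shared/actions/rust-audit.yml` and not the diff of this PR: the only details the PR confirms are the two action names and the shared `token:` input. The job name, triggers, runner, the `paths` filters, the scheduled run and the `actions/checkout@v4` bump are assumptions for the example.

```yaml
# Added example of the swap, not the project's own shared/actions/rust-audit.yml.
# Assumed for illustration: workflow name, triggers, paths filters, runner, and
# the checkout bump to @v4 (the PR leaves checkout on @v3 as a follow-up).
name: Audit

on:
  push:
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"
  pull_request:
    paths:
      - "**/Cargo.toml"
      - "**/Cargo.lock"
  # Assumed: a daily run, so an advisory published while no code changes land
  # still turns the default branch red instead of waiting for the next push.
  schedule:
    - cron: "0 6 * * *"

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Before: archived org, bundled cargo-audit and advisory-db frozen at the
      # action's last release, so advisories published since are never seen.
      # - uses: actions-rs/audit-check@v1
      #   with:
      #     token: ${{ secrets.GITHUB_TOKEN }}

      # After: maintained fork, same `token:` input, current cargo-audit run
      # against an advisory-db fetched at job time.
      - uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

One practitioner caveat the PR does not address: `@v2` is a floating tag, so the action's code can change under the workflow without a diff in this repo. Pinning the `uses:` reference to a full commit SHA (with the tag kept in a trailing comment for readability) and letting a dependency-update bot move it keeps the supply-chain exposure of the audit job itself explicit; the advisory-db it downloads stays fresh either way.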