Skip to content

CI: Add cargo-audit workflow#557

Open
tnull wants to merge 2 commits intorust-bitcoin:masterfrom
tnull:2026-04-audit-ci
Open

CI: Add cargo-audit workflow#557
tnull wants to merge 2 commits intorust-bitcoin:masterfrom
tnull:2026-04-audit-ci

Conversation

@tnull
Copy link
Copy Markdown
Collaborator

@tnull tnull commented Apr 17, 2026

Run security audits against all three checked-in lock files using the official rustsec/audit-check action. Triggers on push, PRs, and daily via cron to catch newly published advisories.

Co-Authored-By: HAL 9000

@tnull
CI: Add cargo-audit workflow
60aa27a 
Run security audits against all three checked-in lock files using the
official rustsec/audit-check action. Triggers on push, PRs, and daily
via cron to catch newly published advisories.

Co-Authored-By: HAL 9000
Signed-off-by: Elias Rohrer <dev@tnull.de>
@tnull tnull requested a review from tcharding as a code owner April 17, 2026 09:35
@tnull
Bump bytes, rand, and tar to fix cargo-audit findings
2e56f00 
Addresses RUSTSEC-2026-0007 (bytes), RUSTSEC-2026-0067/0068 (tar),
and RUSTSEC-2026-0097 (rand).

Co-Authored-By: HAL 9000
@tnull
Copy link
Copy Markdown
Collaborator Author

tnull commented Apr 17, 2026

Also bumped some dependencies, rest should be done in #556 or #536.

@tnull tnull mentioned this pull request Apr 17, 2026
Merged
luisschwab
luisschwab approved these changes Apr 17, 2026
View reviewed changes
Copy link
Copy Markdown

@luisschwab luisschwab left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 2e56f00

@luisschwab
Copy link
Copy Markdown

luisschwab commented Apr 17, 2026

cc @satsfy

satsfy
satsfy reviewed Apr 17, 2026
View reviewed changes
Comment thread .github/workflows/audit.yml
strategy:
fail-fast: false
matrix:
lockfile: [Cargo.lock, Cargo-minimal.lock, Cargo-recent.lock]
Copy link
Copy Markdown
Contributor

@satsfy satsfy Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is Cargo.lock part of the matrix?

Copy link
Copy Markdown
Member

@tcharding tcharding Apr 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

against all three checked-in lock files

Yeah there should only be two. Did I commit one in electrsd accidentally or something?

@tcharding
Copy link
Copy Markdown
Member

tcharding commented Apr 18, 2026

As it stands no-one is ever going to look at the auction run (well I definitely won't remember to do it). Can we have the action raise an issue if there are warnings? Or is that going to be too noisy? I don't have a lot of experience with cargo audit. (We do this already in rust-bitcoin for mutation testing when zombies survive.)

@luisschwab
Copy link
Copy Markdown

luisschwab commented Apr 18, 2026

The GitHub bot will usually open an issue when there is a new RUSTSEC (see bitcoindevkit/bdk#2178).

@tcharding
Copy link
Copy Markdown
Member

tcharding commented Apr 18, 2026
edited
Loading

Does that bot hit projects to use cargo audit?

@luisschwab
Copy link
Copy Markdown

luisschwab commented Apr 18, 2026

Actually, I think we need to use the actions-rust-lang/audit action for it to open issues. On my personal repos I only use the bare cargo audit and it does not open any issues there.

This is bdk's audit job:

name: Audit

on:
  push:
    paths:
      # Run if workflow changes
      - '.github/workflows/audit.yml'
      # Run on changed dependencies
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      # Run if the configuration file changes
      - '**/audit.toml'
  # Rerun periodically to pick up new advisories
  schedule:
    - cron: '0 0 * * *' # Nightly
  # Run manually
  workflow_dispatch:

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions-rust-lang/audit@v1
        name: Audit Rust Dependencies

I could be talking out of my ass, I'm not certain about this.

@tcharding
Copy link
Copy Markdown
Member

tcharding commented Apr 18, 2026

Sounds legit :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tcharding tcharding Awaiting requested review from tcharding tcharding is a code owner

2 more reviewers

@satsfy satsfy satsfy left review comments

@luisschwab luisschwab luisschwab approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tnull @luisschwab @tcharding @satsfy