From 2580b1400ad69ea103d0e972632537bce5996a5c Mon Sep 17 00:00:00 2001 From: PythonGermany <97847597+PythonGermany@users.noreply.github.com> Date: Sat, 22 Feb 2025 17:27:20 +0100 Subject: [PATCH 1/4] Add example showing how to use prebuilt binary --- README.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/README.md b/README.md index 538bc0d..2c3111f 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,32 @@ Note that informational advisories are not affecting the check status. ![Check screenshot](.github/check_screenshot.png) +### Use prebuilt binary + +To furter speed up the CI pipeline the action [taiki-e/install-action](https://github.com/marketplace/actions/install-development-tools) can be used. This will save time by using a prebuilt binary from cargo-audit's [release](https://github.com/rustsec/rustsec/releases) page instead of installing it from source each time this action is triggered. + +```yaml +name: Security audit +on: + push: + paths: + - '**/Cargo.toml' + - '**/Cargo.lock' +jobs: + security_audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: taiki-e/install-action@v2 + with: + tool: cargo-audit + fallback: none + - uses: rustsec/audit-check@v1.4.1 + with: + token: ${{ secrets.GITHUB_TOKEN }} +``` + + #### Granular Permissions These are the typically used permissions: From ad7e2d2567f44d3a6be656a038e4062071d4d6b7 Mon Sep 17 00:00:00 2001 From: PythonGermany <97847597+PythonGermany@users.noreply.github.com> Date: Sat, 22 Feb 2025 19:31:52 +0100 Subject: [PATCH 2/4] Cache binary after building from source --- README.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 2c3111f..7d5ff6a 100644 --- a/README.md +++ b/README.md 
@@ -43,9 +43,9 @@ Note that informational advisories are not affecting the check status. ![Check screenshot](.github/check_screenshot.png) -### Use prebuilt binary +## Cache prebuilt binary -To furter speed up the CI pipeline the action [taiki-e/install-action](https://github.com/marketplace/actions/install-development-tools) can be used. This will save time by using a prebuilt binary from cargo-audit's [release](https://github.com/rustsec/rustsec/releases) page instead of installing it from source each time this action is triggered. +To further speed up the CI pipeline the binary can be cached after it has been build: ```yaml name: Security audit @@ -59,16 +59,15 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: taiki-e/install-action@v2 + - uses: actions/cache@v4 with: - tool: cargo-audit - fallback: none - - uses: rustsec/audit-check@v1.4.1 + path: ~/.cargo/bin/cargo-audit + key: ${{ runner.os }}-cargo-audit + - uses: rustsec/audit-check@v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} ``` - #### Granular Permissions These are the typically used permissions: From cc7bbdd783915f8dd5e27c7950f60e942c85ef68 Mon Sep 17 00:00:00 2001 From: PythonGermany <97847597+PythonGermany@users.noreply.github.com> Date: Sat, 22 Feb 2025 19:37:46 +0100 Subject: [PATCH 3/4] Move new section --- README.md | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 7d5ff6a..b438906 100644 --- a/README.md +++ b/README.md 
@@ -43,31 +43,6 @@ Note that informational advisories are not affecting the check status. ![Check screenshot](.github/check_screenshot.png) -## Cache prebuilt binary - -To further speed up the CI pipeline the binary can be cached after it has been build: - -```yaml -name: Security audit -on: - push: - paths: - - '**/Cargo.toml' - - '**/Cargo.lock' -jobs: - security_audit: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions/cache@v4 - with: - path: ~/.cargo/bin/cargo-audit - key: ${{ runner.os }}-cargo-audit - - uses: rustsec/audit-check@v2.0.0 - with: - token: ${{ secrets.GITHUB_TOKEN }} -``` - #### Granular Permissions These are the typically used permissions: @@ -97,6 +72,31 @@ see [actions-rs/clippy-check#2](https://github.com/actions-rs/clippy-check/issue As a fallback this Action will output all found advisories to the stdout.\ It is expected that this behavior will be fixed later by GitHub. +### Cache prebuilt binary + +To further speed up the CI pipeline the binary can be cached after it has been build: + +```yaml +name: Security audit +on: + push: + paths: + - '**/Cargo.toml' + - '**/Cargo.lock' +jobs: + security_audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/cache@v4 + with: + path: ~/.cargo/bin/cargo-audit + key: ${{ runner.os }}-cargo-audit + - uses: rustsec/audit-check@v2.0.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} +``` + ## Scheduled audit Another option is to use [`schedule`](https://help.github.com/en/articles/events-that-trigger-workflows#scheduled-events-schedule) event From 9e425f529e6cdd4a8c523b2a2b7932fca24e6ebb Mon Sep 17 00:00:00 2001 From: PythonGermany <97847597+PythonGermany@users.noreply.github.com> Date: Sun, 23 Feb 2025 11:08:47 +0100 Subject: [PATCH 4/4] Fix typo Co-authored-by: Tony Arcieri --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b438906..fa667b8 100644 --- a/README.md +++ b/README.md 
@@ -74,7 +74,7 @@ It is expected that this behavior will be fixed later by GitHub. ### Cache prebuilt binary -To further speed up the CI pipeline the binary can be cached after it has been build: +To further speed up the CI pipeline the binary can be cached after it has been built: ```yaml name: Security audit
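Review bot: in the PATCH 1/4 hunk (README.md @@ -43,6 +43,32), the new `### Use prebuilt binary` heading is inserted directly above the existing `#### Granular Permissions` heading, so the permissions subsection now renders as a child of the new caching section rather than of the section it belonged to; either place the new section after the permissions text or give it the same nesting level as its neighbours. The same hunk has a typo ("furter" for "further") in the lead sentence, and the example pins `rustsec/audit-check@v1.4.1` although the rest of the series settles on `@v2.0.0`; the two examples in the README should reference one version so readers do not copy a stale one.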
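Review bot: in the PATCH 2/4 hunk (README.md @@ -59,16 +59,15), the cache key `key: ${{ runner.os }}-cargo-audit` carries no version component, so once the cache entry exists the same `cargo-audit` binary is restored on every run and a newer release of the auditing tool is never installed; include the cargo-audit version (or a date) in the key, e.g. `key: ${{ runner.os }}-cargo-audit-<version>`, so that bumping it forces a rebuild. The text should also state that `rustsec/audit-check@v2.0.0` reuses an already-present `~/.cargo/bin/cargo-audit` instead of reinstalling it, since the cache step saves nothing otherwise. Separately, the first hunk of this patch (@@ -43,9 +43,9) promotes the heading to `## Cache prebuilt binary` while the sibling headings stay at `###`/`####`, and "after it has been build" should read "built" (fixed in PATCH 4/4).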
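Review bot: in the PATCH 3/4 hunk (README.md @@ -97,6 +72,31), the moved section is a `###` subsection placed directly after the paragraph about the stdout fallback ("It is expected that this behavior will be fixed later by GitHub.") and immediately before `## Scheduled audit`; as a `###` it becomes a child of whatever `##` section that fallback paragraph belongs to, although its content is an alternative setup option like the scheduled-audit section that follows it. Consider making it `## Cache prebuilt binary` at the same level as `## Scheduled audit`, or adding a sentence to its lead paragraph explaining how it relates to the preceding section.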