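---
# Security workflow: dependency advisories (cargo-audit), license / source /
# advisory policy (cargo-deny) and CodeQL static analysis for a Rust workspace.
name: Security Audit

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1" # Weekly on Monday 06:00 UTC

# One in-flight run per PR (or per ref for push/schedule). Note that a push to
# main and the weekly schedule share the group "security-refs/heads/main", so a
# push can cancel an in-progress scheduled run; the push run covers the same
# checks, so nothing is lost.
concurrency:
  group: security-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Least privilege for the default GITHUB_TOKEN. The previous version declared
# `security-events` and `actions` twice; duplicate mapping keys are rejected by
# GitHub's workflow parser, so each key is listed once here.
permissions:
  contents: read          # checkout
  security-events: write  # CodeQL SARIF upload
  actions: read           # CodeQL needs this on private repositories

env:
  CARGO_TERM_COLOR: always

jobs:
  audit:
    name: Security Audit
    runs-on: blacksmith-2vcpu-ubuntu-2404
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
      # --locked keeps the tool's own dependency tree reproducible; the explicit
      # version avoids silently picking up a new cargo-audit release.
      - name: Install cargo-audit
        run: cargo install --locked cargo-audit --version 0.22.1
      - name: Run cargo-audit
        run: cargo audit

  deny:
    name: License & Supply Chain
    runs-on: blacksmith-2vcpu-ubuntu-2404
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2
        with:
          # `bans` is intentionally not run here; add it once a deny.toml
          # bans policy exists.
          command: check advisories licenses sources

  codeql:
    name: CodeQL Analysis
    runs-on: blacksmith-2vcpu-ubuntu-2404
    timeout-minutes: 30
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      # TODO(supply-chain): pin github/codeql-action to a commit SHA like the
      # other actions in this file; a moving `v4` tag is a mutable reference.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: rust
      # Pinned to the same commit the audit job uses (previously `@stable`,
      # a mutable branch ref).
      - name: Set up Rust
        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
      # Build all targets so CodeQL's tracing sees tests, benches and examples.
      - name: Build
        run: cargo build --workspace --all-targets
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4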