From 4ed4c73d6b071232cd6ea67170b6d6a2e382d1fa Mon Sep 17 00:00:00 2001
From: Josh McKinney
Date: Mon, 24 Nov 2025 12:20:55 -0800
Subject: [PATCH] chore(ci): add cargo audit workflow and policy (#7108)

- add to ignore current unmaintained advisories (derivative, fxhash, paste) so audits gate new issues only
- introduce GitHub Actions workflow to run on push/PR using to install cargo-audit

Existing advisories (all "unmaintained"):
- https://rustsec.org/advisories/RUSTSEC-2024-0388
- https://rustsec.org/advisories/RUSTSEC-2025-0057
- https://rustsec.org/advisories/RUSTSEC-2024-0436
---
 codex-rs/.cargo/audit.toml | 6 +++++
 codex-rs/.github/workflows/cargo-audit.yml | 26 ++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 codex-rs/.cargo/audit.toml
 create mode 100644 codex-rs/.github/workflows/cargo-audit.yml

diff --git a/codex-rs/.cargo/audit.toml b/codex-rs/.cargo/audit.toml
new file mode 100644
index 0000000000..143e64163a
--- /dev/null
+++ b/codex-rs/.cargo/audit.toml
@@ -0,0 +1,6 @@
+[advisories]
+ignore = [
+ "RUSTSEC-2024-0388", # derivative 2.2.0 via starlark; upstream crate is unmaintained
+ "RUSTSEC-2025-0057", # fxhash 0.2.1 via starlark_map; upstream crate is unmaintained
+ "RUSTSEC-2024-0436", # paste 1.0.15 via starlark/ratatui; upstream crate is unmaintained
+]
diff --git a/codex-rs/.github/workflows/cargo-audit.yml b/codex-rs/.github/workflows/cargo-audit.yml
new file mode 100644
index 0000000000..e75c841ab4
--- /dev/null
+++ b/codex-rs/.github/workflows/cargo-audit.yml
@@ -0,0 +1,26 @@
+name: Cargo audit
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ audit:
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: codex-rs
+ steps:
+ - uses: actions/checkout@v4
+ - uses: dtolnay/rust-toolchain@stable
+ - name: Install cargo-audit
+ uses: taiki-e/install-action@v2
+ with:
+ tool: cargo-audit
+ - name: Run cargo audit
+ run: cargo audit --deny warnings
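Review bot: The three ignore entries in the `[advisories]` block carry no revisit condition, so the suppressions will outlive the transitive dependencies that justify them; each comment already names the path (starlark, starlark_map, ratatui), so a line at the top of the list such as `# Re-check this list whenever starlark or ratatui is bumped; drop any entry whose path no longer exists` gives maintainers the trigger. Ignoring by advisory ID is the right scope here: a future vulnerability in derivative, fxhash or paste would be published under a new RUSTSEC ID and would still fail the gate. As far as I can tell cargo-audit looks for `.cargo/audit.toml` relative to the current directory, which lines up with the workflow's `working-directory: codex-rs`, so the file location is consistent with the job as written.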
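Review bot: The workflow is added at codex-rs/.github/workflows/cargo-audit.yml, but GitHub Actions only loads workflows from .github/workflows/ at the repository root, so unless codex-rs is itself the repository root (the `working-directory: codex-rs` default suggests it is not) this job will never run and the audit gate is a no-op; moving the file to `.github/workflows/cargo-audit.yml` at the root keeps the `working-directory` setting meaningful. Advisories are published against dependencies that have not changed, so a `schedule:` trigger (for example `- cron: "0 6 * * *"`, a constructed sample) next to `pull_request` and `push` is what lets the gate catch new RUSTSEC entries between code changes rather than only when someone opens a PR. For a job whose purpose is dependency hygiene, `actions/checkout@v4`, `dtolnay/rust-toolchain@stable` and `taiki-e/install-action@v2` are floating tags; pinning each to a full commit SHA with the tag kept in a trailing comment is the usual hardening for third-party actions. The `permissions: contents: read` scope is appropriate for a read-only audit and should stay as is.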