fix(ci): resolve security audit job failure #44
…and ignore paste advisory
Co-authored-by: bashandbone <89049923+bashandbone@users.noreply.github.com>
Agent-Logs-Url: https://github.com/bashandbone/submod/sessions/c20905af-2852-47a7-9a49-a6f428e19086
Pull request overview
Fixes the failing Security Audit CI job by granting the minimal GitHub token permissions needed for rustsec/audit-check to publish Check Run annotations, and suppressing a newly surfaced RustSec advisory that has no available patched version.
Changes:
- Add job-level permissions (checks: write, contents: read) to the security_audit job to resolve "Resource not accessible by integration".
- Ignore RUSTSEC-2024-0436 in the rustsec/audit-check workflow configuration and in deny.toml.
- Switch security_audit's actions/checkout usage to @v4.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/ci.yml | Grants required token permissions for audit annotations and updates the audit ignore list used by the CI security audit job. |
| deny.toml | Keeps cargo-deny advisory handling aligned with CI by ignoring RUSTSEC-2024-0436 with rationale. |
.github/workflows/ci.yml
| - uses: actions/checkout@v4 | ||
| - uses: rustsec/audit-check@v1.4.1 |
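Review bot: both actions in this hunk are pinned to mutable tags (`actions/checkout@v4`, `rustsec/audit-check@v1.4.1`), and this job is the one being granted checks: write; consider pinning to full commit SHAs (keeping the version as a trailing comment) so a retagged release cannot change the code that runs with that token.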
This workflow still contains other actions/checkout@v6 usages (e.g., the coverage job later in this same file). If the intent is to standardize on v4 (as in test and security_audit), update those remaining occurrences as well to avoid inconsistent behavior across jobs (and potential failures if the major version differs).
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| ignore: RUSTSEC-2024-0364 | ||
| ignore: RUSTSEC-2024-0364,RUSTSEC-2024-0436 |
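Review bot: the grown ignore list on `ignore: RUSTSEC-2024-0364,RUSTSEC-2024-0436` carries no rationale here, while the description says deny.toml gets one; add a YAML comment beside this line stating why each advisory is suppressed and the condition for removing it (a patched release of the affected crate), so the suppression is reviewed together with its justification and the workflow, deny.toml and audit.toml lists do not drift apart silently.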
rustsec/audit-check is configured to ignore RUSTSEC-2024-0436 here, but the repo also has an audit.toml (used for cargo audit) that currently only ignores RUSTSEC-2024-0364. Consider adding RUSTSEC-2024-0436 to audit.toml too so local cargo audit runs and any future CI usage of the config file stay consistent with this workflow ignore list.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
The Security Audit CI job was failing with "Resource not accessible by integration" because rustsec/audit-check@v1.4.1 needs checks: write to post Check Run annotations — the job had no permissions block. Additionally, RUSTSEC-2024-0436 (paste unmaintained) was surfacing as an unhandled advisory.

Changes
- .github/workflows/ci.yml
  - permissions: checks: write + contents: read to security_audit job
  - RUSTSEC-2024-0436 to rustsec/audit-check ignore list
  - actions/checkout to @v4 (was @v6, inconsistent with rest of workflow)
- deny.toml
  - RUSTSEC-2024-0436 to [advisories] ignore with rationale comment

paste is an informational-only (unmaintained, no CVE) transitive dep via gix → curl-sys → rustls-ffi → macro_rules_attribute → paste. No patched version exists; ignoring is appropriate.
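As an added example, not the repository's own ci.yml, the job layout the description calls for: the failing shape (no permissions block) next to the least-privilege version, extended with a workflow-wide read-only default. The workflow name, runner and the top-level default are assumptions; the action versions and inputs are the ones named above.

```yaml
# Added example, not the project's ci.yml. Shows the least-privilege layout
# the PR describes: read-only default for every job, and only the audit job
# elevated to checks: write.

name: ci

# Assumed: workflow-wide default. Jobs that need more must opt in below.
permissions:
  contents: read

jobs:
  # BEFORE (failing): with no permissions block the GITHUB_TOKEN handed to
  # rustsec/audit-check cannot create a Check Run, so the action fails with
  # "Resource not accessible by integration".
  #
  # security_audit:
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v4
  #     - uses: rustsec/audit-check@v1.4.1
  #       with:
  #         token: ${{ secrets.GITHUB_TOKEN }}

  # AFTER: permissions scoped to exactly what the action needs.
  security_audit:
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one rather than merging
    # with it, so contents: read must be re-declared here.
    permissions:
      checks: write    # create/update the Check Run that carries annotations
      contents: read   # clone the repo and read Cargo.lock
    steps:
      - uses: actions/checkout@v4
      - uses: rustsec/audit-check@v1.4.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # Rationale sits beside the suppression so it is reviewed with it.
          # RUSTSEC-2024-0436: paste is unmaintained (informational, no CVE),
          # reached only transitively; no patched version exists yet.
          ignore: RUSTSEC-2024-0364,RUSTSEC-2024-0436
```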