Add cargo vet for auditing dependencies and SIP #1023
Signed-off-by: Radu Matei <radu.matei@fermyon.com>
Signed-off-by: Radu Matei <radu.matei@fermyon.com>
Co-authored-by: Vaughn Dice <vaughn.dice@fermyon.com>
Signed-off-by: Radu Matei <radu@matei.ai>
name: Run Rust audits | ||
on: | ||
schedule: | ||
- cron: '0 0 * * *' |
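Review bot: with `schedule` as the only trigger, a failing nightly audit shows up solely as a red run in the Actions tab, so nobody is notified unless they happen to watch it. Consider adding `workflow_dispatch:` under `on:` so a maintainer can re-run the audit on demand after fixing or recording an audit, and a final step gated on `if: failure()` that opens or updates a tracking issue; that also gives a concrete answer to the question raised in the thread about what happens when an audit fails. Note too that GitHub disables scheduled workflows in a public repository after 60 days without activity, so a manual trigger is useful as a fallback.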
Looks like this runs nightly. What happens if an audit fails? Does a GitHub issue get opened up?
From #1023 (comment)
The main reason it's not on PRs is that we should only trust an audit coming from a maintainer, not from someone submitting a PR.
Ideally, when maintainers would submit a PR, any changes in dependencies would be included in the PR. But that should not be the case with non-maintainers — hence running this every day, and maintainers should ensure the check is passing.
rendered SIP — https://github.com/radu-matei/spin/blob/cargo-vet/docs/content/sips/009-auditing-third-party-dependencies.md
The main question I have for this PR is: should it be expanded to support `cargo audit` or `cargo deny` as well?

The reason I felt this one should be a SIP is because it involves a new process from maintainers, whereas `cargo audit` or `cargo deny`, while extremely useful, are mostly automated checks.

Happy to amend the SIP and include them if we think adding them together makes more sense.
Signed-off-by: Radu Matei radu.matei@fermyon.com