Merge pull request #2902 from input-output-hk/audit-workflow

Move security audit workflow from CircleCI to GitHub Actions
input-output-hk · Jan 11, 2021 · 63cf127 · 63cf127
2 parents 3d51b65 + 6df4954
commit 63cf127
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 39 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -51,42 +51,6 @@ jobs:
           paths:
             - .circleci/crates.io-index.head
 
-  cargo_audit:
-    executor: rust-stable
-    steps:
-      - checkout
-      - attach_workspace:
-          at: .
-      - restore_cache:
-          name: Restore cargo registry index from cache
-          keys:
-            - cargo-index-v1-{{ checksum ".circleci/crates.io-index.head" }}
-      - run:
-          name: Get top commit hash of RustSec advisory database
-          command: |
-            git ls-remote --heads https://github.com/RustSec/advisory-db.git master |
-              cut -f 1 | tee .circleci/advisory-db.head
-      - restore_cache:
-          name: Restore advisory database from cache
-          keys:
-            - cargo-advisory-db-v2-{{ checksum ".circleci/advisory-db.head" }}
-            - cargo-advisory-db-v2-
-      - run:
-          name: Print Cargo Audit Version
-          command: cargo audit --version
-      - run:
-          name: Check Cargo Audit
-          command: |
-            cargo audit
-            git -C /usr/local/cargo/advisory-db \
-                show-ref -s refs/remotes/origin/master \
-              > .circleci/advisory-db.head
-      - save_cache:
-          name: Save advisory database into cache
-          key: cargo-advisory-db-v2-{{ checksum ".circleci/advisory-db.head" }}
-          paths:
-            - /usr/local/cargo/advisory-db
-
   test_debug:
     executor: rust-stable
     environment:
@@ -160,9 +124,6 @@ workflows:
   test_all:
     jobs:
       - cargo_fetch
-      - cargo_audit:
-          requires:
-            - cargo_fetch
       - test_debug:
           requires:
             - cargo_fetch
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,30 @@
+name: Security audit
+on:
+  push:
+    paths:
+      - Cargo.lock
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - id: ls-crates-io-index
+        name: Get head commit hash of crates.io registry index
+        run: |
+          commit=$(
+            git ls-remote --heads https://github.com/rust-lang/crates.io-index.git master |
+            cut -f 1
+          )
+          echo "::set-output name=head::$commit"
+      - name: Cache cargo registry index
+        uses: actions/cache@v2
+        with:
+          path: ~/.cargo/registry/index
+          key: cargo-index-${{ steps.ls-crates-io-index.outputs.head }}
+          restore-keys: |
+            cargo-index-
+
+      - uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}