audit-check
Support auditing changes only in a PR
Do the checklist before filing an issue:
- [x] Is this related to the actions-rs Actions? If you think it's a problem related to GitHub Actions in general, use the GitHub Community forum instead: https://github.community
- [x] You've read the Contributing section about feature requests: https://github.com/actions-rs/.github/blob/master/CONTRIBUTING.md#feature-requests
- [ ] Is this something you can debug and fix? Send a pull request! Bug fixes and documentation fixes are welcome.
Motivation
onefetch currently has many PRs that are failing due to the audit check (discussed in o2sh/onefetch#534). However, these PRs are not introducing dependencies with audit findings. The PRs should probably pass, as the audit findings aren't caused by the PRs themselves, but by the existing dependencies in the main branch that the PRs branched off of.
Workflow example
I would assume that, depending on how this is implemented, it would require a fetch depth of at least 2 to be able to compare with the previous commit, although more commits would have to be fetched for multi-commit PRs.
```yaml
name: Security audit
on:
  pull_request:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
jobs:
  security_audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0 # fetch all commits (if needed, depends on implementation)
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          diff-only: true
```
Additional context
One way to do this might be to fail only if the PR introduces new audit findings that weren't found in the main branch, perhaps by caching the main branch's audit findings somehow. The other way I can think of would be to compare the diff between the main branch and the PR, and audit only the dependencies that show up in the diff.
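The first approach above (fail only on findings the PR introduces) can be prototyped outside the action by running `cargo audit --json` twice, once against the base branch's `Cargo.lock` and once against the PR head's, and taking the set difference of the two reports. The script below is an added example for this issue, not code from actions-rs/audit-check or from onefetch. It assumes cargo-audit's JSON report lists findings under `vulnerabilities.list`, each with `advisory.id`, `package.name` and `package.version`; the embedded sample reports and their `RUSTSEC-0000-*` identifiers are constructed placeholders, not real advisories.

```python
"""Report only the audit findings a PR introduces relative to its base branch.

Added example (not part of actions-rs/audit-check). Assumes two
`cargo audit --json` reports with findings under
vulnerabilities.list[].advisory.id / .package.name / .package.version.
"""
import json
import sys
from typing import Dict, Tuple

Finding = Tuple[str, str]  # (advisory id, crate name)


def findings(report: Dict) -> Dict[Finding, str]:
    """Map each (advisory, crate) pair in a cargo-audit report to the affected version."""
    out: Dict[Finding, str] = {}
    for entry in report.get("vulnerabilities", {}).get("list", []):
        key = (entry["advisory"]["id"], entry["package"]["name"])
        out[key] = entry["package"]["version"]
    return out


def new_findings(base: Dict, head: Dict) -> Dict[Finding, str]:
    """Findings present in the PR head report but absent from the base report.

    Keyed on (advisory, crate) rather than on version, so a PR that bumps a
    crate to another version still covered by the same advisory is not
    blamed for a finding the base branch already carried.
    """
    base_keys = set(findings(base))
    return {k: v for k, v in findings(head).items() if k not in base_keys}


def fixed_findings(base: Dict, head: Dict) -> Dict[Finding, str]:
    """Findings the PR resolves: in the base report but not in the head report."""
    head_keys = set(findings(head))
    return {k: v for k, v in findings(base).items() if k not in head_keys}


# Constructed sample reports (placeholder advisory IDs, not real RUSTSEC entries).
BASE_REPORT = {
    "vulnerabilities": {
        "found": True,
        "count": 2,
        "list": [
            {"advisory": {"id": "RUSTSEC-0000-0001"},
             "package": {"name": "oldlib", "version": "0.1.0"}},
            {"advisory": {"id": "RUSTSEC-0000-0003"},
             "package": {"name": "dropped", "version": "0.3.0"}},
        ],
    }
}
HEAD_REPORT = {
    "vulnerabilities": {
        "found": True,
        "count": 2,
        "list": [
            # same advisory as base, crate bumped but still affected: not "new"
            {"advisory": {"id": "RUSTSEC-0000-0001"},
             "package": {"name": "oldlib", "version": "0.1.1"}},
            # dependency added by the PR: this is the finding to fail on
            {"advisory": {"id": "RUSTSEC-0000-0002"},
             "package": {"name": "newdep", "version": "2.0.0"}},
        ],
    }
}


def main(argv) -> int:
    """Usage: script.py base.json head.json  (falls back to the samples above)."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            base = json.load(f)
        with open(argv[2]) as f:
            head = json.load(f)
    else:
        base, head = BASE_REPORT, HEAD_REPORT
    new = new_findings(base, head)
    for (advisory, crate), version in sorted(new.items()):
        print(f"NEW  {advisory}: {crate} {version}")
    for (advisory, crate), version in sorted(fixed_findings(base, head).items()):
        print(f"FIXED {advisory}: {crate} {version}")
    # Non-zero exit only when the PR adds a finding the base did not have.
    return 1 if new else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this would sit after a checkout with enough history for the base ref to be present: write the base branch's lockfile out with `git show` (for example `git show origin/$GITHUB_BASE_REF:Cargo.lock > /tmp/base/Cargo.lock`), run `cargo audit --json -f /tmp/base/Cargo.lock > base.json` and `cargo audit --json > head.json`, then run the script on the two files. The findings the base branch already has are still printed by the normal audit run; only the ones keyed as new turn the job red.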