audit-check
Version 1.4.1 still gives Node16 warning
I'm feeling dopey: I changed a project (https://github.com/richb-hanover/prql/blob/main/.github/workflows/nightly.yaml) to use rustsec/audit-check@v1.4.1. I did this to get away from the "Node16" warning from my previous action.
But I'm still getting this warning:
cargo-audit
Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: rustsec/audit-check@v1.4.1. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.
What am I missing? Thanks
PS @clechasseur - any thoughts on this? I see you made the PR to update to Node20... Thanks again.
It seems my PR was merged but no new releases were published - they'd need to do a new release.
That problem bit me as well. I couldn't figure out how to update a Github Action of my own...
Would you give me a hint about how to "publish a new release" on a Github Action? Many thanks
I think I answered my own question: Is this the documentation? https://docs.github.com/en/actions/creating-actions/publishing-actions-in-github-marketplace
Would it be possible to publish the latest action? Many thanks.
Sorry, yes I need to do that and I'm not really familiar with how
I don't know either. So I asked a question at: https://github.com/orgs/community/discussions/129097
I'll let you know if I hear something...
Here's what I know: I got an answer about publishing an update at https://github.com/orgs/community/discussions/129097#discussioncomment-9821029
The answer for my repo is that there's a .github/workflow/ci.yml file that runs when there's a commit/push. (My repo is currently failing because of ancient npm dependency conflicts.)
I don't see any problems for the Actions in this repo. Perhaps @clechasseur could weigh in - he created the PR for Node20... Thanks!
To do a new release, this is what I suggest:
- Checkout latest main branch
- Update the version number in package.json
- Run npm install
- Run npm run refresh; this should update the file in the dist/ folder
- Commit all changes and push them
- Create a new release the usual way (perhaps a version 2.0, since changing the Node version is technically a breaking change)
As an aside: before releasing a new version, I suggest merging my latest PR (see #23); it fixes a high-severity vulnerability in the braces library which is a dependency.
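The release steps suggested above, scripted as an added example (this is not a script from the audit-check project). It assumes a main branch, a package.json with a "version" field, and an npm script named refresh that rebuilds the dist/ folder, as described in the comment; the helper names (bump_major, set_package_version, current_version, release) are this example's own. The version bump is a major one because, as noted above, changing the Node runtime is treated as a breaking change.

```shell
#!/bin/sh
# Added example, not part of the audit-check repository: scripts the release
# procedure for a JavaScript GitHub Action whose compiled output lives in dist/.
# Assumes a `main` branch, a package.json "version" field and an npm script
# named `refresh` that regenerates dist/.
set -eu

# bump_major 1.4.1 -> 2.0.0 : a Node runtime change is a breaking change,
# so the major component is incremented and the rest reset.
bump_major() {
    major=${1%%.*}
    echo "$((major + 1)).0.0"
}

# current_version FILE: read the "version" string out of package.json.
current_version() {
    sed -n 's/.*"version": *"\([^"]*\)".*/\1/p' "$1"
}

# set_package_version FILE NEWVERSION: rewrite the "version" field in place
# (the .bak suffix keeps the call portable between GNU and BSD sed).
set_package_version() {
    file=$1; new=$2
    sed -i.bak "s/\"version\": *\"[^\"]*\"/\"version\": \"$new\"/" "$file"
    rm -f "$file.bak"
}

# release: the full procedure from the comment above, ending with a tag that
# the GitHub release is then created from.
release() {
    git checkout main
    git pull --ff-only
    old=$(current_version package.json)
    new=$(bump_major "$old")
    set_package_version package.json "$new"
    npm install
    npm run refresh                      # regenerates dist/ from the updated sources
    git add package.json package-lock.json dist/
    git commit -m "Release v$new"
    git tag "v$new"
    git push origin main "v$new"
    echo "Tagged v$new; create the GitHub release from this tag."
}

# Run the release only when invoked as `./release.sh release`, so the helper
# functions can also be sourced and exercised on their own.
if [ "${1:-}" = release ]; then
    release
fi
```

Because the action runs from the committed dist/ folder, the commit that bumps package.json must also carry the regenerated dist/; a tag that points at stale dist/ output ships the old Node 16 bundle regardless of what package.json says.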
@tarcieri Heya, would you be able to find time to do the above?
I'm also curious to find out if my repos would automatically pick a compatible version up -- I updated a lot of them (by hand 🫠) to depend on 1.4.1, and hopefully they just pick up a 1.4.2 without needing to be told
I'll see if I can look soon
Failed on npm install:
npm error code E401
npm error 401 Unauthorized - GET https://npm.pkg.github.com/download/@clechasseur/rs-actions-core/3.0.5/b35ae1eb71c59dd75c7db9ecccba1bd7f3a2fc99 - authentication token not provided
(I've done npm login, FWIW)
npm v10.7.0
Strange, as the package should be public. Did you authenticate with just npm login? The instructions to use the GitHub package registry mention that you need to do this:
npm login --scope=@NAMESPACE --auth-type=legacy --registry=https://npm.pkg.github.com
Here, @NAMESPACE should be @clechasseur.
I thought you didn't need this to simply read packages, however...
I wasn't able to login at all with that. I attempted to use my GitHub credentials, and got the following:
npm error code E403
npm error 403 403 Forbidden - PUT https://npm.pkg.github.com/-/user/org.couchdb.user:tarcieri - Permission denied
npm error 403 In most cases, you or one of your dependencies are requesting
npm error 403 a package version that is forbidden by your security policy, or
npm error 403 on a server you do not have access to.
Okay, the issue with the above is the "password" is actually a personal access token. I was able to login successfully but:
npm error code E403
npm error 403 403 Forbidden - GET https://npm.pkg.github.com/download/@clechasseur/rs-actions-core/3.0.5/b35ae1eb71c59dd75c7db9ecccba1bd7f3a2fc99 - Permission permission_denied: The token provided does not match expected scopes.
Right back where we started. Does npm install work for anyone else? Is there an issue with that particular dependency for some reason?
Edit: okay, this was permissions on the token. Ugh, this is annoying as hell.
Okay, I attempted to publish a new release here: https://github.com/rustsec/audit-check/releases/tag/v2.0.0
@tarcieri thanks for working on this. It's not working for us, apparently due to a lacking Cargo.lock file.
2024-09-23T14:31:06.5076364Z ##[group]Calling cargo-audit (JSON output)
2024-09-23T14:31:06.5089344Z [command]/home/runner/.cargo/bin/cargo audit --json --file ./Cargo.lock
2024-09-23T14:31:09.0744703Z error: not found: Couldn't load ./Cargo.lock
2024-09-23T14:31:09.0745675Z Caused by:
2024-09-23T14:31:09.0746708Z -> I/O operation failed: I/O operation failed: entity not found
2024-09-23T14:31:09.0775439Z
2024-09-23T14:31:09.0776822Z ##[endgroup]
2024-09-23T14:31:09.0804531Z ##[error]Unexpected end of JSON input
(Full output here.)
Is it now required to have Cargo.lock? We didn't use to have one and older releases of audit-check worked OK.
Looks like Cargo.lock gen was removed in https://github.com/rustsec/audit-check/pull/20. I worked around this by adding a - run: cargo generate-lockfile step.
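The workaround above, written out as an added example (not code from the audit-check project): a script that can be pasted into a run: step ahead of the audit-check step, or run locally, and that generates Cargo.lock only when none is present. The function names (ensure_lockfile, audit_with_lockfile) and the optional generator parameter are this example's own assumptions; the cargo audit invocation is the one visible in the log posted above.

```shell
#!/bin/sh
# Added example, not part of the audit-check repository: the lockfile
# workaround as a script. It generates Cargo.lock only when none is committed,
# because regenerating an existing lockfile would audit a different dependency
# set than the one the project actually builds and ships.
set -eu

# ensure_lockfile DIR [GENERATOR]: print "present" if DIR/Cargo.lock exists,
# otherwise run GENERATOR (default: cargo generate-lockfile) inside DIR and
# print "generated". The GENERATOR parameter is an assumption added so the
# function can be exercised without a Rust toolchain installed.
ensure_lockfile() {
    dir=$1
    gen=${2:-"cargo generate-lockfile"}
    if [ -f "$dir/Cargo.lock" ]; then
        echo present
    else
        ( cd "$dir" && $gen ) >/dev/null
        echo generated
    fi
}

# audit_with_lockfile DIR: the same invocation the action's log shows,
# run only once a lockfile is guaranteed to exist.
audit_with_lockfile() {
    status=$(ensure_lockfile "$1")
    echo "Cargo.lock $status; running cargo audit"
    ( cd "$1" && cargo audit --json --file ./Cargo.lock )
}

if [ "${1:-}" = audit ]; then
    audit_with_lockfile "${2:-.}"
fi
```

In a workflow this is equivalent to the single `- run: cargo generate-lockfile` step mentioned above; committing Cargo.lock is the more robust fix, since the audit then covers exactly the versions that get built rather than whatever resolution cargo picks on the runner that day.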
Yes, that did it, thanks.
I think this issue can be closed.