From 08b235990fb28f80cb57c453543d76d0a8c70484 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Linus=20F=C3=A4rnstrand?=
Date: Tue, 11 Jun 2024 16:54:23 +0200
Subject: [PATCH] Remove cargo audit CI job again

We realized that libraries should probably not check for CVEs. It will generate too many false positives and provide very little value. It's up to downstream *program* developers to select exact versions of transitive dependencies. If it ends up being that no version of one of our dependencies is safe/works, then that program developer must report to this library that we should probably consider upgrading/replacing that dependency with something better.
---
.github/workflows/cargo-audit.yml | 35 -------------------------------
1 file changed, 35 deletions(-)
delete mode 100644 .github/workflows/cargo-audit.yml

diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
deleted file mode 100644
index bfe548f..0000000
--- a/.github/workflows/cargo-audit.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-name: Audit dependencies
-on:
- pull_request:
- paths:
- - .github/workflows/cargo-audit.yml
- - Cargo.toml
- - Cargo.lock
- schedule:
- # At 06:20 UTC every day. Will create an issue if a CVE is found.
- - cron: '20 6 * * *'
- workflow_dispatch:
-jobs:
- audit:
- runs-on: ubuntu-latest
- permissions:
- issues: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- # We don't need to check CVEs against the checked in lockfile,
- # but only against the newest compatible dependencies.
- # This avoids significant maintenance work that provide no benefits.
- # We only need to make sure there is any compatible dependency without a known issue
- - run: cargo update
-
- - uses: actions-rust-lang/audit@160ac8b6edd32f74656cabba9d1de3fc8339f676 # v1.2
- name: Audit Rust Dependencies
- with:
- denyWarnings: true
- # Ignored audit issues. This list should be kept short, and effort should be
- # put into removing items from the list.
- ignore: