From acdcd9336b2d52b565c92a9c129376411467a3ae Mon Sep 17 00:00:00 2001
From: richardanyalai
Date: Tue, 12 May 2026 18:22:12 +0200
Subject: [PATCH] chore(ci): added dependabot, cargo-audit, cargo-deny
---
.github/dependabot.yml | 28 ++++++++++++++++++++++++
.github/workflows/security.yml | 40 ++++++++++++++++++++++++++++++++++
2 files changed, 68 insertions(+)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/security.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..6aa4079
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,28 @@
+version: 2
+updates:
+ - package-ecosystem: cargo
+ directory: /
+ schedule:
+ interval: monthly
+ open-pull-requests-limit: 10
+ commit-message:
+ prefix: "chore(deps)"
+ groups:
+ cargo-minor-and-patch:
+ update-types:
+ - minor
+ - patch
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: monthly
+ open-pull-requests-limit: 5
+ commit-message:
+ prefix: "chore(ci)"
+ groups:
+ actions-all:
+ update-types:
+ - major
+ - minor
+ - patch
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..296c9b0
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,40 @@
+name: Security
+
+on:
+ push:
+ branches: [main, master]
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ cargo-audit:
+ name: Cargo Audit
+ runs-on: ubuntu-latest
+ permissions:
+ checks: write
+ contents: read
+ steps:
+ - uses: actions/checkout@v6
+ - uses: rustsec/audit-check@v2.0.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ cargo-deny:
+ name: Cargo Deny
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: Capture github.com host keys
+ id: keyscan
+ run: |
+ {
+ echo 'known-hosts<> "$GITHUB_OUTPUT"
+ - uses: EmbarkStudios/cargo-deny-action@v2
+ with:
+ command: check advisories
+ ssh-key: ${{ secrets.BOT_SSH_PRIVATE_KEY }}
+ ssh-known-hosts: ${{ steps.keyscan.outputs.known-hosts }}
+ use-git-cli: true
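Review bot: The `cargo-deny` job hands `secrets.BOT_SSH_PRIVATE_KEY` to `EmbarkStudios/cargo-deny-action@v2`, which is referenced by a movable tag, so the code that receives the key can change without any change in this repository. Pinning it (and `rustsec/audit-check@v2.0.0`) to a full commit SHA, e.g. `uses: EmbarkStudios/cargo-deny-action@<full-commit-sha> # v2`, fixes the reviewed code, and the new Dependabot `github-actions` entry can keep such pins current. The job also has no `permissions:` block, unlike `cargo-audit`, so it inherits the repository's default token scope; a `permissions:` mapping with `contents: read` looks sufficient for the steps shown. The `keyscan` step body is garbled on this page, but its name suggests the github.com host keys are fetched at run time, which is trust on first use. If that is the case, supplying GitHub's published host keys from the workflow or a repository variable would be a stronger source for `ssh-known-hosts`.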