cargo-deny #217
```yaml
name: cargo-deny
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Re-run daily so new advisories against unchanged dep trees still
    # surface — the runtime tree won't change but the advisory database
    # will.
    - cron: "0 6 * * *"
# Prevent redundant runs on rapid pushes to the same branch.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
# Deny-all by default; the deny job only needs read access for checkout.
permissions: {}
jobs:
  deny:
    name: cargo deny check
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
      - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
        with:
          # Matches `[graph] all-features = true` in deny.toml so every
          # feature combination is policy-checked.
          command: check
          arguments: --all-features
```