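# Policy gate: runs `cargo deny check` on pushes and pull requests to main,
# and once a day on a schedule.
name: cargo-deny
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Re-run daily so new advisories against unchanged dep trees still
    # surface — the runtime tree won't change but the advisory database
    # will.
    - cron: "0 6 * * *"
# Prevent redundant runs on rapid pushes to the same branch.
# In-progress runs for refs/heads/main are left to finish; any other ref
# has its in-progress run cancelled by a newer one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
# Deny-all by default; the deny job only needs read access for checkout.
permissions: {}
jobs:
  deny:
    name: cargo deny check
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Every action is pinned to a full commit SHA; the trailing version
      # comment is informational only, so re-check it against the action's
      # tags whenever a pin is bumped.
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # `audit` only records outbound connections; it does not block
          # them. Once the job's endpoints are known from the audit
          # results, consider `egress-policy: block` with an
          # `allowed-endpoints` list so unexpected egress fails the run.
          egress-policy: audit
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          # No later step pushes or fetches with the workflow token, so do
          # not leave it in the checked-out repository's git config where
          # subsequent steps could read it.
          persist-credentials: false
      - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
        with:
          # Matches `[graph] all-features = true` in deny.toml, so the
          # policy check runs against the dependency graph with every
          # feature enabled at once (the union of features, not each
          # feature combination separately).
          command: check
          arguments: --all-features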