From c4a9e56613a118ce1fd7527f99fe0be6f8f6ce28 Mon Sep 17 00:00:00 2001 From: wdecoster Date: Mon, 15 Jun 2026 08:36:06 +0200 Subject: [PATCH] ci: stop weekly security-audit failures from unmaintained transitive deps The Security Audit workflow failed every week because cargo-deny flagged new "unmaintained" advisories on deep transitive build dependencies (proc-macro-error2, paste, fxhash, custom_derive via getset -> bio) that have no safe upgrade and pose no real risk for a CLI. Each new advisory required adding another RUSTSEC id to the ignore list. Fix the class instead of individual ids: - deny.toml: set advisories.unmaintained = "workspace" so only direct dependencies are checked for unmaintained status; drop the per-id ignore list. Vulnerabilities and unsound advisories still fail the check. - security.yml: run on schedule + manual dispatch only (no longer on every push/PR, so an unmaintained advisory can't block a merge), and use a single `cargo deny check` instead of the overlapping cargo-audit step plus the slow, non-failing cargo-outdated step. Verified locally with cargo-deny 0.19.7: advisories ok, bans ok, licenses ok, sources ok. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/security.yml | 38 +++++++--------------------------- deny.toml | 14 ++++++------- 2 files changed, 15 insertions(+), 37 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 2cc581d..3815f4f 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -5,44 +5,22 @@ on: # Run weekly on Sundays at 2:00 AM UTC - cron: '0 2 * * 0' workflow_dispatch: # Allow manual trigger - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] jobs: audit: runs-on: ubuntu-latest - + steps: - uses: actions/checkout@v4 - + - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable - with: - components: rustfmt, clippy - - - name: Install cargo-audit - run: cargo install cargo-audit - - - name: Run security audit - run: | - # Ignore known unmaintained crates that are transitive dependencies - # These are also ignored in deny.toml for cargo-deny - cargo audit \ - --ignore RUSTSEC-2025-0058 \ - --ignore RUSTSEC-2025-0057 \ - --ignore RUSTSEC-2024-0436 - - - name: Check for outdated dependencies - run: | - # Install cargo-outdated with locked dependencies to avoid version conflicts - cargo install cargo-outdated --locked || echo "cargo-outdated installation failed, skipping outdated check" - if command -v cargo-outdated >/dev/null 2>&1; then - cargo outdated --root-deps-only || echo "cargo-outdated failed, but this is non-critical" - fi - - name: Install and run cargo deny + # cargo-deny's advisories check covers vulnerabilities, unsound, yanked, and + # unmaintained advisories. Policy (allowed licenses, ignored advisories, + # unmaintained = "workspace") lives in deny.toml so it is reviewable in one + # place instead of being scattered across inline --ignore flags. + - name: Install and run cargo-deny run: | - cargo install cargo-deny --version "0.19.7" + cargo install cargo-deny --version "0.19.7" --locked cargo deny check diff --git a/deny.toml b/deny.toml index d33b988..0953056 100644 --- a/deny.toml +++ b/deny.toml @@ -59,13 +59,13 @@ db-path = "~/.cargo/advisory-db" # The url(s) of the advisory databases to use db-urls = ["https://github.com/rustsec/advisory-db"] -# Handle known unmaintained crates that are still widely used -ignore = [ - # Bio crate dependencies that are unmaintained but still functional - "RUSTSEC-2025-0058", # custom_derive - widely used in bio ecosystem - "RUSTSEC-2025-0057", # fxhash - used by bio, has replacement but not critical - "RUSTSEC-2024-0436", # paste - used by nalgebra/simba and minimap2-sys, archived but stable -] +# Only flag "unmaintained" advisories for crates we depend on directly, not for +# deep transitive build-time dependencies (e.g. proc-macro-error2, paste, +# fxhash, custom_derive pulled in via getset -> bio). Those are unmaintained +# upstream with no safe upgrade and are not a security risk for a CLI, and they +# were causing a new red build every week as fresh advisories were published. +# Actual vulnerabilities (and unsound advisories) still fail the check. +unmaintained = "workspace" [sources] # Lint level for what to happen when a crate from a git repository is encountered