fix(audit-workflow): update audit workflow

tvpeter · tvpeter · commit c42180a68ca2 · 2025-11-25T12:28:02.000+01:00
- remove master branch filter
- fix invalid pinned SHA
- remove Swatinem/rust-cache action
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -1,54 +1,65 @@
 name: Security Audit
 
 on:
-  pull_request:
+  push:
     paths:
       - '**/Cargo.toml'
       - '**/Cargo.lock'
-  merge_group:
-  push:
-    branches: [master]
+  pull_request:
     paths:
       - '**/Cargo.toml'
       - '**/Cargo.lock'
   schedule:
     # weekly
     - cron: '0 0 * * 0'
+  workflow_dispatch:
 
 env:
   CARGO_TERM_COLOR: always
 
 permissions:
-  contents: read               
-  security-events: write      
-  issues: write                
+  contents: read
+  security-events: write   
+  issues: write            
 
 jobs:
   cargo-audit:
     name: RustSec Audit (vulnerabilities)
     runs-on: ubuntu-latest
     timeout-minutes: 15
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        id: toolchain
+        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
+        with:
+          toolchain: stable
 
-      - name: Cache cargo registry/index/target
-        uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1
+      - name: Cache Cargo registry + target
+        uses: actions/cache@v4
         with:
-          cache-on-failure: true
+          path: |
+            ~/.cargo/bin
+            ~/.cargo/registry/index
+            ~/.cargo/registry/cache
+            ~/.cargo/git/db
+            target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}-${{ steps.toolchain.outputs.cachekey }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}-
+            ${{ runner.os }}-cargo-
 
       - name: Install cargo-audit
         run: cargo install cargo-audit --locked
 
-      - name: Run cargo audit (raw output — you will see this clearly)
-        run: cargo audit --deny warnings   
-        
-      - name: Run cargo audit again for GitHub Security tab upload
-        uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212ae3e3c0d700
+      - name: Run cargo audit 
+        run: cargo audit --deny warnings
+
+      - name: Upload SARIF to GitHub Security tab
+        uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           deny: warnings
-          
