fix(ci): add daily full audit job to track when ignored advisories get fixes

zircote · zircote · commit 5377875b2c12 · 2026-03-09T11:58:41.000-04:00
The audit-full job runs daily without --ignore flags so we are notified
when RUSTSEC-2023-0071 (or any future ignored advisory) gets a fix.
It uses continue-on-error so it does not block PRs.
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
@@ -21,6 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
+        # yamllint disable-line rule:line-length
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Setup Rust with caching
@@ -41,3 +42,30 @@ jobs:
         run: >-
           cargo audit --deny warnings
           --ignore RUSTSEC-2023-0071
+
+  # Separate job: run audit WITHOUT ignores to surface when
+  # fixes become available. Failures here are informational
+  # (do not block PRs).
+  audit-full:
+    name: Full Audit (informational)
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule'
+    continue-on-error: true
+    steps:
+      - name: Checkout repository
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Setup Rust with caching
+        uses: ./.github/actions/setup-rust-cached
+        with:
+          toolchain: stable
+          cache-key: audit-full
+
+      - name: Install cargo-audit
+        uses: ./.github/actions/install-cargo-tool
+        with:
+          tool: cargo-audit
+
+      - name: Run full audit (no ignores)
+        run: cargo audit --deny warnings
diff --git a/deny.toml b/deny.toml
@@ -23,8 +23,10 @@ version = 2
 # All advisory types (vulnerability, unmaintained, unsound, notice, yanked) default to deny
 ignore = [
     # rsa crate timing side-channel — we only use HMAC-SHA256 via jsonwebtoken,
-    # never RSA. Transitive dep from rust_crypto feature.
-    "RUSTSEC-2023-0071",
+    # never RSA. Transitive dep from rust_crypto feature. No upstream fix yet.
+    # Tracked by: daily audit-full job (runs without ignores, surfaces when fix lands)
+    # Review: remove this ignore when rsa >= 0.10 or jsonwebtoken drops rsa dep
+    { id = "RUSTSEC-2023-0071", reason = "transitive dep; we only use HMAC-SHA256, never RSA" },
 ]
 
 [licenses]
