Phase 4: Sandbox — All Three Platforms (macOS/Linux/Windows) #15
Workflow file for this run
```yaml
name: Nightly security audit
on:
  schedule:
    - cron: '17 4 * * *' # 04:17 UTC daily — stagger to avoid the 00:00 thundering herd
  # Also run on every PR that touches dep manifests — catches advisory-affected
  # bumps at review time instead of up-to-23h later on the next nightly run.
  pull_request:
    paths:
      - Cargo.toml
      - Cargo.lock
      - crates/**/Cargo.toml
      - deny.toml
  push:
    branches: [main]
    paths:
      - Cargo.toml
      - Cargo.lock
      - crates/**/Cargo.toml
      - deny.toml
  workflow_dispatch:
# rustsec/audit-check@v2 needs issues: write to post advisory issues.
permissions:
  contents: read
  issues: write
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```