audit.yml

name: Security audit

on:
  schedule:
    # Runs at 00:00 UTC everyday
    - cron: '0 0 * * *'
  push:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
  pull_request:

permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      issues: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@dece11172ed6b762b5421b294513d628edad7f7d
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

      - name: Checkout repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - name: Install Rust
        uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248
        with:
          toolchain: stable
      - uses: Swatinem/rust-cache@378c8285a4eaf12899d11bea686a763e906956af
      - uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}