audit.yml

name: Security audit

on:
  schedule:
    # Runs at 00:00 UTC everyday
    - cron: '0 0 * * *'
  push:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
  pull_request:

permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      checks: write
      issues: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0a5820a2ec510d2521c1715d24860fc8cd06400a
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

      - name: Checkout repository
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
      - name: Install Rust
        uses: dtolnay/rust-toolchain@e645b0cf01249a964ec099494d38d2da0f0b349f
        with:
          toolchain: stable
      - uses: Swatinem/rust-cache@359a70e43a0bb8a13953b04a90f76428b4959bb6
      - uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}