From b553d8436250e90e6149169ccbac6000e4c65244 Mon Sep 17 00:00:00 2001
From: Alex Crichton
Date: Tue, 19 Oct 2021 10:12:36 -0500
Subject: [PATCH] Change how security advisories work on CI (#3461)

Before this commit we actually have two builders checking for security advisories on CI, one is `cargo audit` and one is `cargo deny`. The `cargo deny` builder is slightly different in that it checks a few other things about our dependency tree such as licenses, duplicates, etc. This commit removes the advisory check from `cargo deny` on CI and then moves the `cargo audit` check to a separate workflow. The `cargo audit` check will now run nightly and will open an issue on the Wasmtime repository when an advisory is found. This should help make it such that our CI is never broken by the publication of an advisory but we're still promptly notified whenever an advisory is made. I've updated the release process notes to indicate that the open issues should be double-checked to ensure that there are no open advisories that we need to take care of.
---
 .github/workflows/cargo-audit.yml | 12 ++++++++++++
 .github/workflows/main.yml | 17 +----------------
 deny.toml | 7 -------
 docs/contributing-release-process.md | 4 ++++
 4 files changed, 17 insertions(+), 23 deletions(-)
 create mode 100644 .github/workflows/cargo-audit.yml

diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml
new file mode 100644
index 0000000000..69e1381b5b
--- /dev/null
+++ b/.github/workflows/cargo-audit.yml
@@ -0,0 +1,12 @@
+name: Run cargo-audit
+on:
+ schedule:
+ - cron: '0 0 * * *'
+jobs:
+ security_audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v1
+ - uses: actions-rs/audit-check@v1
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c38b7cc1a3..896bf764d0 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
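Review bot: The new workflow hands `secrets.GITHUB_TOKEN` to a third-party action (`actions-rs/audit-check@v1`) without a `permissions:` block, so the token carries the repository's default token scopes rather than only what the action needs to file advisory issues; adding `permissions:` with `contents: read` and `issues: write` at the workflow level keeps it to least privilege. The action is referenced by the mutable `v1` tag, so a moved tag would run unreviewed code with that token; pinning to a full commit SHA is the usual mitigation for an action that receives a write-capable token. The checkout step uses `actions/checkout@v1` while the job removed from main.yml used `actions/checkout@v2`, which looks like an accidental regression. Because `schedule:` is the only trigger, this PR cannot exercise the workflow; adding `workflow_dispatch:` next to `schedule:` would allow a manual run to confirm it opens an issue as intended.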
@@ -47,7 +47,7 @@ jobs:
 curl -L https://github.com/EmbarkStudios/cargo-deny/releases/download/0.8.5/cargo-deny-0.8.5-x86_64-unknown-linux-musl.tar.gz | tar xzf -
 mv cargo-deny-*-x86_64-unknown-linux-musl/cargo-deny cargo-deny
 echo `pwd` >> $GITHUB_PATH
- - run: cargo deny check
+ - run: cargo deny check bans licenses
 
 doc:
 name: Doc build
@@ -458,21 +458,6 @@ jobs:
 files: "dist/*"
 token: ${{ secrets.GITHUB_TOKEN }}
 
- cargo-audit:
- env:
- CARGO_AUDIT_VERSION: 0.11.2
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - uses: actions/cache@v1
- with:
- path: ${{ runner.tool_cache }}/cargo-audit
- key: cargo-audit-bin-${{ env.CARGO_AUDIT_VERSION }}
- - run: echo "${{ runner.tool_cache }}/cargo-audit/bin" >> $GITHUB_PATH
- - run: |
- cargo install --root ${{ runner.tool_cache }}/cargo-audit --version ${{ env.CARGO_AUDIT_VERSION }} cargo-audit
- cargo audit
-
 verify-publish:
 runs-on: ubuntu-latest
 steps:
diff --git a/deny.toml b/deny.toml
index 0b6df1e954..1bfbbf46c8 100644
--- a/deny.toml
+++ b/deny.toml
@@ -8,13 +8,6 @@ targets = [
 { triple = "aarch64-linux-android" },
 ]
 
-# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
-[advisories]
-vulnerability = "deny"
-unmaintained = "deny"
-yanked = "deny"
-ignore = []
-
 # https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
 [licenses]
 allow = [
diff --git a/docs/contributing-release-process.md b/docs/contributing-release-process.md
index fad3eaa02e..89b428e5f1 100644
--- a/docs/contributing-release-process.md
+++ b/docs/contributing-release-process.md
@@ -10,6 +10,8 @@ made (there's also not really a body governing these decisions, it's more
 whimsical currently, or on request from others) then the following steps need
 to be executed to make the release:
 
+1. Double-check that there are no open [rustsec advisory
+ issues][rustsec-issues] on the Wasmtime repository.
 1. `git pull` - make sure you've got the latest changes
 1. Run `rustc scripts/publish.rs`
 1. Run `./publish bump`
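Review bot: The new invocation `cargo deny check bans licenses` drops the `sources` check along with the advisories check, because a bare `cargo deny check` runs every check (advisories, bans, licenses, sources), while the commit message only intends to remove advisories. If deny.toml carries a `[sources]` section (not visible in this diff), the allow-list of registries and git sources stops being enforced on CI, which is a supply-chain control worth keeping; `- run: cargo deny check bans licenses sources` preserves it. The enclosing job definition starts outside the hunk, so I cannot confirm which checks the job was relied on for.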
@@ -31,3 +33,5 @@ be executed to make the release:
 a bit between runs of the script.
 
 And that's it, then you've done a Wasmtime release.
+
+[rustsec-issues]: https://github.com/bytecodealliance/wasmtime/issues?q=RUSTSEC+is%3Aissue+is%3Aopen+