Change how security advisories work on CI (#3461)

Before this commit we actually have two builders checking for security advisories on CI, one is `cargo audit` and one is `cargo deny`. The `cargo deny` builder is slightly different in that it checks a few other things about our dependency tree such as licenses, duplicates, etc. This commit removes the advisory check from `cargo deny` on CI and then moves the `cargo audit` check to a separate workflow. The `cargo audit` check will now run nightly and will open an issue on the Wasmtime repository when an advisory is found. This should help make it such that our CI is never broken by the publication of an advisory but we're still promptly notified whenever an advisory is made. I've updated the release process notes to indicate that the open issues should be double-checked to ensure that there are no open advisories that we need to take care of.
2021-10-19 10:12:36 -05:00
parent 13feef7bb8
commit b553d84362
4 changed files with 17 additions and 23 deletions
--- a/.github/workflows/cargo-audit.yml
+++ b/.github/workflows/cargo-audit.yml
@@ -0,0 +1,12 @@
+name: Run cargo-audit
+on:
+  schedule:
+    - cron: '0 0 * * *'
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -47,7 +47,7 @@ jobs:
        curl -L https://github.com/EmbarkStudios/cargo-deny/releases/download/0.8.5/cargo-deny-0.8.5-x86_64-unknown-linux-musl.tar.gz | tar xzf -
        mv cargo-deny-*-x86_64-unknown-linux-musl/cargo-deny cargo-deny
        echo `pwd` >> $GITHUB_PATH
-    - run: cargo deny check
+    - run: cargo deny check bans licenses

  doc:
    name: Doc build
@@ -458,21 +458,6 @@ jobs:
        files: "dist/*"
        token: ${{ secrets.GITHUB_TOKEN }}

-  cargo-audit:
-    env:
-      CARGO_AUDIT_VERSION: 0.11.2
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - uses: actions/cache@v1
-      with:
-        path: ${{ runner.tool_cache }}/cargo-audit
-        key: cargo-audit-bin-${{ env.CARGO_AUDIT_VERSION }}
-    - run: echo "${{ runner.tool_cache }}/cargo-audit/bin" >> $GITHUB_PATH
-    - run: |
-        cargo install --root ${{ runner.tool_cache }}/cargo-audit --version ${{ env.CARGO_AUDIT_VERSION }} cargo-audit
-        cargo audit
-
  verify-publish:
    runs-on: ubuntu-latest
    steps: