Replace actions-rs/audit-check with direct cargo audit invocation

Unfortunately we can't pass an `--ignore` option to cargo-audit via `actions-rs/audit-check` to ignore the request smuggling vulnerability in `tiny_http` due to this issue: actions-rs/audit-check#132 This PR switches to invoking `cargo audit` directly so we can.
iqlusioninc · Sep 23, 2020 · abfe724 · abfe724
1 parent 45bcbd6
commit abfe724
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
@@ -18,8 +18,12 @@ jobs:
         uses: actions/cache@v1
         with:
           path: ~/.cargo/bin
-          key: ${{ runner.os }}-cargo-audit-v0.11.2
-      - uses: actions-rs/audit-check@v1
+          key: ${{ runner.os }}-cargo-audit-v0.12.1
+      - uses: actions-rs/toolchain@v1
         with:
-          args: --ignore RUSTSEC-2019-0031
-          token: ${{ secrets.GITHUB_TOKEN }}
+          toolchain: stable
+          override: true
+      - name: Install cargo audit
+        run: cargo install cargo-audit
+      - name: Run cargo audit
+        run: cargo audit --deny-warnings --ignore RUSTSEC-2020-0031
diff --git a/Cargo.lock b/Cargo.lock