Replace actions-rs/audit-check with direct cargo audit invocation

Unfortunately we can't pass an `--ignore` option to cargo-audit via `actions-rs/audit-check` to ignore the request smuggling vulnerability in `tiny_http` due to this issue: actions-rs/audit-check#132 This PR switches to invoking `cargo audit` directly so we can.
iqlusioninc · Sep 23, 2020 · f76657c · f76657c
1 parent 45bcbd6
commit f76657c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 10 deletions.
diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
@@ -14,12 +14,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v1
-      - name: Cache cargo bin
-        uses: actions/cache@v1
+      - uses: actions-rs/toolchain@v1
         with:
-          path: ~/.cargo/bin
-          key: ${{ runner.os }}-cargo-audit-v0.11.2
-      - uses: actions-rs/audit-check@v1
-        with:
-          args: --ignore RUSTSEC-2019-0031
-          token: ${{ secrets.GITHUB_TOKEN }}
+          toolchain: stable
+          override: true
+      - name: Install cargo audit
+        run: cargo install cargo-audit
+      - name: Run cargo audit
+        run: cargo audit --deny-warnings --ignore RUSTSEC-2020-0031
diff --git a/Cargo.lock b/Cargo.lock