diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..f098fab
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,38 @@
+name: Security
+
+on:
+ pull_request:
+ merge_group:
+ push:
+ branches: [main]
+
+env:
+ CARGO_TERM_COLOR: always
+
+permissions: {}
+
+jobs:
+ supply-chain:
+ name: Run `cargo-audit`
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - uses: dtolnay/rust-toolchain@clippy
+
+ - uses: Swatinem/rust-cache@v2
+ with:
+ cache-on-failure: true
+
+ - name: Install cargo-audit
+ run: cargo install cargo-audit --force --locked
+
+ - name: Check for audit warnings
+ run: cargo audit -D warnings
+ continue-on-error: true
+
+ - name: Check for vulnerabilities
+ run: cargo audit
diff --git a/.github/workflows/update_flake_lock.yml b/.github/workflows/update_flake_lock.yml
index 4ecc444..691e8fb 100644
--- a/.github/workflows/update_flake_lock.yml
+++ b/.github/workflows/update_flake_lock.yml
@@ -9,6 +9,9 @@ permissions: {}
 jobs:
 lockfile:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # Needed to create commits
+ pull-requests: write # Needed to create a PR
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/flake.lock b/flake.lock
index 0a7d463..b0ad065 100644
--- a/flake.lock
+++ b/flake.lock
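Review bot: The workflow's own supply chain is unpinned: the install step's `cargo install cargo-audit --force --locked` resolves whichever cargo-audit version crates.io serves at run time (`--locked` only freezes that crate's own dependency tree), and the three actions are referenced by mutable tags (`actions/checkout@v4`, `dtolnay/rust-toolchain@clippy`, `Swatinem/rust-cache@v2`) rather than commit SHAs. For a job whose purpose is auditing dependencies, pin the tool, e.g. `run: cargo install cargo-audit --force --locked --version <PINNED_VERSION>`, and pin each action to a full commit SHA with the tag kept in a trailing comment. Two smaller points: the `-D warnings` step runs with `continue-on-error: true`, so its outcome is informational only and never gates the pipeline — worth stating in a comment on that step if intended — and with only `pull_request`/`merge_group`/`push` triggers a newly published advisory goes unnoticed until the next commit, so a `schedule:` trigger would close that gap.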
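Review bot: `contents: write` and `pull-requests: write` are granted to the whole `lockfile` job, so the `GITHUB_TOKEN` available to the `actions/checkout@v4` step at the end of the hunk is write-capable for every branch; the checkout's `with:` block, if any, and the remaining steps lie outside the hunk, so I cannot tell whether `persist-credentials: false` is set as it is in the new `security.yml` added by this same commit. If the step that creates the commit and PR supplies its own token, add `persist-credentials: false` to this checkout so the write token is not left in `.git/config` for later steps. It is also worth extending the trailing comment, e.g. `# Needed to create a PR (PRs opened with GITHUB_TOKEN do not trigger pull_request workflows)`, if the project expects CI to run on these update PRs.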
@@ -57,32 +57,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1735563628,
- "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
+ "lastModified": 1737165118,
+ "narHash": "sha256-s40Kk/OulP3J/1JvC3VT16U4r/Xw6Qdi7SRw3LYkPWs=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
+ "rev": "6a3ae7a5a12fb8cac2d59d7df7cbd95f9b2f0566",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-24.05",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs-stable": {
- "locked": {
- "lastModified": 1730741070,
- "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixos-24.05",
+ "ref": "nixos-24.11",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -107,15 +91,14 @@
 "inputs": {
 "flake-compat": "flake-compat",
 "gitignore": "gitignore",
- "nixpkgs": "nixpkgs_2",
- "nixpkgs-stable": "nixpkgs-stable"
+ "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1734797603,
- "narHash": "sha256-ulZN7ps8nBV31SE+dwkDvKIzvN6hroRY8sYOT0w+E28=",
+ "lastModified": 1737043064,
+ "narHash": "sha256-I/OuxGwXwRi5gnFPsyCvVR+IfFstA+QXEpHu1hvsgD8=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
- "rev": "f0f0dc4920a903c3e08f5bdb9246bb572fcae498",
+ "rev": "94ee657f6032d913fe0ef49adaa743804635b0bb",
 "type": "github"
 },
 "original": {
@@ -139,11 +122,11 @@
 ]
 },
 "locked": {
- "lastModified": 1735612067,
- "narHash": "sha256-rsjojgfPUf9tWuMXuuo2KAIoUZ49XGZQJSjFGOO8Cq4=",
+ "lastModified": 1737253755,
+ "narHash": "sha256-T1FIl8yuQ0cJx2DBMvWH73O/igJGaumNNyZkea2m3a0=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "d199142e84bfaae476ffb4e09a70879d7918784d",
+ "rev": "9e4b97a04063ff39a37b63e8fb31cc2b4adf9227",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index daf165e..84afa97 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,7 @@ { description = "Rust no-BS Dead Man's Switch"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; rust-overlay = { url = "github:oxalica/rust-overlay";