ci(audit): replace rustsec/audit-check with cached cargo-audit install and 'cargo audit --deny warnings' on pinned 1.90.0

flyingrobots · flyingrobots · commit 5ea8a8f09194 · 2025-10-29T19:02:31.000-07:00
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
@@ -17,6 +17,17 @@ jobs:
         with:
           submodules: false
       - uses: dtolnay/rust-toolchain@1.90.0
-      - uses: rustsec/audit-check@v2
+      - uses: actions/cache@v4
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ~/.cargo/bin/cargo-audit
+          key: audit-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
+      - name: Install cargo-audit
+        run: |
+          if ! command -v cargo-audit >/dev/null; then
+            cargo install cargo-audit --locked
+          fi
+      - name: Run cargo audit
+        run: cargo audit --deny warnings
