837b6fabb1
- spec: narrow ExclusiveArch to x86_64 — no aarch64 build is produced/published (NVENC is desktop-NVIDIA), so claiming aarch64 advertised an arch we never ship.
- build-deb.sh: ship punktfunk-kde-session.service (ExecStart repointed to the packaged run-headless-kde.sh) + host.env.kde, matching the RPM/Arch — the deb README's "mirrors the Fedora RPM" claim now holds.
- audit.yml: weekly + Cargo.lock-change `cargo audit` over the network-facing crypto dep tree (RustSec advisories); ignore unfixables via .cargo/audit.toml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
34 lines
1.2 KiB
YAML
# Supply-chain advisory scan for the (network-facing, crypto-heavy) Rust dependency tree.
# Runs `cargo audit` against the RustSec advisory DB: weekly (catch newly-disclosed CVEs in
# pinned deps), on every Cargo.lock change (catch a bad dep the moment it lands), and on demand.
# To silence a known-unfixable advisory, add it to `.cargo/audit.toml` ([advisories] ignore = [...]).
name: audit

on:
  schedule:
    - cron: '0 6 * * 1' # Mondays 06:00 UTC
  push:
    branches: [main]
    paths: ['Cargo.lock', '.gitea/workflows/audit.yml']
  workflow_dispatch:

jobs:
  cargo-audit:
    runs-on: ubuntu-24.04
    container:
      image: git.unom.io/unom/punktfunk-rust-ci:latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
      # Cache /usr/local/cargo so the cargo-audit binary (and the advisory DB clone) persist.
      - uses: actions/cache@v4
        with:
          path: /usr/local/cargo
          key: cargo-audit-${{ hashFiles('Cargo.lock') }}
          restore-keys: cargo-audit-
      - name: cargo audit
        run: |
          git config --global --add safe.directory "$PWD"
          command -v cargo-audit >/dev/null 2>&1 || cargo install --locked cargo-audit
          cargo audit
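Review bot: `actions/checkout@v4`, `actions/cache@v4` and the container image `git.unom.io/unom/punktfunk-rust-ci:latest` are all referenced by mutable tags, so a job whose whole purpose is supply-chain assurance runs on action code and a toolchain image that can change underneath it; pin the actions to full commit SHAs (e.g. `actions/checkout@<sha> # v4`) and the image to a digest or at least a versioned tag. Also, the final `cargo audit` step runs without `--deny warnings`, so yanked or unmaintained crates are reported in the log but never fail the job; if the intent is to block on them, add `cargo audit --deny warnings` (unfixable ones can still be silenced via the `.cargo/audit.toml` ignore list the header comment points to).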