committed by
GitHub
1 changed files with 41 additions and 0 deletions
@ -0,0 +1,41 @@ |
|||
name: Scheduled Advisory Scan |
|||
permissions: {} |
|||
|
|||
concurrency: |
|||
group: ${{ github.workflow }} |
|||
cancel-in-progress: false |
|||
|
|||
on: |
|||
schedule: |
|||
# Daily at 11:17 UTC — offset from Trivy (11:08) to spread advisory DB load. |
|||
- cron: '17 11 * * *' |
|||
|
|||
workflow_dispatch: |
|||
|
|||
defaults: |
|||
run: |
|||
shell: bash |
|||
|
|||
jobs: |
|||
cargo-deny-advisories: |
|||
name: cargo deny advisories |
|||
# Only run on the upstream repo, not forks — avoids hammering the RustSec DB. |
|||
if: ${{ github.repository == 'dani-garcia/vaultwarden' }} |
|||
runs-on: ubuntu-24.04 |
|||
timeout-minutes: 30 |
|||
permissions: |
|||
contents: read |
|||
|
|||
steps: |
|||
- name: Checkout |
|||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
|||
with: |
|||
persist-credentials: false |
|||
|
|||
# Run only the advisories check so duplicate/license noise doesn't obscure |
|||
# newly published CVEs. The full `cargo deny check` runs in build.yml on |
|||
# every push/PR; this job exists solely to catch new advisories between pushes. |
|||
- name: Run cargo deny (advisories only) |
|||
uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2 |
|||
with: |
|||
command: check advisories |
|||
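Review bot: A new advisory caught by the `Run cargo deny (advisories only)` step surfaces only as a failed scheduled run, because no step in this job reports the result anywhere else. By default GitHub notifies only the user who last edited the workflow's cron schedule about scheduled-run failures, so a red run can go unnoticed by the other maintainers. Consider stating the triage path in a comment above the job, for example `# On failure: triage the reported RUSTSEC ids; maintainers should watch this workflow's runs`. Alternatively, add a follow-up step that files an issue, which would need `issues: write` on this job only. Separately, the pin comment `# v2` on the cargo-deny action names a moving major tag; noting the exact release the SHA corresponds to would make later pin reviews easier.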