Merge pull request #89 from actions-rust-lang/remove-locked

updates:
- [github.com/asottile/pyupgrade: v3.16.0 → v3.17.0](https://github.com/asottile/pyupgrade/compare/v3.16.0...v3.17.0)
- [github.com/python-jsonschema/check-jsonschema: 0.29.0 → 0.29.1](https://github.com/python-jsonschema/check-jsonschema/compare/0.29.0...0.29.1)

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 24.1.1
+    rev: 24.4.2
     hooks:
       - id: black
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-ast
       - id: check-case-conflict
@@ -20,18 +20,18 @@ repos:
       - id: isort
         args: ["--profile=black"]
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.0
+    rev: v3.17.0
     hooks:
       - id: pyupgrade
         args: ["--py37-plus"]
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
+    rev: v1.11.0
     hooks:
       - id: mypy
         additional_dependencies:
           - types-requests
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.0
+    rev: 0.29.1
     hooks:
       - id: check-dependabot
       - id: check-github-actions

CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.2.1] - 2024-07-31
+
+* Temporarily remove `--locked` from the install instructions again, since cargo-audit relies on an old version of `time` that is incompatible with Rust 1.80.
+
+## [1.2.0] - 2024-03-05
+
+* feat: add --locked to cargo install cargo-audit by @lwshang in #72
+* Add working directory input to configure where cargo audit executes by @jonasbb in #78
+
 ## [1.1.14] - 2024-02-18
 
 * Update `cargo-audit` to 0.20.0

README.md

@@ -1,6 +1,6 @@
 # Audit Rust dependencies using the RustSec Advisory DB
 
-Audit your Rust dependencies using [cargo audit] and the [RustSec Advisory DB]. The action creates a summary with all vulnerabilieties. It can create issues for each of the found vulnerabilities.
+Audit your Rust dependencies using [cargo audit] and the [RustSec Advisory DB]. The action creates a summary with all vulnerabilities. It can create issues for each of the found vulnerabilities.
 
 Execution Summary:
 
@@ -44,18 +44,19 @@ jobs:
 ## Inputs
 
 All inputs are optional.
-Consider adding a [`audit.toml` configuration file] to your repository for further configurations.
+Consider adding an [`audit.toml` configuration file] to your repository for further configurations.
 cargo audit supports multiple warning types, such as unsound code or yanked crates.
 Configuration is only possible via the `informational_warnings` parameter in the configuration file ([#318](https://github.com/rustsec/rustsec/issues/318)).
 Setting `denyWarnings` to true will also enable these warnings, but each warning is upgraded to an error.
 
-| Name           | Description                                                                                      | Default                                                                  |
-| -------------- | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
-| `TOKEN`        | The GitHub access token to allow us to retrieve, create and update issues (automatically set).   | `github.token`                                                           |
-| `denyWarnings` | Any warnings generated will be treated as an error and fail the action.                          | false                                                                    |
-| `file`         | The path to the Cargo.lock file.                                                                 |                                                                          |
-| `ignore`       | A comma separated list of Rustsec IDs to ignore.                                                 |                                                                          |
-| `createIssues` | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
+| Name               | Description                                                                                      | Default                                                                  |
+| ------------------ | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
+| `TOKEN`            | The GitHub access token to allow us to retrieve, create and update issues (automatically set).   | `github.token`                                                           |
+| `denyWarnings`     | Any warnings generated will be treated as an error and fail the action.                          | false                                                                    |
+| `file`             | The path to the Cargo.lock file to inspect file.                                                 |                                                                          |
+| `ignore`           | A comma separated list of Rustsec IDs to ignore.                                                 |                                                                          |
+| `createIssues`     | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
+| `workingDirectory` | Run `cargo audit` from the given working directory                                               |                                                                          |
 
 ## License
 

action.yml

@@ -15,7 +15,7 @@ inputs:
     required: false
     default: "false"
   file:
-    description: "Cargo lockfile to inspect"
+    description: "The path to the Cargo.lock file to inspect"
     required: false
     default: ""
   ignore:
@@ -26,6 +26,10 @@ inputs:
     description: Create/Update issues for each found vulnerability.
     required: false
     default: "${{ github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' }}"
+  workingDirectory:
+    description: "Run `cargo audit` from the given working directory"
+    required: false
+    default: ""
 
 runs:
   using: composite
@@ -59,5 +63,6 @@ runs:
         INPUT_FILE: ${{ inputs.file }}
         INPUT_IGNORE: ${{ inputs.ignore }}
         INPUT_TOKEN: ${{ inputs.TOKEN }}
+        INPUT_WORKING_DIRECTORY: ${{ inputs.workingDirectory }}
         PYTHONPATH: ${{ github.action_path }}
         REPO: ${{ github.repository }}

audit.py

@@ -404,10 +404,15 @@ def run() -> None:
         extra_args.append("--file")
         extra_args.append(os.environ["INPUT_FILE"])
 
+    working_directory = None
+    if os.environ["INPUT_WORKING_DIRECTORY"] != "":
+        working_directory = os.environ["INPUT_WORKING_DIRECTORY"]
+
     audit_cmd = ["cargo", "audit", "--json"] + extra_args + ignore_args
     debug(f"Running command: {audit_cmd}")
     completed = subprocess.run(
         audit_cmd,
+        cwd=working_directory,
         capture_output=True,
         text=True,
         check=False,