Merge pull request #126 from actions-rust-lang/bump-version

updates:
- [github.com/psf/black-pre-commit-mirror: 25.9.0 → 25.11.0](https://github.com/psf/black-pre-commit-mirror/compare/25.9.0...25.11.0)
- [github.com/asottile/pyupgrade: v3.21.0 → v3.21.1](https://github.com/asottile/pyupgrade/compare/v3.21.0...v3.21.1)
- [github.com/python-jsonschema/check-jsonschema: 0.34.1 → 0.35.0](https://github.com/python-jsonschema/check-jsonschema/compare/0.34.1...0.35.0)

.github/dependabot.yml

@@ -8,4 +8,4 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "monthly"
+      interval: "weekly"

.github/workflows/autotag-releases.yml

@@ -15,7 +15,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
       - name: Get version from tag
         id: tag_name
         run: |

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
-  - repo: https://github.com/psf/black
-    rev: 22.12.0
+  - repo: https://github.com/psf/black-pre-commit-mirror
+    rev: 25.11.0
     hooks:
       - id: black
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v6.0.0
     hooks:
       - id: check-ast
       - id: check-case-conflict
@@ -14,19 +14,25 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
   - repo: https://github.com/PyCQA/isort
-    rev: v5.11.3
+    rev: 7.0.0
     # https://github.com/psf/black/blob/main/docs/guides/using_black_with_other_tools.md
     hooks:
       - id: isort
         args: ["--profile=black"]
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.3.1
+    rev: v3.21.1
     hooks:
       - id: pyupgrade
         args: ["--py37-plus"]
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v0.991
+    rev: v1.18.2
     hooks:
       - id: mypy
         additional_dependencies:
           - types-requests
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.35.0
+    hooks:
+      - id: check-dependabot
+      - id: check-github-actions
+      - id: check-github-workflows

CHANGELOG.md

@@ -7,6 +7,80 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.2.6] - 2025-11-22
+
+* Update `cargo-audit` to 0.22.0
+
+## [1.2.5] - 2025-10-09
+
+* Pin the version of `actions/cache` to commit hash by @Gronner in #122
+
+## [1.2.4] - 2025-03-03
+
+* Update `cargo-audit` to 0.21.2
+
+## [1.2.3] - 2024-12-17
+
+* Show a better error message when running "cargo audit" fails #98
+
+## [1.2.2] - 2024-11-06
+
+* Update `cargo-audit` to 0.21.0
+
+## [1.2.1] - 2024-07-31
+
+* Temporarily remove `--locked` from the install instructions again, since cargo-audit relies on an old version of `time` that is incompatible with Rust 1.80.
+
+## [1.2.0] - 2024-03-05
+
+* feat: add --locked to cargo install cargo-audit by @lwshang in #72
+* Add working directory input to configure where cargo audit executes by @jonasbb in #78
+
+## [1.1.14] - 2024-02-18
+
+* Update `cargo-audit` to 0.20.0
+
+## [1.1.13] - 2024-02-03
+
+* Update `cargo-audit` to 0.19.0
+
+## [1.1.12] - 2024-01-20
+
+* Fix default of `file` argument to make it work again for repositories without `Cargo.lock` checked in.
+
+## [1.1.11] - 2024-01-18
+
+* Allow specifying the path to the `Cargo.lock` file, in case it is not in the root of the repository (#55)
+* Update the example in the README, to have the correct permissions for private repositories.
+
+## [1.1.10] - 2023-11-02
+
+* Fix running the action, by using the correct version of the cache action.
+
+## [1.1.9] - 2023-11-01
+
+* Update `cargo-audit` to 0.18.3
+
+## [1.1.8] - 2023-08-23
+
+* Handle missing data in advisories better to prevent crashing (#40)
+
+## [1.1.7] - 2023-05-12
+
+* Update `cargo-audit` to 0.17.6
+
+## [1.1.6] - 2023-03-24
+
+* Update `cargo-audit` to 0.17.5
+
+## [1.1.5] - 2022-12-22
+
+* Fix duplicate issues for yanked crates.
+
+    The previous version introduced a bug where existing issues were not properly detected.
+    This only affected issues for yanked crates.
+    Now duplicate issues will no longer be created.
+
 ## [1.1.4] - 2022-12-22
 
 * Handle warnings without any associated advisory.

README.md

@@ -1,6 +1,6 @@
 # Audit Rust dependencies using the RustSec Advisory DB
 
-Audit your Rust dependencies using [cargo audit] and the [RustSec Advisory DB]. The action creates a summary with all vulnerabilieties. It can create issues for each of the found vulnerabilities.
+Audit your Rust dependencies using [cargo audit] and the [RustSec Advisory DB]. The action creates a summary with all vulnerabilities. It can create issues for each of the found vulnerabilities.
 
 Execution Summary:
 
@@ -20,21 +20,20 @@ on:
       - '**/Cargo.lock'
       # Run if the configuration file changes
       - '**/audit.toml'
-  # Rerun periodicly to pick up new advisories
+  # Rerun periodically to pick up new advisories
   schedule:
     - cron: '0 0 * * *'
   # Run manually
   workflow_dispatch:
 
-permissions: read-all
-
 jobs:
   audit:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions-rust-lang/audit@v1
         name: Audit Rust Dependencies
         with:
@@ -45,17 +44,31 @@ jobs:
 ## Inputs
 
 All inputs are optional.
-Consider adding a [`audit.toml` configuration file] to your repository for further configurations.
+Consider adding an [`audit.toml` configuration file] to your repository for further configurations.
 cargo audit supports multiple warning types, such as unsound code or yanked crates.
 Configuration is only possible via the `informational_warnings` parameter in the configuration file ([#318](https://github.com/rustsec/rustsec/issues/318)).
 Setting `denyWarnings` to true will also enable these warnings, but each warning is upgraded to an error.
 
-| Name           | Description                                                                                      | Default                                                                  |
-| -------------- | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
-| `TOKEN`        | The GitHub access token to allow us to retrieve, create and update issues (automatically set).   | `github.token`                                                           |
-| `denyWarnings` | Any warnings generated will be treated as an error and fail the action.                          | false                                                                    |
-| `ignore`       | A comma separated list of Rustsec IDs to ignore.                                                 |                                                                          |
-| `createIssues` | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
+| Name               | Description                                                                                      | Default                                                                  |
+| ------------------ | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
+| `TOKEN`            | The GitHub access token to allow us to retrieve, create and update issues (automatically set).   | `github.token`                                                           |
+| `denyWarnings`     | Any warnings generated will be treated as an error and fail the action.                          | false                                                                    |
+| `file`             | The path to the Cargo.lock file to inspect file.                                                 |                                                                          |
+| `ignore`           | A comma separated list of Rustsec IDs to ignore.                                                 |                                                                          |
+| `createIssues`     | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
+| `workingDirectory` | Run `cargo audit` from the given working directory                                               |                                                                          |
+
+## Dependencies
+
+The action works best on the GitHub-hosted runners, but can work on self-hosted ones too, provided the necessary dependencies are available.
+PRs to add support for more environments are welcome.
+
+* bash
+* Python 3.9+
+    * requests
+* Rust stable
+    * cargo
+* use node actions
 
 ## License
 

action.yml

@@ -14,6 +14,10 @@ inputs:
     description: "Any warnings generated will be treated as an error and fail the action"
     required: false
     default: "false"
+  file:
+    description: "The path to the Cargo.lock file to inspect"
+    required: false
+    default: ""
   ignore:
     description: "A comma separated list of Rustsec IDs to ignore"
     required: false
@@ -22,6 +26,10 @@ inputs:
     description: Create/Update issues for each found vulnerability.
     required: false
     default: "${{ github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' }}"
+  workingDirectory:
+    description: "Run `cargo audit` from the given working directory"
+    required: false
+    default: ""
 
 runs:
   using: composite
@@ -30,19 +38,19 @@ runs:
       run: echo "cargohome=${CARGO_HOME:-$HOME/.cargo}" >> $GITHUB_OUTPUT
       shell: bash
       id: cargo-home
-    - uses: actions/cache@v3
+    - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       id: cache
       with:
         path: |
           ${{ steps.cargo-home.outputs.cargohome }}/bin/cargo-audit*
           ${{ steps.cargo-home.outputs.cargohome }}/.crates.toml
           ${{ steps.cargo-home.outputs.cargohome }}/.crates2.json
-        key: cargo-audit-v0.17.4
+        key: cargo-audit-v0.22.0
 
     - name: Install cargo-audit
       if: steps.cache.outputs.cache-hit != 'true'
       # Update both this version number and the cache key
-      run: cargo install cargo-audit --vers 0.17.4 --no-default-features
+      run: cargo install cargo-audit --vers 0.22.0 --no-default-features
       shell: bash
 
     - run: |
@@ -52,7 +60,9 @@ runs:
       env:
         INPUT_CREATE_ISSUES: ${{ inputs.createIssues }}
         INPUT_DENY_WARNINGS: ${{ inputs.denyWarnings }}
+        INPUT_FILE: ${{ inputs.file }}
         INPUT_IGNORE: ${{ inputs.ignore }}
         INPUT_TOKEN: ${{ inputs.TOKEN }}
+        INPUT_WORKING_DIRECTORY: ${{ inputs.workingDirectory }}
         PYTHONPATH: ${{ github.action_path }}
         REPO: ${{ github.repository }}

audit.py

@@ -7,18 +7,32 @@ from typing import Any, Dict, List, Optional, Union
 
 import requests
 
-# GitHub API CLient copied and adapted from
+# GitHub API Client copied and adapted from
 # https://github.com/alstr/todo-to-issue-action/blob/25c80e9c4999d107bec208af49974d329da26370/main.py
 # Originally licensed under MIT license
 
-# Timeout in seconds for requests methods
 TIMEOUT = 30
+"""Timeout in seconds for requests methods"""
+
+NEWLINE = "\n"
+"""Definition of newline"""
 
 
 def debug(message: str) -> None:
     """Print a debug message to the GitHub Action log"""
-    newline = "\n"
-    print(f"""::debug::{message.replace(newline, " ")}""")
+    print(f"""::debug::{message.replace(NEWLINE, " ")}""")
+
+
+def error(message: str) -> None:
+    """Print an error message to the GitHub Action log"""
+    print(f"""::error::{message.replace(NEWLINE, " ")}""")
+
+
+def group(title: str, message: str) -> None:
+    """Print an expandable group message to the GitHub Action log"""
+    print(f"::group::{title}")
+    print(message)
+    print("::endgroup::")
 
 
 class Issue:
@@ -69,6 +83,13 @@ class Entry:
         self.warning_type = warning_type
 
     def id(self) -> str:
+        """
+        Return the ID of the entry.
+        """
+
+        # IMPORTANT: Coordinate this value with the `_get_existing_issues` method below.
+        # Any value returned here must also be present in the filtering there, since the id will be used in the issue title.
+
         advisory = self.entry.get("advisory", None)
         if advisory:
             return advisory["id"]
@@ -90,9 +111,11 @@ class Entry:
             table.append(
                 (
                     "Patched Versions",
-                    " OR ".join(self.entry["versions"]["patched"])
-                    if len(self.entry["versions"]["patched"]) > 0
-                    else "n/a",
+                    (
+                        " OR ".join(self.entry["versions"]["patched"])
+                        if len(self.entry["versions"]["patched"]) > 0
+                        else "n/a"
+                    ),
                 )
             )
             if len(self.entry["versions"]["unaffected"]) > 0:
@@ -126,9 +149,13 @@ class Entry:
             table_parts = []
             for row in table:
                 table_parts.append("| ")
-                table_parts.append(row[0])
+                if row[0] is not None:
+                    table_parts.append(row[0])
                 table_parts.append(" | ")
-                table_parts.append(row[1])
+                if row[1] is not None:
+                    table_parts.append(row[1])
+                else:
+                    table_parts.append("n/a")
                 table_parts.append(" |\n")
 
             return "".join(table_parts)
@@ -188,7 +215,7 @@ Switch to a different version of `{name}` to resolve this issue.
         if advisory:
             entry_table = self._entry_table()
 
-            title = f"{advisory['id']}: {advisory['title']}"
+            title = f"{self.id()}: {advisory['title']}"
             body = f"""{entry_table}
 
 {advisory['description']}"""
@@ -197,7 +224,7 @@ Switch to a different version of `{name}` to resolve this issue.
                 labels=labels,
                 assignees=assignees,
                 body=body,
-                rustsec_id=advisory["id"],
+                rustsec_id=self.id(),
             )
         else:
             # There is no advisory.
@@ -235,6 +262,10 @@ class GitHubClient:
         # Retrieve the existing repo issues now so we can easily check them later.
         self._get_existing_issues()
 
+        debug("Existing issues:")
+        for issue in self.existing_issues:
+            debug(f"* {issue['title']}")
+
     def _get_existing_issues(self, page: int = 1) -> None:
         """Populate the existing issues list."""
         params: Dict[str, Union[str, int]] = {
@@ -252,6 +283,7 @@ class GitHubClient:
                     issue
                     for issue in list_issues_request.json()
                     if issue["title"].startswith("RUSTSEC-")
+                    or issue["title"].startswith("Crate ")
                 ]
             )
             links = list_issues_request.links
@@ -261,6 +293,7 @@ class GitHubClient:
     def create_issue(self, issue: Issue) -> Optional[int]:
         """Create a dict containing the issue details and send it to GitHub."""
         title = issue.title
+        debug(f"Creating issue: {title=}")
 
         # Check if the current issue already exists - if so, skip it.
         # The below is a simple and imperfect check based on the issue title.
@@ -283,6 +316,10 @@ class GitHubClient:
                     )
                     return update_request.status_code
 
+        debug(
+            f"""No existing issue found for "{issue.rustsec_id}". Creating new issue."""
+        )
+
         new_issue_body = {"title": title, "body": issue.body, "labels": issue.labels}
 
         # We need to check if any assignees/milestone specified exist, otherwise issue creation will fail.
@@ -377,16 +414,38 @@ def run() -> None:
         extra_args.append("--deny")
         extra_args.append("warnings")
 
+    if os.environ["INPUT_FILE"] != "":
+        extra_args.append("--file")
+        extra_args.append(os.environ["INPUT_FILE"])
+
+    working_directory = None
+    if os.environ["INPUT_WORKING_DIRECTORY"] != "":
+        working_directory = os.environ["INPUT_WORKING_DIRECTORY"]
+
     audit_cmd = ["cargo", "audit", "--json"] + extra_args + ignore_args
     debug(f"Running command: {audit_cmd}")
     completed = subprocess.run(
         audit_cmd,
+        cwd=working_directory,
         capture_output=True,
         text=True,
         check=False,
     )
+    debug(f"Command return code: {completed.returncode}")
     debug(f"Command output: {completed.stdout}")
-    data = json.loads(completed.stdout)
+    debug(f"Command error: {completed.stderr}")
+    try:
+        data = json.loads(completed.stdout)
+    except json.decoder.JSONDecodeError as _:
+        error(
+            f"cargo audit did not produce any JSON output. Exit code: {completed.returncode}"
+        )
+        group(
+            "cargo audit output",
+            f"""stdout:\n{completed.stdout}\n\n\nstderr:\n{completed.stderr}""",
+        )
+
+        sys.exit(2)
 
     summary = create_summary(data)
     entries = create_entries(data)