Update cargo-audit to 0.20.0

[pre-commit.ci] pre-commit autoupdate

.github/workflows/autotag-releases.yml

@@ -15,7 +15,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Get version from tag
         id: tag_name
         run: |

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 23.7.0
+    rev: 24.1.1
     hooks:
       - id: black
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-ast
       - id: check-case-conflict
@@ -14,24 +14,24 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
   - repo: https://github.com/PyCQA/isort
-    rev: 5.12.0
+    rev: 5.13.2
     # https://github.com/psf/black/blob/main/docs/guides/using_black_with_other_tools.md
     hooks:
       - id: isort
         args: ["--profile=black"]
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.10.1
+    rev: v3.15.0
     hooks:
       - id: pyupgrade
         args: ["--py37-plus"]
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.5.1
+    rev: v1.8.0
     hooks:
       - id: mypy
         additional_dependencies:
           - types-requests
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.24.1
+    rev: 0.28.0
     hooks:
       - id: check-dependabot
       - id: check-github-actions

CHANGELOG.md

@@ -7,6 +7,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.14] - 2024-02-18
+
+* Update `cargo-audit` to 0.20.0
+
+## [1.1.13] - 2024-02-03
+
+* Update `cargo-audit` to 0.19.0
+
+## [1.1.12] - 2024-01-20
+
+* Fix default of `file` argument to make it work again for repositories without `Cargo.lock` checked in.
+
+## [1.1.11] - 2024-01-18
+
+* Allow specifying the path to the `Cargo.lock` file, in case it is not in the root of the repository (#55)
+* Update the example in the readme, to have the correct permissions for private repositories.
+
+## [1.1.10] - 2023-11-02
+
+* Fix running the action, by using the correct version of the cache action.
+
+## [1.1.9] - 2023-11-01
+
+* Update `cargo-audit` to 0.18.3
+
 ## [1.1.8] - 2023-08-23
 
 * Handle missing data in advisories better to prevent crashing (#40)

README.md

@@ -26,15 +26,14 @@ on:
   # Run manually
   workflow_dispatch:
 
-permissions: read-all
-
 jobs:
   audit:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions-rust-lang/audit@v1
         name: Audit Rust Dependencies
         with:
@@ -54,6 +53,7 @@ Setting `denyWarnings` to true will also enable these warnings, but each warning
 | -------------- | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
 | `TOKEN`        | The GitHub access token to allow us to retrieve, create and update issues (automatically set).   | `github.token`                                                           |
 | `denyWarnings` | Any warnings generated will be treated as an error and fail the action.                          | false                                                                    |
+| `file`         | The path to the Cargo.lock file.                                                                 |                                                                          |
 | `ignore`       | A comma separated list of Rustsec IDs to ignore.                                                 |                                                                          |
 | `createIssues` | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
 

action.yml

@@ -14,6 +14,10 @@ inputs:
     description: "Any warnings generated will be treated as an error and fail the action"
     required: false
     default: "false"
+  file:
+    description: "Cargo lockfile to inspect"
+    required: false
+    default: ""
   ignore:
     description: "A comma separated list of Rustsec IDs to ignore"
     required: false
@@ -30,19 +34,19 @@ runs:
       run: echo "cargohome=${CARGO_HOME:-$HOME/.cargo}" >> $GITHUB_OUTPUT
       shell: bash
       id: cargo-home
-    - uses: actions/cache@v3
+    - uses: actions/cache@v4
       id: cache
       with:
         path: |
           ${{ steps.cargo-home.outputs.cargohome }}/bin/cargo-audit*
           ${{ steps.cargo-home.outputs.cargohome }}/.crates.toml
           ${{ steps.cargo-home.outputs.cargohome }}/.crates2.json
-        key: cargo-audit-v0.17.6
+        key: cargo-audit-v0.20.0
 
     - name: Install cargo-audit
       if: steps.cache.outputs.cache-hit != 'true'
       # Update both this version number and the cache key
-      run: cargo install cargo-audit --vers 0.17.6 --no-default-features
+      run: cargo install cargo-audit --vers 0.20.0 --no-default-features
       shell: bash
 
     - run: |
@@ -52,6 +56,7 @@ runs:
       env:
         INPUT_CREATE_ISSUES: ${{ inputs.createIssues }}
         INPUT_DENY_WARNINGS: ${{ inputs.denyWarnings }}
+        INPUT_FILE: ${{ inputs.file }}
         INPUT_IGNORE: ${{ inputs.ignore }}
         INPUT_TOKEN: ${{ inputs.TOKEN }}
         PYTHONPATH: ${{ github.action_path }}

audit.py

@@ -97,9 +97,11 @@ class Entry:
             table.append(
                 (
                     "Patched Versions",
-                    " OR ".join(self.entry["versions"]["patched"])
-                    if len(self.entry["versions"]["patched"]) > 0
-                    else "n/a",
+                    (
+                        " OR ".join(self.entry["versions"]["patched"])
+                        if len(self.entry["versions"]["patched"]) > 0
+                        else "n/a"
+                    ),
                 )
             )
             if len(self.entry["versions"]["unaffected"]) > 0:
@@ -398,6 +400,10 @@ def run() -> None:
         extra_args.append("--deny")
         extra_args.append("warnings")
 
+    if os.environ["INPUT_FILE"] != "":
+        extra_args.append("--file")
+        extra_args.append(os.environ["INPUT_FILE"])
+
     audit_cmd = ["cargo", "audit", "--json"] + extra_args + ignore_args
     debug(f"Running command: {audit_cmd}")
     completed = subprocess.run(
@@ -406,7 +412,9 @@ def run() -> None:
         text=True,
         check=False,
     )
+    debug(f"Command return code: {completed.returncode}")
     debug(f"Command output: {completed.stdout}")
+    debug(f"Command error: {completed.stderr}")
     data = json.loads(completed.stdout)
 
     summary = create_summary(data)