Merge pull request #78 from actions-rust-lang/working-directory

updates:
- [github.com/psf/black: 24.4.0 → 24.4.2](https://github.com/psf/black/compare/24.4.0...24.4.2)
- [github.com/pre-commit/mirrors-mypy: v1.9.0 → v1.10.0](https://github.com/pre-commit/mirrors-mypy/compare/v1.9.0...v1.10.0)

.github/workflows/autotag-releases.yml

@@ -15,7 +15,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Get version from tag
         id: tag_name
         run: |

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 23.7.0
+    rev: 24.4.2
     hooks:
       - id: black
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.6.0
     hooks:
       - id: check-ast
       - id: check-case-conflict
@@ -14,24 +14,24 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
   - repo: https://github.com/PyCQA/isort
-    rev: 5.12.0
+    rev: 5.13.2
     # https://github.com/psf/black/blob/main/docs/guides/using_black_with_other_tools.md
     hooks:
       - id: isort
         args: ["--profile=black"]
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.10.1
+    rev: v3.15.2
     hooks:
       - id: pyupgrade
         args: ["--py37-plus"]
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.5.1
+    rev: v1.10.0
     hooks:
       - id: mypy
         additional_dependencies:
           - types-requests
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.24.1
+    rev: 0.28.2
     hooks:
       - id: check-dependabot
       - id: check-github-actions

CHANGELOG.md

@@ -7,6 +7,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.14] - 2024-02-18
+
+* Update `cargo-audit` to 0.20.0
+
+## [1.1.13] - 2024-02-03
+
+* Update `cargo-audit` to 0.19.0
+
+## [1.1.12] - 2024-01-20
+
+* Fix default of `file` argument to make it work again for repositories without `Cargo.lock` checked in.
+
+## [1.1.11] - 2024-01-18
+
+* Allow specifying the path to the `Cargo.lock` file, in case it is not in the root of the repository (#55)
+* Update the example in the readme, to have the correct permissions for private repositories.
+
+## [1.1.10] - 2023-11-02
+
+* Fix running the action, by using the correct version of the cache action.
+
+## [1.1.9] - 2023-11-01
+
+* Update `cargo-audit` to 0.18.3
+
 ## [1.1.8] - 2023-08-23
 
 * Handle missing data in advisories better to prevent crashing (#40)

README.md

@@ -1,6 +1,6 @@
 # Audit Rust dependencies using the RustSec Advisory DB
 
-Audit your Rust dependencies using [cargo audit] and the [RustSec Advisory DB]. The action creates a summary with all vulnerabilieties. It can create issues for each of the found vulnerabilities.
+Audit your Rust dependencies using [cargo audit] and the [RustSec Advisory DB]. The action creates a summary with all vulnerabilities. It can create issues for each of the found vulnerabilities.
 
 Execution Summary:
 
@@ -26,15 +26,14 @@ on:
   # Run manually
   workflow_dispatch:
 
-permissions: read-all
-
 jobs:
   audit:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions-rust-lang/audit@v1
         name: Audit Rust Dependencies
         with:
@@ -45,17 +44,19 @@ jobs:
 ## Inputs
 
 All inputs are optional.
-Consider adding a [`audit.toml` configuration file] to your repository for further configurations.
+Consider adding an [`audit.toml` configuration file] to your repository for further configurations.
 cargo audit supports multiple warning types, such as unsound code or yanked crates.
 Configuration is only possible via the `informational_warnings` parameter in the configuration file ([#318](https://github.com/rustsec/rustsec/issues/318)).
 Setting `denyWarnings` to true will also enable these warnings, but each warning is upgraded to an error.
 
-| Name           | Description                                                                                      | Default                                                                  |
-| -------------- | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
-| `TOKEN`        | The GitHub access token to allow us to retrieve, create and update issues (automatically set).   | `github.token`                                                           |
-| `denyWarnings` | Any warnings generated will be treated as an error and fail the action.                          | false                                                                    |
-| `ignore`       | A comma separated list of Rustsec IDs to ignore.                                                 |                                                                          |
-| `createIssues` | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
+| Name               | Description                                                                                      | Default                                                                  |
+| ------------------ | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
+| `TOKEN`            | The GitHub access token to allow us to retrieve, create and update issues (automatically set).   | `github.token`                                                           |
+| `denyWarnings`     | Any warnings generated will be treated as an error and fail the action.                          | false                                                                    |
+| `file`             | The path to the Cargo.lock file to inspect file.                                                 |                                                                          |
+| `ignore`           | A comma separated list of Rustsec IDs to ignore.                                                 |                                                                          |
+| `createIssues`     | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
+| `workingDirectory` | Run `cargo audit` from the given working directory                                               |                                                                          |
 
 ## License
 

action.yml

@@ -14,6 +14,10 @@ inputs:
     description: "Any warnings generated will be treated as an error and fail the action"
     required: false
     default: "false"
+  file:
+    description: "The path to the Cargo.lock file to inspect"
+    required: false
+    default: ""
   ignore:
     description: "A comma separated list of Rustsec IDs to ignore"
     required: false
@@ -22,6 +26,10 @@ inputs:
     description: Create/Update issues for each found vulnerability.
     required: false
     default: "${{ github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' }}"
+  workingDirectory:
+    description: "Run `cargo audit` from the given working directory"
+    required: false
+    default: ""
 
 runs:
   using: composite
@@ -30,19 +38,19 @@ runs:
       run: echo "cargohome=${CARGO_HOME:-$HOME/.cargo}" >> $GITHUB_OUTPUT
       shell: bash
       id: cargo-home
-    - uses: actions/cache@v3
+    - uses: actions/cache@v4
       id: cache
       with:
         path: |
           ${{ steps.cargo-home.outputs.cargohome }}/bin/cargo-audit*
           ${{ steps.cargo-home.outputs.cargohome }}/.crates.toml
           ${{ steps.cargo-home.outputs.cargohome }}/.crates2.json
-        key: cargo-audit-v0.17.6
+        key: cargo-audit-v0.20.0
 
     - name: Install cargo-audit
       if: steps.cache.outputs.cache-hit != 'true'
       # Update both this version number and the cache key
-      run: cargo install cargo-audit --vers 0.17.6 --no-default-features
+      run: cargo install cargo-audit --vers 0.20.0 --no-default-features --locked
       shell: bash
 
     - run: |
@@ -52,7 +60,9 @@ runs:
       env:
         INPUT_CREATE_ISSUES: ${{ inputs.createIssues }}
         INPUT_DENY_WARNINGS: ${{ inputs.denyWarnings }}
+        INPUT_FILE: ${{ inputs.file }}
         INPUT_IGNORE: ${{ inputs.ignore }}
         INPUT_TOKEN: ${{ inputs.TOKEN }}
+        INPUT_WORKING_DIRECTORY: ${{ inputs.workingDirectory }}
         PYTHONPATH: ${{ github.action_path }}
         REPO: ${{ github.repository }}

audit.py

@@ -97,9 +97,11 @@ class Entry:
             table.append(
                 (
                     "Patched Versions",
-                    " OR ".join(self.entry["versions"]["patched"])
-                    if len(self.entry["versions"]["patched"]) > 0
-                    else "n/a",
+                    (
+                        " OR ".join(self.entry["versions"]["patched"])
+                        if len(self.entry["versions"]["patched"]) > 0
+                        else "n/a"
+                    ),
                 )
             )
             if len(self.entry["versions"]["unaffected"]) > 0:
@@ -398,15 +400,26 @@ def run() -> None:
         extra_args.append("--deny")
         extra_args.append("warnings")
 
+    if os.environ["INPUT_FILE"] != "":
+        extra_args.append("--file")
+        extra_args.append(os.environ["INPUT_FILE"])
+
+    working_directory = None
+    if os.environ["INPUT_WORKING_DIRECTORY"] != "":
+        working_directory = os.environ["INPUT_WORKING_DIRECTORY"]
+
     audit_cmd = ["cargo", "audit", "--json"] + extra_args + ignore_args
     debug(f"Running command: {audit_cmd}")
     completed = subprocess.run(
         audit_cmd,
+        cwd=working_directory,
         capture_output=True,
         text=True,
         check=False,
     )
+    debug(f"Command return code: {completed.returncode}")
     debug(f"Command output: {completed.stdout}")
+    debug(f"Command error: {completed.stderr}")
     data = json.loads(completed.stdout)
 
     summary = create_summary(data)