Add dependabot cooldown

This limits how quickly new dependencies are considered for updates.

.github/dependabot.yml

@@ -8,4 +8,6 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "monthly"
+      interval: "weekly"
+    cooldown:
+      default-days: 7

.github/workflows/autotag-releases.yml

@@ -15,7 +15,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Get version from tag
         id: tag_name
         run: |

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
-  - repo: https://github.com/psf/black
-    rev: 24.4.2
+  - repo: https://github.com/psf/black-pre-commit-mirror
+    rev: 25.12.0
     hooks:
       - id: black
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v6.0.0
     hooks:
       - id: check-ast
       - id: check-case-conflict
@@ -14,24 +14,24 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
   - repo: https://github.com/PyCQA/isort
-    rev: 5.13.2
+    rev: 7.0.0
     # https://github.com/psf/black/blob/main/docs/guides/using_black_with_other_tools.md
     hooks:
       - id: isort
         args: ["--profile=black"]
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.2
+    rev: v3.21.2
     hooks:
       - id: pyupgrade
         args: ["--py37-plus"]
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.10.0
+    rev: v1.19.1
     hooks:
       - id: mypy
         additional_dependencies:
           - types-requests
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.2
+    rev: 0.36.0
     hooks:
       - id: check-dependabot
       - id: check-github-actions

CHANGELOG.md

@@ -7,6 +7,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.2.6] - 2025-11-22
+
+* Update `cargo-audit` to 0.22.0
+
+## [1.2.5] - 2025-10-09
+
+* Pin the version of `actions/cache` to commit hash by @Gronner in #122
+
+## [1.2.4] - 2025-03-03
+
+* Update `cargo-audit` to 0.21.2
+
+## [1.2.3] - 2024-12-17
+
+* Show a better error message when running "cargo audit" fails #98
+
+## [1.2.2] - 2024-11-06
+
+* Update `cargo-audit` to 0.21.0
+
+## [1.2.1] - 2024-07-31
+
+* Temporarily remove `--locked` from the install instructions again, since cargo-audit relies on an old version of `time` that is incompatible with Rust 1.80.
+
+## [1.2.0] - 2024-03-05
+
+* feat: add --locked to cargo install cargo-audit by @lwshang in #72
+* Add working directory input to configure where cargo audit executes by @jonasbb in #78
+
 ## [1.1.14] - 2024-02-18
 
 * Update `cargo-audit` to 0.20.0
@@ -22,7 +51,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.1.11] - 2024-01-18
 
 * Allow specifying the path to the `Cargo.lock` file, in case it is not in the root of the repository (#55)
-* Update the example in the readme, to have the correct permissions for private repositories.
+* Update the example in the README, to have the correct permissions for private repositories.
 
 ## [1.1.10] - 2023-11-02
 

README.md

@@ -20,7 +20,7 @@ on:
       - '**/Cargo.lock'
       # Run if the configuration file changes
       - '**/audit.toml'
-  # Rerun periodicly to pick up new advisories
+  # Rerun periodically to pick up new advisories
   schedule:
     - cron: '0 0 * * *'
   # Run manually
@@ -58,6 +58,18 @@ Setting `denyWarnings` to true will also enable these warnings, but each warning
 | `createIssues`     | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
 | `workingDirectory` | Run `cargo audit` from the given working directory                                               |                                                                          |
 
+## Dependencies
+
+The action works best on the GitHub-hosted runners, but can work on self-hosted ones too, provided the necessary dependencies are available.
+PRs to add support for more environments are welcome.
+
+* bash
+* Python 3.9+
+    * requests
+* Rust stable
+    * cargo
+* use node actions
+
 ## License
 
 The scripts and documentation in this project are released under the [MIT License].

action.yml

@@ -38,19 +38,19 @@ runs:
       run: echo "cargohome=${CARGO_HOME:-$HOME/.cargo}" >> $GITHUB_OUTPUT
       shell: bash
       id: cargo-home
-    - uses: actions/cache@v4
+    - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       id: cache
       with:
         path: |
           ${{ steps.cargo-home.outputs.cargohome }}/bin/cargo-audit*
           ${{ steps.cargo-home.outputs.cargohome }}/.crates.toml
           ${{ steps.cargo-home.outputs.cargohome }}/.crates2.json
-        key: cargo-audit-v0.20.0
+        key: cargo-audit-v0.22.0
 
     - name: Install cargo-audit
       if: steps.cache.outputs.cache-hit != 'true'
       # Update both this version number and the cache key
-      run: cargo install cargo-audit --vers 0.20.0 --no-default-features --locked
+      run: cargo install cargo-audit --vers 0.22.0 --no-default-features
       shell: bash
 
     - run: |

audit.py

@@ -7,18 +7,32 @@ from typing import Any, Dict, List, Optional, Union
 
 import requests
 
-# GitHub API CLient copied and adapted from
+# GitHub API Client copied and adapted from
 # https://github.com/alstr/todo-to-issue-action/blob/25c80e9c4999d107bec208af49974d329da26370/main.py
 # Originally licensed under MIT license
 
-# Timeout in seconds for requests methods
 TIMEOUT = 30
+"""Timeout in seconds for requests methods"""
+
+NEWLINE = "\n"
+"""Definition of newline"""
 
 
 def debug(message: str) -> None:
     """Print a debug message to the GitHub Action log"""
-    newline = "\n"
-    print(f"""::debug::{message.replace(newline, " ")}""")
+    print(f"""::debug::{message.replace(NEWLINE, " ")}""")
+
+
+def error(message: str) -> None:
+    """Print an error message to the GitHub Action log"""
+    print(f"""::error::{message.replace(NEWLINE, " ")}""")
+
+
+def group(title: str, message: str) -> None:
+    """Print an expandable group message to the GitHub Action log"""
+    print(f"::group::{title}")
+    print(message)
+    print("::endgroup::")
 
 
 class Issue:
@@ -420,7 +434,18 @@ def run() -> None:
     debug(f"Command return code: {completed.returncode}")
     debug(f"Command output: {completed.stdout}")
     debug(f"Command error: {completed.stderr}")
-    data = json.loads(completed.stdout)
+    try:
+        data = json.loads(completed.stdout)
+    except json.decoder.JSONDecodeError as _:
+        error(
+            f"cargo audit did not produce any JSON output. Exit code: {completed.returncode}"
+        )
+        group(
+            "cargo audit output",
+            f"""stdout:\n{completed.stdout}\n\n\nstderr:\n{completed.stderr}""",
+        )
+
+        sys.exit(2)
 
     summary = create_summary(data)
     entries = create_entries(data)