ci: pin cargo-audit on the blocking gate, float the weekly canary#151
ci: pin cargo-audit on the blocking gate, float the weekly canary#151beardthelion wants to merge 1 commit into
Conversation
The PR-blocking audit job ran `cargo install --locked cargo-audit` with no version, so the scanner floated to the latest release on every run; a regressed release could red the PR gate repo-wide with no code change. Pin it to 0.22.2, the version the unpinned install currently resolves to and the one the audit-gate learnings were validated against. `cargo install --version X` is an exact pin (not a caret), so this freezes the binary while the advisory DB is still fetched fresh at scan time, which is what the gate actually keys on. Keep a forcing function so the pin cannot silently rot: leave the weekly Scheduled Audit deliberately unpinned as a drift canary. That job is cron-only (never pull_request/push-triggered), so it never gates a merge; floating there surfaces a regressed latest as a red weekly run or a changed report, which is the drift signal, without ever blocking a PR. Also assert the installed version after the pinned install so an accidental future unpin fails loud instead of silently running a different scanner, include the version in the rust-cache key so cache hits stay deterministic, and document the yank/bump path in the step comment.
📝 WalkthroughWalkthroughTwo GitHub Actions workflow files are updated: the PR-checks audit job now pins cargo-audit to version 0.22.2 with a matching cache key and runtime version verification, while the scheduled audit workflow's cargo-audit install step is renamed and documented as an intentionally unpinned drift canary. ChangesCI cargo-audit workflow changes
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/pr-checks.yml (1)
136-159: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsider centralizing the pinned version.
0.22.2is hardcoded independently in the cache key (Line 136), the install command (Line 150), and the verification grep (Line 156). Bumping the pin later requires updating all three consistently, and any mismatch (e.g. updating the install but not the grep) would cause a false failure or, worse, a silent false pass if the grep were dropped.♻️ Suggested refactor using a step-scoped env var
+ - name: Install cargo-audit (pinned) + env: + CARGO_AUDIT_VERSION: 0.22.2 # ... run: | set -euo pipefail - cargo install --locked --version 0.22.2 cargo-audit + cargo install --locked --version "$CARGO_AUDIT_VERSION" cargo-audit installed="$(cargo audit --version)" echo "cargo-audit installed: $installed" - echo "$installed" | grep -qE '(^| )0\.22\.2($| )' || { - echo "::error::cargo-audit is not the pinned 0.22.2 (got: $installed)" + echo "$installed" | grep -qE "(^| )${CARGO_AUDIT_VERSION//./\\.}($| )" || { + echo "::error::cargo-audit is not the pinned ${CARGO_AUDIT_VERSION} (got: $installed)" exit 1 }The cache
key:on Line 136 would still need the literal version sincekey:doesn't expand shell env vars from a later step, but reducing it to two synchronized spots (workflow-level env + cache key) is still an improvement.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-checks.yml around lines 136 - 159, The pinned cargo-audit version is duplicated across the cache key, install command, and version check, which makes future bumps easy to desynchronize. Centralize the version used by the Install cargo-audit (pinned) step by introducing a single step-scoped or workflow-scoped version value and reference it from cargo install and the verification logic, while keeping the cache key aligned to the same pin. Use the existing Install cargo-audit (pinned) step and the cargo audit --version check as the main touchpoints.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/pr-checks.yml:
- Around line 136-159: The pinned cargo-audit version is duplicated across the
cache key, install command, and version check, which makes future bumps easy to
desynchronize. Centralize the version used by the Install cargo-audit (pinned)
step by introducing a single step-scoped or workflow-scoped version value and
reference it from cargo install and the verification logic, while keeping the
cache key aligned to the same pin. Use the existing Install cargo-audit (pinned)
step and the cargo audit --version check as the main touchpoints.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 00f2d29f-bc04-49b7-864f-d7d95aba15c1
📒 Files selected for processing (2)
.github/workflows/audit-schedule.yml.github/workflows/pr-checks.yml
jatmn
left a comment
There was a problem hiding this comment.
Thanks for the contribution. I do not see any actionable issues from my review.
@kevincodex1 LGTM
The PR-blocking
auditjob installs cargo-audit with an unpinnedcargo install --locked cargo-audit, so the scanner floats to the latest release on every run. A regressed release then reds the gate repo-wide with no code change, the same spontaneous-breakage class the quinn-proto advisory exposed but on the scanner itself. #57 added the unpinned install; nothing has pinned it since.pr-checks.yml (the gate): pinned to
--version 0.22.2(what the unpinned install currently resolves to).cargo install --version Xis an exact pin, not a caret, so it freezes the binary; the RustSec advisory DB is still fetched fresh at scan time, so this does not weaken what the gate catches. The step also asserts the resolved version after install, so an accidental future unpin fails loud instead of silently running a different scanner, and the cargo-audit version is now part of the rust-cache key so hits stay deterministic.audit-schedule.yml (weekly canary): left deliberately unpinned. It is cron-only and never gates a merge, so floating it cannot block a PR; if a newer cargo-audit regresses, the weekly run reds or its report changes, which is the drift signal that latest has moved and the gate's pin should not be bumped yet.
If 0.22.2 is ever yanked the gate's install fails loud until bumped; that bump path is documented in the step comment.
Summary by CodeRabbit
cargo-auditversion for PR validation, with an added runtime version check to prevent unexpected tool changes.