
[codex] Run cargo audit without GitHub token #42

Merged: cleak merged 1 commit into master from codex/ci-audit-no-token on May 2, 2026

Conversation

@cleak (Owner) commented May 2, 2026

Summary

  • Replace the token-dependent rustsec/audit-check@v2 action with a direct pinned cargo-audit CLI invocation.
  • Set workflow permissions to read-only repository contents.
  • Disable persisted checkout credentials across CI jobs because none of the jobs push back to the repository.

Why

The merged CI workflow turned red on the master push after the dependency audit action tried to create a GitHub Checks API report and failed with Resource not accessible by integration. The audit itself does not need a GitHub token; only the action's report-publishing path did.

Validation

  • cargo audit --file Cargo.lock
  • cargo fmt --check
  • cargo clippy --workspace --all-targets -- -D warnings
  • cargo test --workspace --locked
  • git diff --check

Summary by CodeRabbit

  • Chores
    • Tightened CI permissions and disabled credential persistence during automated runs.
    • Pinned the Rust toolchain to a fixed revision for build consistency.
    • Reworked dependency auditing to use a pinned cargo-audit tool and scan the lockfile for vulnerabilities, improving reliability of security checks.
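As an added illustration, not the repository's actual .github/workflows/ci.yml (which this PR page does not reproduce), the fragment below shows the hardened shape the description and the review walkthrough outline: a read-only `contents` permission, checkout with `persist-credentials: false`, the toolchain action pinned to the commit SHA named in the walkthrough rather than the mutable `@stable` tag, and cargo-audit installed at the fixed version and run directly against Cargo.lock so the job needs no GitHub token. The workflow name, the trigger block, the `audit` job name, the runner label and the `cargo install` flags are assumptions; only the single audit job is shown, and the commented-out step is the replaced rustsec/audit-check@v2 form kept as a contrast.

```yaml
# Added example: a minimal hardened CI workflow in the shape this PR describes.
# It is not the repository's own ci.yml; workflow name, trigger, job name and
# runner label are assumed.
name: CI

on:
  push:
    branches: [master]
  pull_request:

# Read-only token for every job: nothing in this workflow pushes commits or
# publishes Checks API reports, so the default write-capable GITHUB_TOKEN
# scopes are not needed.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest   # assumed runner label
    steps:
      - uses: actions/checkout@v5
        with:
          # Do not leave the job token in .git/config; no step pushes back.
          persist-credentials: false

      # Toolchain action pinned to the full commit SHA given in the PR
      # walkthrough instead of the mutable @stable tag. When the action is
      # referenced by SHA the toolchain has to be named via the input.
      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8
        with:
          toolchain: stable

      # Replaced: this action tries to create a GitHub Checks API report and
      # fails with "Resource not accessible by integration" under a read-only
      # token, even though the audit itself never needed one.
      # - uses: rustsec/audit-check@v2
      #   with:
      #     token: ${{ secrets.GITHUB_TOKEN }}

      # Direct CLI invocation at a fixed cargo-audit version. --locked keeps
      # the tool's own dependency graph at the versions in its published
      # lockfile, so the auditor itself is built reproducibly.
      - run: cargo install cargo-audit --version 0.22.1 --locked
      - run: cargo audit --file Cargo.lock
```

The failure described in the PR is visible from the contrast: the only part of the old path that required a token was report publishing, and under `permissions: contents: read` that call is exactly what the runner refuses. Running the CLI directly keeps the advisory scan while removing the write-scoped dependency.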

@coderabbitai (Bot) commented May 2, 2026

No actionable comments were generated in the recent review. 🎉

Recent review info

Run configuration: Organization UI; review profile: ASSERTIVE; plan: Pro; run ID: 5c0a894a-ee5a-45e6-9063-e6140068f49d

Commits: reviewing files that changed from the base of the PR and between b93c5e8 and 6dc744e.

Files selected for processing (1):
  • .github/workflows/ci.yml

Walkthrough

Adds top-level permissions: contents: read, sets persist-credentials: false on all actions/checkout@v5 steps, pins the Rust toolchain to a specific commit, and replaces rustsec/audit-check@v2 with installing and running cargo-audit v0.22.1 against Cargo.lock.

Changes

CI Security Hardening

| Layer / File(s) | Summary |
|---|---|
| Permissions Declaration (.github/workflows/ci.yml) | Adds top-level permissions: contents: read. |
| Checkout Credential Hardening (.github/workflows/ci.yml) | All actions/checkout@v5 steps in test, audit, and secrets set persist-credentials: false. |
| Toolchain Pinning (.github/workflows/ci.yml) | Replaces dtolnay/rust-toolchain@stable with a pinned commit 29eef336d9b2848a0b548edc03f92a220660cdb8. |
| Audit Mechanism Migration (.github/workflows/ci.yml) | Removes rustsec/audit-check@v2; installs cargo-audit v0.22.1 and runs cargo audit --file Cargo.lock. |

Estimated code review effort: 2 (Simple), ~10 minutes

Poem

🐰 Hopping through YAML with careful delight,
I set perms to read and shut creds out of sight.
Pinned toolchains snug, audit runs on lock,
A tidy CI path — now let's take stock! 🥕

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | Passed | The title clearly and specifically summarizes the main change: replacing a token-dependent GitHub Action with a direct cargo audit CLI invocation. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai (Bot) left a comment

Actionable comments posted: 1

Prompt for all review comments with AI agents: Verify each finding against the current code and only fix it if needed.

Inline comments:

In @.github/workflows/ci.yml:
  • Line 40: Replace the mutable action reference "dtolnay/rust-toolchain@stable" with an immutable pinned commit by updating the workflow to use the action at its full commit SHA (e.g., "dtolnay/rust-toolchain@<full-commit-sha>"); locate the uses line referencing dtolnay/rust-toolchain and substitute the `@stable` ref with the exact commit SHA obtained from the action repository to ensure the action is pinned.

Review info

Run configuration: Organization UI; review profile: ASSERTIVE; plan: Pro; run ID: b65acc1e-4057-4224-8bdc-009ba2f44fa6

Commits: reviewing files that changed from the base of the PR and between 6dd93b5 and b93c5e8.

Files selected for processing (1):
  • .github/workflows/ci.yml

Comment thread on .github/workflows/ci.yml marked Outdated

  • cleak force-pushed the codex/ci-audit-no-token branch from b93c5e8 to 6dc744e on May 2, 2026 04:07
  • cleak merged commit f1ae86c into master on May 2, 2026 (5 checks passed)
  • cleak deleted the codex/ci-audit-no-token branch on May 2, 2026 05:09