fix: generate Cargo.lock before security audit#24
Merged
Library crates don't commit Cargo.lock, so it needs to be generated before running cargo-audit. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Transitive dependency from sigstore (time crate DoS via stack exhaustion). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| - name: Generate Cargo.lock | ||
| run: cargo generate-lockfile |
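Review bot: Nothing between the pinned `actions/checkout` step and `run: cargo generate-lockfile` installs or pins a Rust toolchain, so the new `Generate Cargo.lock` step runs whatever `cargo` the runner image happens to ship and breaks as soon as that image lags behind the crate's required toolchain; add a toolchain step (for example `dtolnay/rust-toolchain`, pinned by commit SHA the way the checkout step already is) before `Generate Cargo.lock`. Keep in mind as well that `cargo generate-lockfile` resolves the newest semver-compatible versions on every run, so the audited dependency set can change between runs with no commit to this repository; that is fine for an advisory check, but a failure here should be read as "a fresh resolution is affected", not "the last green run's lockfile is affected".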
Audit job uses unpinned Rust toolchain
Medium Severity
security-audit now runs cargo generate-lockfile without installing a Rust toolchain. This step depends on whatever cargo version is preinstalled on ubuntu-latest, so the job can fail when the runner image lags behind the crate’s required toolchain.
jdx added a commit that referenced this pull request on Apr 4, 2026
## 🤖 New release

* `sigstore-verification`: 0.2.1 -> 0.2.2 (✓ API compatible changes)

<details><summary><i><b>Changelog</b></i></summary><p>
<blockquote>

## [0.2.2](v0.2.1...v0.2.2) - 2026-04-04

### Added
- add builder pattern for customizable GitHub API URL ([#36](#36))

### Fixed
- generate Cargo.lock before security audit ([#24](#24))

### Other
- *(deps)* pin dtolnay/rust-toolchain action to 29eef33 ([#33](#33))
- *(deps)* update jdx/mise-action digest to 1648a78 ([#34](#34))
- *(deps)* update jdx/mise-action action to v4 ([#31](#31))
- *(deps)* update swatinem/rust-cache digest to e18b497 ([#30](#30))
- *(deps)* update release-plz/action digest to 1528104 ([#29](#29))
- *(deps)* update jdx/mise-action digest to 5228313 ([#28](#28))
- *(deps)* update jdx/mise-action digest to e79ddf6 ([#27](#27))
- *(deps)* pin dependencies ([#26](#26))

</blockquote>
</p></details>

---

This PR was generated with [release-plz](https://github.com/release-plz/release-plz/).

---

> [!NOTE]
> **Low Risk**
> Low risk: this PR only updates release metadata (crate version and changelog) without changing library code or behavior.
>
> **Overview**
> Prepares the `v0.2.2` release by bumping `Cargo.toml` from `0.2.1` to `0.2.2` and adding the corresponding `CHANGELOG.md` section.
>
> The changelog notes the builder pattern for a customizable GitHub API URL, a fix to generate `Cargo.lock` before security audit, and several CI/dependency pin updates.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 9b5a822. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>


Summary
- `Cargo.lock` doesn't exist — library crates don't commit it per Rust convention
- `cargo generate-lockfile` step before running `cargo-audit`

Test plan
- `security-audit` job passes in CI

🤖 Generated with Claude Code
Note
Low Risk
CI-only changes plus an additional advisory ignore; no production code paths are modified, but ignoring a security advisory can mask a real issue until dependencies are upgraded.
Overview
Ensures the `security-audit` GitHub Actions job no longer fails on crates that don’t commit `Cargo.lock` by adding a `cargo generate-lockfile` step before running `rustsec/audit-check`. Updates `.cargo/audit.toml` to ignore `RUSTSEC-2026-0009` (a transitive `time` crate DoS advisory via `sigstore`) so audits remain green until upstream dependencies are updated.

Written by Cursor Bugbot for commit afa31d4. This will update automatically on new commits.
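The review comment above flags that the audit job resolves a lockfile without pinning a Rust toolchain, and the Bugbot overview describes the two moving parts of the change (the `cargo generate-lockfile` step and the advisory ignore in `.cargo/audit.toml`). The following workflow is an added example of how those pieces fit together in a hardened job; it is not the project's own `security-audit` workflow. The `dtolnay/rust-toolchain` and `rustsec/audit-check` commit SHAs, the toolchain version and the trigger paths are placeholders; only the `actions/checkout` pin is taken from the diff on this page.

```yaml
# Added example, not the project's workflow. <PINNED_SHA> and the toolchain
# version are placeholders to be replaced with values you have verified.
name: security-audit

on:
  push:
    paths:
      - "Cargo.toml"
      - ".cargo/audit.toml"
  # Advisories are published independently of commits, so re-run on a schedule;
  # otherwise a new RUSTSEC entry only surfaces on the next unrelated push.
  schedule:
    - cron: "0 6 * * 1"

# Least privilege: the audit only needs to read the repository. Grant
# `issues: write` only if you turn on the action's issue creation.
permissions:
  contents: read

jobs:
  security-audit:
    runs-on: ubuntu-latest
    steps:
      # Pinned by commit SHA (value from this PR's diff), tag kept as a comment.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      # Install the toolchain explicitly instead of relying on whatever cargo
      # the runner image ships. Pin the action by SHA and the toolchain by
      # version so the job behaves the same regardless of image updates.
      - uses: dtolnay/rust-toolchain@<PINNED_SHA> # placeholder SHA
        with:
          toolchain: 1.85.0 # placeholder; match the crate's rust-version

      # Library crates don't commit Cargo.lock, so resolve one for the audit.
      # Note: this picks the newest semver-compatible versions on every run,
      # so the audited set is a fresh resolution, not any consumer's lockfile.
      - name: Generate Cargo.lock
        run: cargo generate-lockfile

      # cargo-audit honours .cargo/audit.toml, where the advisory ignore list
      # lives under [advisories] ignore = [...]; keep that list short and
      # revisit it when the upstream dependency is upgraded.
      - uses: rustsec/audit-check@<PINNED_SHA> # placeholder SHA
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

The ordering matters: toolchain first, then lockfile, then audit. Because the lockfile is regenerated per run, two runs can audit different dependency sets; treat a red scheduled run as a signal that a fresh resolution of the crate pulls in an affected version, and treat each `ignore` entry as a dated exception rather than a permanent setting.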