From 618cf496b66cd69a49b1749efa227a7d4bf9c289 Mon Sep 17 00:00:00 2001 From: slit Date: Wed, 7 Jan 2026 12:54:12 -0800 Subject: [PATCH] Add cargo-audit security scanning as release gate Integrates cargo-audit into the CI workflow as a required check that must pass before releases can proceed. Also updates the standalone audit.yml to use modern cargo-audit tooling instead of the deprecated actions-rs/audit-check action. - Add security-audit job to ci.yml - Make release job depend on security-audit passing - Update audit.yml to use cargo-audit directly with actions/checkout@v4 --- .github/workflows/audit.yml | 13 ++++++++----- .github/workflows/ci.yml | 14 ++++++++++++++ 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 74460f7..6a3cf90 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -2,7 +2,7 @@ name: Security audit on: schedule: - - cron: 0 0 * * 1 + - cron: '0 0 * * 1' push: paths: - '**/Cargo.toml' @@ -13,7 +13,10 @@ jobs: audit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions-rs/audit-check@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v4 + + - name: Install cargo-audit + run: cargo install cargo-audit + + - name: Run security audit + run: cargo audit diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 213d4cc..0f11eab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
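Review bot: The new `Install cargo-audit` step builds the tool from crates.io source at whatever version is current when the job runs, so the tool that gates releases is itself an unpinned, mutable supply-chain input (and a several-minute compile on every trigger); pin it with `--locked` plus an explicit `--version` — `run: cargo install cargo-audit --locked --version` followed by the release you reviewed — and bump it deliberately. A bare `cargo audit` exits non-zero only for advisories classified as vulnerabilities, so unmaintained, unsound or yanked crates are printed as warnings and the job still passes; add `--deny warnings` (or selectively `--deny unmaintained --deny yanked`) if those should fail the audit. The `token:` input consumed by the removed `actions-rs/audit-check` step is gone and nothing in the new steps needs write access, so a `permissions: contents: read` block (at job or workflow level, if one is not already set above this hunk) would keep the job at least privilege. `actions/checkout@v4` is a mutable tag; pinning to a commit SHA with the tag in a trailing comment is the usual hardening for a workflow in the release path.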
@@ -53,12 +53,26 @@ jobs: - name: Run cargo clippy run: cargo clippy --all-targets --all-features + security-audit: + name: Security Audit + runs-on: ubuntu-latest + steps: + - name: Checkout sources + uses: actions/checkout@v4 + + - name: Install cargo-audit + run: cargo install cargo-audit + + - name: Run security audit + run: cargo audit + release: runs-on: macos-latest needs: - test - lints - check + - security-audit outputs: new_version: ${{ steps.check_for_version_changes.outputs.new_version }} changed: ${{ steps.check_for_version_changes.outputs.changed }}
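Review bot: With `run: cargo audit` as written, the release gate only blocks on advisories that cargo-audit classifies as vulnerabilities; unmaintained, unsound and yanked crates are reported as warnings and the step still exits 0, so `needs: security-audit` would not stop a release over them — if that is not the intent, use `run: cargo audit --deny warnings` (or `--deny unmaintained --deny yanked` to be selective). The `Install cargo-audit` step compiles the tool from source at the latest published version on every CI run, which slows the pipeline and makes the gate's own tooling an unpinned supply-chain input; `cargo install cargo-audit --locked --version` pinned to a reviewed release addresses both, and caching the resulting binary (e.g. `~/.cargo/bin/cargo-audit` via `actions/cache`) would avoid the rebuild. This job duplicates the `audit` job in audit.yml almost line for line, so consider having one invoke the other through `workflow_call`, or at minimum keep the flags identical so the scheduled run and the release gate cannot drift. The `release` job continues past the end of this hunk, so only its `needs:` list has been checked here.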