# ABOUTME: Runs cargo audit (RustSec CVE scan) against the locked dependency tree.
# ABOUTME: Supply-chain gate — fails on a known advisory.

name: Audit

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:
    branches: [main]

jobs:
  cargo-audit:
    runs-on: moonarch
    steps:
      - name: Checkout
        run: git clone http://gitea:3000/nevaforget/moonlock.git src
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked
      - name: Audit
        run: cd src && cargo audit