Problem
The Security audit workflow (.github/workflows/audit.yml) fails on every run, including the daily scheduled run on main. The last three scheduled runs (SHA 21ac3d4) all failed.
Root cause
rustsec/audit-check@v2 runs:
cargo audit --json --file ./Cargo.lock
but Cargo.lock is listed in .gitignore, so it is never committed and is absent in CI:
error: not found: Couldn't load ./Cargo.lock
Caused by:
-> I/O operation failed: entity not found
##[error]Unexpected end of JSON input
This is not a real advisory — the audit never runs. It silently masks any future RUSTSEC advisory.
Impact
Fix
Commit Cargo.lock and remove it from .gitignore. shadow-rs ships binaries (the setuid-root tools), and the Rust convention is to commit the lockfile for binary/end-product crates. It also gives reproducible builds and a stable input for cargo audit.
(Alternative considered: run cargo generate-lockfile in the workflow before auditing — rejected, since it audits freshly-resolved deps instead of the shipped set and leaves builds non-reproducible.)
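A pre-flight step for the audit job, added here as an example (not code from shadow-rs or from rustsec/audit-check): it fails with a clear message when Cargo.lock is missing or matched by .gitignore, instead of letting cargo audit die with the "Unexpected end of JSON input" error above. The function names check_lockfile and lockfile_ignored are hypothetical, and the .gitignore parsing assumes one plain pattern per line.

```shell
# Pre-flight check for the Security audit workflow (added example, not part of
# the shadow-rs repository). Run it before the rustsec/audit-check step so a
# missing or git-ignored Cargo.lock fails the job loudly rather than silently
# masking future RUSTSEC advisories.

# lockfile_ignored DIR : returns 0 if DIR/.gitignore has a pattern that ignores
# Cargo.lock. Assumes simple one-pattern-per-line .gitignore syntax.
lockfile_ignored() {
    dir="$1"
    [ -f "$dir/.gitignore" ] || return 1
    # drop comment lines and trailing whitespace, then look for an exact
    # Cargo.lock pattern (root-anchored or not)
    grep -v '^[[:space:]]*#' "$dir/.gitignore" | sed 's/[[:space:]]*$//' \
        | grep -qx -e 'Cargo.lock' -e '/Cargo.lock' -e '\*\*/Cargo.lock'
}

# check_lockfile DIR : 0 = safe to audit, 1 = lockfile missing,
#                      2 = lockfile present locally but git-ignored (absent in CI)
check_lockfile() {
    dir="$1"
    if [ ! -f "$dir/Cargo.lock" ]; then
        echo "audit preflight: $dir/Cargo.lock not found; commit the lockfile" >&2
        return 1
    fi
    if lockfile_ignored "$dir"; then
        echo "audit preflight: Cargo.lock is listed in .gitignore and will be absent in CI" >&2
        return 2
    fi
    echo "audit preflight: Cargo.lock present and tracked; proceeding with cargo audit"
    return 0
}
```

In audit.yml this would be a `run: ./preflight.sh .` style step (assumed file name) placed before rustsec/audit-check, so the job turns red on the configuration error itself.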