From 7d2a234fc3993a32e511cc48d46117157313f1fd Mon Sep 17 00:00:00 2001
From: jutty
Date: Wed, 25 Feb 2026 00:32:51 -0300
Subject: [PATCH] Add cargo-audit security assessment
---
 .forgejo/workflows/check.yaml | 27 +++++++++++++---------
 .forgejo/workflows/publish.yaml | 21 ++++++++++-------
 .justfile | 8 ++++++-
 Cargo.lock | 40 ++++++++++++++++-----------------
 4 files changed, 57 insertions(+), 39 deletions(-)
diff --git a/.forgejo/workflows/check.yaml b/.forgejo/workflows/check.yaml
index 9d43928..213d73b 100644
--- a/.forgejo/workflows/check.yaml
+++ b/.forgejo/workflows/check.yaml
@@ -14,6 +14,8 @@ env:
 JUST_SHA256SUM: dc3f958aaf8c6506dd90426e9b03f86dd15e74a6467ee0e54929f750af3d9e49
 CARGO_LLVM_COV_VERSION: 0.6.21
 CARGO_LLVM_COV_SHA256SUM: 57f491aedf7cdb261538ceb49cbb1ee9d27df7ca205a5e1a009caaf5cb911afb
+ CARGO_AUDIT_VERSION: 0.22.1
+ CARGO_AUDIT_SHA256SUM: 9899e591c3abee79bd54e88c3b03d27bcf8dd073fb1690af9cd3089be1267a67
 jobs:
 verify:
 runs-on: docker
@@ -36,25 +38,30 @@ jobs:
 - name: Setup additional tooling
 run: |
 fetch() {
- repo="$1"; tag="$2"; filename="$3"; digest="$4"
+ repo="$1"; tag="$2"; filename="$3"; digest="$4"; binary="$5"
- curl -sSLO -w '%{stderr}HTTP %{response_code} %{url}\n' \
+ [ -d /tmp/tools ] || mkdir -p /tmp/tools
+
+ curl -sSLO --output-dir /tmp \
+ -w '%{stderr}HTTP %{response_code} %{url}\n' \
 "https://github.com/$repo/releases/download/$tag/$filename"
- printf '%s %s\n' "$digest" "$filename" > digest
- sha256sum --check digest && tar xf "$filename" -C tools
+ printf '%s %s\n' "$digest" "/tmp/$filename" > /tmp/digest
+ sha256sum --check /tmp/digest
+ tar xf "/tmp/$filename" -C /tmp/tools
+ find /tmp/tools -type f -executable -name "$binary" \
+ -exec mv '{}' /usr/local/bin ';'
 }
- mkdir tools
-
 fetch casey/just ${{ env.JUST_VERSION }} \
 just-${{ env.JUST_VERSION }}-x86_64-unknown-linux-musl.tar.gz \
- ${{ env.JUST_SHA256SUM }}
+ ${{ env.JUST_SHA256SUM }} just
 fetch taiki-e/cargo-llvm-cov v${{ env.CARGO_LLVM_COV_VERSION }} \
 cargo-llvm-cov-x86_64-unknown-linux-gnu.tar.gz \
- ${{ env.CARGO_LLVM_COV_SHA256SUM }}
-
- mv -v tools/just tools/cargo-llvm-cov /usr/local/bin
+ ${{ env.CARGO_LLVM_COV_SHA256SUM }} cargo-llvm-cov
+ fetch rustsec/rustsec v${{ env.CARGO_AUDIT_VERSION }} \
+ cargo-audit-x86_64-unknown-linux-gnu-v0.22.1.tgz \
+ ${{ env.CARGO_AUDIT_SHA256SUM }} cargo-audit
 - name: Build
 run: just build
diff --git a/.forgejo/workflows/publish.yaml b/.forgejo/workflows/publish.yaml
index 9be60d6..26dc552 100644
--- a/.forgejo/workflows/publish.yaml
+++ b/.forgejo/workflows/publish.yaml
@@ -7,6 +7,8 @@ env:
 JUST_SHA256SUM: dc3f958aaf8c6506dd90426e9b03f86dd15e74a6467ee0e54929f750af3d9e49
 CARGO_LLVM_COV_VERSION: 0.6.21
 CARGO_LLVM_COV_SHA256SUM: 57f491aedf7cdb261538ceb49cbb1ee9d27df7ca205a5e1a009caaf5cb911afb
+ CARGO_AUDIT_VERSION: 0.22.1
+ CARGO_AUDIT_SHA256SUM: 9899e591c3abee79bd54e88c3b03d27bcf8dd073fb1690af9cd3089be1267a67
 jobs:
 publish:
 runs-on: docker
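Review bot: The cargo-audit asset name is hard-coded as `cargo-audit-x86_64-unknown-linux-gnu-v0.22.1.tgz` while the release tag and digest come from `env.CARGO_AUDIT_VERSION` and `env.CARGO_AUDIT_SHA256SUM`, so bumping the env values alone leaves the filename stale; the digest check should still fail closed, but the failure would point at the checksum rather than the real cause. Derive the name from the same variable: `cargo-audit-x86_64-unknown-linux-gnu-v${{ env.CARGO_AUDIT_VERSION }}.tgz \`. The same applies to the corresponding publish.yaml hunk `@@ -38,18 +42,19 @@`. Separately, `find ... -exec mv` exits 0 when nothing matches, so an archive that no longer ships a file named `$binary` passes this step silently and only surfaces when the tool is first invoked; a closing `[ -x "/usr/local/bin/$binary" ]` inside `fetch()` would fail at the point of cause. The `[ -d /tmp/tools ] ||` guard duplicates what `mkdir -p` already does (also in publish.yaml `@@ -29,7 +31,9 @@`).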
@@ -29,7 +31,9 @@ jobs:
 - name: Setup additional tooling
 run: |
 fetch() {
- repo="$1"; tag="$2"; filename="$3"; digest="$4"
+ repo="$1"; tag="$2"; filename="$3"; digest="$4"; binary="$5"
+
+ [ -d /tmp/tools ] || mkdir -p /tmp/tools
 curl -sSLO --output-dir /tmp \
 -w '%{stderr}HTTP %{response_code} %{url}\n' \
@@ -38,18 +42,19 @@ jobs:
 printf '%s %s\n' "$digest" "/tmp/$filename" > /tmp/digest
 sha256sum --check /tmp/digest
 tar xf "/tmp/$filename" -C /tmp/tools
+ find /tmp/tools -type f -executable -name "$binary" \
+ -exec mv '{}' /usr/local/bin ';'
 }
- mkdir /tmp/tools
-
 fetch casey/just ${{ env.JUST_VERSION }} \
 just-${{ env.JUST_VERSION }}-x86_64-unknown-linux-musl.tar.gz \
- ${{ env.JUST_SHA256SUM }}
+ ${{ env.JUST_SHA256SUM }} just
 fetch taiki-e/cargo-llvm-cov v${{ env.CARGO_LLVM_COV_VERSION }} \
 cargo-llvm-cov-x86_64-unknown-linux-gnu.tar.gz \
- ${{ env.CARGO_LLVM_COV_SHA256SUM }}
-
- mv -v /tmp/tools/just /tmp/tools/cargo-llvm-cov /usr/local/bin
+ ${{ env.CARGO_LLVM_COV_SHA256SUM }} cargo-llvm-cov
+ fetch rustsec/rustsec v${{ env.CARGO_AUDIT_VERSION }} \
+ cargo-audit-x86_64-unknown-linux-gnu-v0.22.1.tgz \
+ ${{ env.CARGO_AUDIT_SHA256SUM }} cargo-audit
 - name: Build release binary
 run: just full-build
@@ -63,5 +68,5 @@ jobs:
 --user jutty:${{ secrets.GJD_REGISTRY_TOKEN }} \
 --upload-file target/release/en $url
- - name: Print sha256sum
+ - name: Calculate SHA-256 hash
 run: just shasum
diff --git a/.justfile b/.justfile
index 672b8fc..2c68639 100644
--- a/.justfile
+++ b/.justfile
@@ -229,7 +229,8 @@ verify:
 git status
 exit 1
 fi
- {{ just_cmd }} update version-assess format-assess lint-assess check test cover-assess
+ {{ just_cmd }} update version-assess \
+ security-assess format-assess lint-assess check test cover-assess
 alias v := verify
@@ -252,6 +253,11 @@ version-assess: update
 alias va := version-assess
+# Audit security advisories
+security-assess:
+ cargo audit --deny warnings
+alias sa := security-assess
+
 # BUILD
 # Cleanup build artifacts
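Review bot: The new `security-assess` recipe's comment `# Audit security advisories` does not record that `cargo audit` fetches the RustSec advisory database over the network at run time, nor that `--deny warnings` fails the run for unmaintained, unsound and yanked crates in addition to actual vulnerabilities. Because `verify` now chains this recipe, an unchanged tree can go from green to red purely because the advisory data moved, which is the intended effect but worth stating where the next maintainer will look. Suggest expanding the comment to something like `# Audit Cargo.lock against the RustSec advisory DB (fetched at run time, so results are time-dependent); --deny warnings also fails on unmaintained/unsound/yanked crates`. The workflow hunks install `cargo-audit` at a pinned, digest-verified version, but the advisory data itself is intentionally unpinned, and the recipe is the right place to say so.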
diff --git a/Cargo.lock b/Cargo.lock index f5d3ef3..91ccbc2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -123,9 +123,9 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.20.1" +version = "3.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c6f81257d10a0f602a294ae4182251151ff97dbb504ef9afcdda4a64b24d9b4" +checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb" [[package]] name = "bytes" @@ -151,9 +151,9 @@ checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801" [[package]] name = "chrono" -version = "0.4.43" +version = "0.4.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fac4744fb15ae8337dc853fee7fb3f4e48c0fbaa23d0afe49c447b4fab126118" +checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0" dependencies = [ "iana-time-zone", "num-traits", @@ -534,9 +534,9 @@ checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2" [[package]] name = "js-sys" -version = "0.3.85" +version = "0.3.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3" +checksum = "14dc6f6450b3f6d4ed5b16327f38fed626d375a886159ca555bd7822c0c3a5a6" dependencies = [ "once_cell", "wasm-bindgen", @@ -810,9 +810,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.8.9" +version = "0.8.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a96887878f22d7bad8a3b6dc5b7440e0ada9a245242924394987b21cf2210a4c" +checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a" [[package]] name = "ring" 
@@ -830,9 +830,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.36" +version = "0.23.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b" +checksum = "758025cb5fccfd3bc2fd74708fd4682be41d99e5dff73c377c0646c6012c73a4" dependencies = [ "log", "once_cell", @@ -1028,9 +1028,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.116" +version = "2.0.117" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb" +checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99" dependencies = [ "proc-macro2", "quote", @@ -1266,9 +1266,9 @@ checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b" [[package]] name = "wasm-bindgen" -version = "0.2.108" +version = "0.2.113" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566" +checksum = "60722a937f594b7fde9adb894d7c092fc1bb6612897c46368d18e7a20208eff2" dependencies = [ "cfg-if", "once_cell", @@ -1279,9 +1279,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.108" +version = "0.2.113" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608" +checksum = "0fac8c6395094b6b91c4af293f4c79371c163f9a6f56184d2c9a85f5a95f3950" dependencies = [ "quote", "wasm-bindgen-macro-support", 
@@ -1289,9 +1289,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.108" +version = "0.2.113" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55" +checksum = "ab3fabce6159dc20728033842636887e4877688ae94382766e00b180abac9d60" dependencies = [ "bumpalo", "proc-macro2", @@ -1302,9 +1302,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.108" +version = "0.2.113" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12" +checksum = "de0e091bdb824da87dc01d967388880d017a0a9bc4f3bdc0d86ee9f9336e3bb5" dependencies = [ "unicode-ident", ]