This repository was archived by the owner on Oct 13, 2023. It is now read-only.

feat: adds support for ignores #221

Open
moliva wants to merge 11 commits into actions-rs:master from moliva:master

Conversation

moliva commented May 10, 2022

  • Adds support for cargo audit --ignore
  • Configurable input by comma-separated input string, as GH Actions does not support sequences as inputs
  • Bumps version to 1.3.2
  • Adds .nvmrc for Node v16 to avoid the "envelope routines unsupported" issue

Usage example:

jobs:
  security_audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: moliva/audit-check@v1.3.2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          ignore: "RUSTSEC-2020-0159, RUSTSEC-2020-0071"

This version can be used FTTB with this option installed: moliva/audit-check@v1.3.2 .
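As an added illustration of the input handling this PR describes (example code, not the PR's or the action's own source): the comma-separated `ignore` string from the workflow above is split into advisory ids and turned into repeated `--ignore` arguments for `cargo audit`. The function names, the RUSTSEC id pattern check and the argv shape are assumptions; the action's real wiring via @actions/core is not reproduced here.

```javascript
// Added example, not code from the actions-rs/audit-check PR.
// Assumes the action collects an argv array and shells out to `cargo audit`.

// RustSec advisory ids look like RUSTSEC-2020-0159: fixed prefix,
// four-digit year, four-digit sequence number. (Assumed format check.)
const ADVISORY_ID = /^RUSTSEC-\d{4}-\d{4}$/;

// Split the raw `ignore` input ("RUSTSEC-2020-0159, RUSTSEC-2020-0071")
// into a de-duplicated list of ids. Malformed entries are rejected rather
// than dropped, so a typo in the workflow file fails loudly instead of
// silently leaving the wrong advisory un-ignored.
function parseIgnoreInput(raw) {
  const ids = [];
  for (const piece of (raw || '').split(',')) {
    const id = piece.trim();
    if (id === '') continue; // tolerate trailing commas and blank entries
    if (!ADVISORY_ID.test(id)) {
      throw new Error(`invalid advisory id in 'ignore' input: ${JSON.stringify(id)}`);
    }
    if (!ids.includes(id)) ids.push(id);
  }
  return ids;
}

// Build the argument vector for `cargo audit`: each id becomes its own
// `--ignore <id>` pair; with no ids the command is left unchanged.
function buildAuditArgs(ignoreIds) {
  const args = ['audit'];
  for (const id of ignoreIds) {
    args.push('--ignore', id);
  }
  return args;
}

// Constructed sample input: the value from the workflow snippet in this PR.
const sampleInput = 'RUSTSEC-2020-0159, RUSTSEC-2020-0071';
const sampleArgs = buildAuditArgs(parseIgnoreInput(sampleInput));
console.log(`cargo ${sampleArgs.join(' ')}`);
```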

buehler commented Jun 13, 2022

This would be a blast!
There are several use cases where we'd like to ignore some smaller reported issues.
An example is the chrono package which has a segmentation fault issue for a specific Linux distribution. But chrono is used in many packages as dependency and is not yet updated.

maujim commented Jun 14, 2022

Would it be possible to support the ignore syntax mentioned in #223?

moliva (Author) commented Jun 17, 2022

Would it be possible to support the ignore syntax mentioned in #223?

The original implementation used this array/list format, but it seems GitHub Actions input doesn't support anything but strings (at least up to this point in time).

djmitche commented Jul 4, 2022

Hi @svartalf -- any chance you could take a look at this PR?

matschaffer commented

@moliva I think you need to add the new input to https://github.com/actions-rs/audit-check/blob/master/action.yml#L8 as well

Looks like this should probably work

inputs:
  token:
    description: GitHub Actions token
    required: true
  ignore:
    description: Comma-separated list of advisory ids to ignore
    required: false

0xAlcibiades commented

This would be really useful re: #223 - anything blocking this from getting merged?

djmitche commented

This repo seems pretty quiet. You all are welcome to depend on https://github.com/GothenburgBitFactory/audit-check in the interim, or of course you can fork the action yourself.

@matschaffer thanks - I can add that on the fork.

moliva (Author) commented Aug 4, 2022

@moliva I think you need to add the new input to https://github.com/actions-rs/audit-check/blob/master/action.yml#L8 as well

Looks like this should probably work

inputs:
  token:
    description: GitHub Actions token
    required: true
  ignore:
    description: Comma-separated list of advisory ids to ignore
    required: false

Thanks @matschaffer, I wasn't aware of that file. This PR by itself is already working for me; I've been using it mostly because of chrono's potential issues, see here.

djmitche commented Aug 6, 2022

So it turns out that .cargo/audit.toml can be used to ignore things, too -- I just had it in the wrong directory (fix in GothenburgBitFactory/taskwarrior#2903). So the fork probably isn't necessary!

matschaffer commented

Ooooh! nice find!

pinkforest commented

There were a lot of outdated dependencies which have been brought relatively up to date at:

We've forked to rustsec/audit-check

Have also forked actions-rs/core to rinse-repeat/audit-rs-core
