From fc32eaa181e695d60116e4be38311c2c5c5f8fd9 Mon Sep 17 00:00:00 2001
From: Cole Miller <cole@zed.dev>
Date: Mon, 2 Dec 2024 16:07:44 -0500
Subject: [PATCH] Check for vulnerable dependencies in CI

This PR add's GitHub's dependency review action to CI, to flag PRs that
introduce new Cargo.lock entries for vulnerable crates according to the
GHSA database.

An alternative would be to run `cargo audit`, which checks against the
RustSec database. The state of synchronization between these two
databases seems a bit messy, but as far as I can tell GHSA has most
recent RustSec advisories on file, while RustSec is missing a larger
number of recent GHSA advisories.

The dependency review action should be smart enough not to flag PRs
because an untouched entry in Cargo.lock has a new advisory.

I've turned off the "license check" functionality since we have a
separate CI step for that.
---
 .github/workflows/ci.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 49881e2e7cb0cc..33c85f74b9673d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -113,6 +113,11 @@ jobs:
           script/check-licenses
           script/generate-licenses /tmp/zed_licenses_output
 
+      - name: Check for new vulnerable dependencies
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4
+        with:
+          license-check: false
+
       - name: Run tests
         uses: ./.github/actions/run_tests