From 3d99c09b756e94054be3d346c9d658e7b17a17b0 Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Sat, 27 Dec 2025 13:54:30 -0700
Subject: [PATCH] CI: fix security audit
---
 .github/workflows/security-audit.yml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index ff7779b..d273d3a 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -1,24 +1,35 @@
 name: Security Audit
 on:
 pull_request:
- paths: Cargo.lock
+ paths:
+ - .github/workflows/security-audit.yml
+ - Cargo.lock
 push:
 branches: master
- paths: Cargo.lock
+ paths:
+ - .github/workflows/security-audit.yml
+ - Cargo.lock
 schedule:
 - cron: "0 0 * * *"
 
+permissions: # added using https://github.com/step-security/secure-repo
+ contents: read
+
 jobs:
 security_audit:
 name: Security Audit
 runs-on: ubuntu-latest
+ permissions:
+ checks: write
+ contents: read
+ issues: write
 steps:
 - uses: actions/checkout@v4
 - name: Cache cargo bin
 uses: actions/cache@v4
 with:
 path: ~/.cargo/bin
- key: ${{ runner.os }}-cargo-audit-v0.12.0
- - uses: actions-rs/audit-check@v1
+ key: ${{ runner.os }}-cargo-audit-v0.22.0
+ - uses: rustsec/audit-check@v2
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
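Review bot: `rustsec/audit-check@v2` is referenced by a mutable tag in the same job that now grants `checks: write` and `issues: write` and passes it `secrets.GITHUB_TOKEN`, so a retagged or compromised release of that action would run with those scopes. Pin it to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: rustsec/audit-check@<full-commit-sha> # v2` (placeholder; take the SHA from the release you reviewed). The same applies to the unchanged `actions/checkout@v4` and `actions/cache@v4` lines. The job-level `permissions:` block would also benefit from a short comment saying why each write scope is needed, for example `# checks/issues: write, presumably so audit-check can report advisories; confirm against its README`, so a later reviewer can tell whether the grant is still minimal. On `pull_request` runs from forks the token is normally read-only whatever this block says, so it is worth confirming the step degrades cleanly there.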