From e1c509e0de487d5ed6f0ad66e62be2063654f888 Mon Sep 17 00:00:00 2001
From: Cole Miller <cole@zed.dev>
Date: Mon, 2 Dec 2024 18:48:03 -0500
Subject: [PATCH] Check for vulnerable dependencies in CI (#21424)

This PR adds GitHub's dependency review action to CI, to flag PRs that
introduce new Cargo.lock entries for vulnerable crates according to the
GHSA database.

An alternative would be to run `cargo audit`, which checks against the
RustSec database. The state of synchronization between these two
databases seems a bit messy, but as far as I can tell GHSA has most
recent RustSec advisories on file, while RustSec is missing a larger
number of recent GHSA advisories.

The dependency review action should be smart enough not to flag PRs
because an untouched entry in Cargo.lock has a new advisory.

I've turned off the "license check" functionality since we have a
separate CI step for that.

Release Notes:

- N/A
---
 .github/workflows/ci.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 49881e2e7c..33c85f74b9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -113,6 +113,11 @@ jobs:
           script/check-licenses
           script/generate-licenses /tmp/zed_licenses_output
 
+      - name: Check for new vulnerable dependencies
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4
+        with:
+          license-check: false
+
       - name: Run tests
         uses: ./.github/actions/run_tests