rustsec / audit-check

🛡️ GitHub Action for security audits

`generate-lockfile` overwrites a checked-in Cargo.lock #15

Closed andrewhalle closed 2 months ago

andrewhalle commented 1 year ago

Copying https://github.com/actions-rs/audit-check/issues/163 to this fork.

Description

This action calls `cargo generate-lockfile`, which overwrites `Cargo.lock` according to the cargo docs^1:

> This command will create the Cargo.lock lockfile for the current package or workspace. If the lockfile already exists, it will be rebuilt with the latest available version of every package.

This negates the purpose of having a checked-in lockfile.

Proposed Fix

https://github.com/actions-rs/audit-check/issues/163#issuecomment-788844440

Rather than call `cargo generate-lockfile`, call `cargo metadata --format-version=1 >/dev/null` instead.
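A CI-side guard for the regression described in this issue, added here as an example (it is not part of the action or of this issue's proposed fix): it snapshots `Cargo.lock`, runs a step, and fails if the step rewrote the checked-in lockfile. The two stand-in steps and the demo lockfile are constructed; in a real workflow the command would be the audit step itself, and inside a git checkout `git diff --exit-code -- Cargo.lock` is the equivalent check.

```shell
#!/bin/sh
# Example guard (not the action's code): detect a CI step that silently
# rewrites the checked-in Cargo.lock, as `cargo generate-lockfile` does.
set -eu

# lockfile_guard <dir> <command...>
# Returns 0 if <command> leaves <dir>/Cargo.lock byte-identical, 1 otherwise.
# A snapshot copy is used so the check also works outside a git checkout.
lockfile_guard() {
    dir=$1; shift
    snapshot=$(mktemp)
    cp "$dir/Cargo.lock" "$snapshot"
    # Run the step inside the package directory; its own exit status is not
    # what we are checking here, only its side effect on the lockfile.
    ( cd "$dir" && "$@" ) || true
    if cmp -s "$snapshot" "$dir/Cargo.lock"; then
        rm -f "$snapshot"
        return 0
    fi
    echo "Cargo.lock was modified by: $*" >&2
    rm -f "$snapshot"
    return 1
}

# Constructed demo package with a minimal lockfile (not a real crate).
demo_dir=$(mktemp -d)
cat > "$demo_dir/Cargo.lock" <<'EOF'
version = 3

[[package]]
name = "demo"
version = "0.1.0"
EOF

# Constructed stand-in for `cargo generate-lockfile`: rewrites the lockfile.
rewrite_lockfile() { printf '# rebuilt by generate-lockfile stand-in\n' >> Cargo.lock; }
# Constructed stand-in for `cargo metadata --format-version=1 >/dev/null`: read-only.
read_only_step() { cat Cargo.lock > /dev/null; }

if lockfile_guard "$demo_dir" read_only_step; then
    echo "metadata-style step: lockfile intact"
fi
if ! lockfile_guard "$demo_dir" rewrite_lockfile; then
    echo "generate-lockfile-style step: rewrite detected"
fi
```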

tillmann-crabnebula commented 6 months ago

FYI this is fixed in latest main but not released yet.

tarcieri commented 2 months ago

Fixed in v2.0.0