Closed oherrala closed 1 year ago
Quoting @svartalf from https://github.com/actions-rs/cargo/pull/59#issuecomment-1012974186:
Before you ask about adding more maintainers, I thought about it for a long time, but since https://github.com/actions-rs are used heavily both by companies and individuals at this point for both public and private repos, there is a huge trust issue we should take into consideration, because having write access to these repositories provides a huge attack vector too. I prefer to keep these repos stale for now rather than accidentally allowing some malicious third party to get access to all these private repos, which will be way worse than not having some feature merged.
A while back audit-check was forked into RustSec https://github.com/rustsec/audit-check - Issues / PRs welcome
Yeah there is really no way for us to generate notice via advisory-db as this one is just GitHub action thing.
But we have some contacts with GitHub we can ask around.
Moving the issue to RustSec/audit-check
I think we could probably put together a much simpler action for people to use, which doesn't depend on e.g. Node.js in any way
Some time ago, I wrote https://github.com/actions-rust-lang/audit to move off actions-rs. It is written as a composite action with the main logic in Python instead of JavaScript. It supports maintaining issues and writes a workflow summary with the findings. It doesn't really provide more features than audit-check except for an explicit input argument to ignore IDs. I am happy to talk more about it in case you find it of any interest.
This action now uses node16 and dependencies have been bumped so should be perfectly usable. It's fairly simple in the end - can continue alternatives in discussions if there is really need.
This is not a Rust crate, but tooling used by many Rust projects. Is this the correct place to discuss and maybe take action on informing the community about the issue?
The actions-rs GitHub Actions from GitHub (https://github.com/actions-rs) are used by many Rust projects. However, the actions don't see much love; there's discussion about the maintenance status here: https://github.com/actions-rs/meta/issues/43
As these actions are not maintained, known vulnerabilities might start to pile up and things might start to break because GitHub is deprecating support for some things (e.g. https://github.com/actions-rs/audit-check/issues/227).
Pinging @svartalf since he's the (only?) owner of the GitHub organization.