From 6da734c11a3568bb8296bb52855b0d539359afa8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 5 May 2026 22:53:12 +0000
Subject: [PATCH 1/2] Initial plan
From 5f824235dd9aa1cb7dfd0676beda13ad5afa4ab8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 5 May 2026 22:59:59 +0000
Subject: [PATCH 2/2] fix: add checks:write permission and update rand to patch RUSTSEC-2026-0097
Two root causes for the failing Security Audit CI job: 1. rustsec/audit-check@v2.0.0 requires checks:write permission to post check-run results. The workflow only had contents:read, causing: "Resource not accessible by integration" Fix: add permissions.checks:write to the audit job only. 2. rand v0.8.5 is flagged as unsound by RUSTSEC-2026-0097. Fix: cargo update -p rand bumps the lockfile to rand v0.8.6 (patched version per the advisory).
Agent-Logs-Url: https://github.com/oneirosoft/dagger/sessions/1c44b64d-2291-4e22-b805-fd947d2fca35
Co-authored-by: mark-pro <20671988+mark-pro@users.noreply.github.com>
---
 .github/workflows/ci.yml | 3 +++
 Cargo.lock | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 880885c..d70b794 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,6 +41,9 @@ jobs:
 audit:
 name: Security Audit
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ checks: write
 steps:
 - name: Check out repository
 uses: actions/checkout@v5
diff --git a/Cargo.lock b/Cargo.lock
index 7e0c3ab..e932f9c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
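Review bot: The `checks: write` grant added to the `audit` job in the ci.yml hunk only takes effect where GitHub issues a writable token; on pull requests opened from forks the GITHUB_TOKEN is read-only by default whatever the `permissions:` block requests, so the "Resource not accessible by integration" failure quoted in the commit message can still occur on those runs. The workflow's `on:` triggers and the audit step itself are outside this hunk, so confirm whether fork pull requests reach this job; if they do, a guard on the step that posts the check, such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, avoids the failure, at the cost of not posting the check for those runs. Now that this job's token carries a write scope, the action named in the commit message is better pinned to a reviewed commit than to a movable tag, e.g. `uses: rustsec/audit-check@<full-commit-sha> # v2.0.0`. A comment above the new block, `# checks: write is required by rustsec/audit-check to publish its check run; every other scope stays read or none`, would record why the scope exists.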
@@ -1009,9 +1009,9 @@ checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf" [[package]] name = "rand" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a" dependencies = [ "rand_core", ]