
`generate-lockfile` overwrites a checked-in Cargo.lock

Open andrewhalle opened this issue 2 years ago • 1 comment

Copying https://github.com/actions-rs/audit-check/issues/163 to this fork.

Description

This action calls `cargo generate-lockfile`, which overwrites `Cargo.lock` according to the cargo docs:

> This command will create the Cargo.lock lockfile for the current package or workspace. If the lockfile already exists, it will be rebuilt with the latest available version of every package.

This negates the purpose of having a checked-in lockfile.

Proposed Fix

https://github.com/actions-rs/audit-check/issues/163#issuecomment-788844440

Rather than call `cargo generate-lockfile`, call `cargo metadata --format-version=1 >/dev/null` instead.

andrewhalle avatar Aug 16 '23 23:08 andrewhalle
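The guard a CI job would want around the audit step is a check that the step left the checked-in `Cargo.lock` byte-for-byte unchanged. The script below is an added example, not code from the audit-check action or from the issue author: it snapshots a lockfile, runs whatever command it is given, and fails if the file was rewritten. The function name `run_without_touching_lockfile`, the helper `rewrite_lockfile` and the minimal `Cargo.lock` it constructs are all assumptions made for the demo; the command is a parameter (`true` stands in for a read-only call such as `cargo metadata --format-version=1`, `rewrite_lockfile` stands in for `cargo generate-lockfile`) so the script runs offline without cargo.

```shell
#!/bin/sh
# Added example (not from the audit-check project or the issue author):
# detect whether a command rewrites a checked-in Cargo.lock.

# run_without_touching_lockfile LOCKFILE CMD [ARGS...]
# Snapshots LOCKFILE, runs CMD, and returns:
#   0 if CMD succeeded and LOCKFILE is unchanged,
#   1 if CMD succeeded but modified LOCKFILE (the problem this issue reports),
#   2 if CMD itself failed or the snapshot could not be taken.
run_without_touching_lockfile() {
    lockfile=$1
    shift
    snapshot=$(mktemp) || return 2
    cp "$lockfile" "$snapshot" || { rm -f "$snapshot"; return 2; }

    if ! "$@"; then
        rm -f "$snapshot"
        return 2
    fi

    if cmp -s "$lockfile" "$snapshot"; then
        rm -f "$snapshot"
        return 0
    fi

    echo "error: '$*' modified $lockfile:" >&2
    diff "$snapshot" "$lockfile" >&2
    rm -f "$snapshot"
    return 1
}

# Hypothetical stand-in for a command that rebuilds the lockfile
# (the behaviour `cargo generate-lockfile` has on an existing Cargo.lock).
rewrite_lockfile() {
    printf '\n[[package]]\nname = "extra"\nversion = "9.9.9"\n' >> "$1"
}

# Constructed demo input: a minimal Cargo.lock in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Cargo.lock" <<'EOF'
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "example"
version = "0.1.0"
EOF

# 1) A read-only command leaves the lockfile alone: the check passes.
if run_without_touching_lockfile "$demo_dir/Cargo.lock" true; then
    echo "ok: lockfile untouched"
fi

# 2) A command that regenerates the lockfile is caught: the check fails.
if ! run_without_touching_lockfile "$demo_dir/Cargo.lock" rewrite_lockfile "$demo_dir/Cargo.lock"; then
    echo "detected: lockfile was rewritten"
fi

rm -rf "$demo_dir"
```

In a real workflow the command argument would be the cargo invocation itself; because the shell redirection in `cargo metadata --format-version=1 >/dev/null` cannot be passed through `"$@"`, wrap it as `sh -c 'cargo metadata --format-version=1 >/dev/null'`. Cargo also has a `--locked` flag that makes commands fail instead of updating an existing lockfile, which is a complementary guard to the after-the-fact comparison shown here.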

FYI this is fixed in latest main but not released yet.

tillmann-crabnebula avatar May 13 '24 02:05 tillmann-crabnebula

Fixed in v2.0.0

tarcieri avatar Sep 23 '24 15:09 tarcieri