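# Deny - Linux
#
# Checks for security vulnerabilities or license incompatibilities
# by running cargo-deny through the repository's make targets.
#
# Runs on:
#   - a schedule: 05:00 UTC, Tuesday through Saturday (see the cron entry below)
#   - on PR review (see comment-trigger.yml)
#   - on demand from github actions UI
#   - on pull requests when Cargo.toml or Cargo.lock files change
#     (decided by the `changes` job, not by a `paths:` filter)
#   - on merge queue check requests (merge_group)

name: Deny - Linux

on:
  workflow_call:
    inputs:
      ref:
        description: "Git ref to checkout"
        required: false
        type: string
  workflow_dispatch:
    inputs:
      ref:
        description: "Git ref to checkout"
        required: false
        type: string
  pull_request:
  merge_group:
    types: [checks_requested]
  schedule:
    # Same schedule as nightly.yml
    - cron: "0 5 * * 2-6" # Runs at 5:00 AM UTC, Tuesday through Saturday

concurrency:
  group: ${{ github.workflow }}-${{ github.event.number || github.sha }}
  cancel-in-progress: true

# Least privilege: the workflow token can only read repository contents.
permissions:
  contents: read

jobs:
  changes:
    if: ${{ github.event_name == 'pull_request' }}
    uses: ./.github/workflows/changes.yml
    # NOTE(review): `secrets: inherit` hands every caller secret to the reusable
    # workflow. changes.yml is not visible here; if it only computes change
    # flags, drop this line or pass the specific secrets it needs.
    secrets: inherit

  test-deny:
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    # `!cancelled()` instead of `always()`: the job still runs when `changes`
    # is skipped (non-PR events), but stops once the run is cancelled, e.g. by
    # `cancel-in-progress` above.
    # `needs.changes.result != 'success'` makes the gate fail closed: if the
    # `changes` job fails on a pull request, the check runs instead of being
    # skipped (a skipped job does not report a failure).
    if: ${{ !cancelled() && (github.event_name != 'pull_request' || needs.changes.result != 'success' || needs.changes.outputs.deny == 'true') }}
    needs: [changes]
    steps:
      - name: Checkout branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Empty on pull_request, merge_group and schedule events, where
          # checkout falls back to its default ref for the event.
          ref: ${{ inputs.ref }}
          # The following steps run the Makefile from the checked-out ref, so
          # do not leave the workflow token configured for git in the workspace.
          persist-credentials: false
      - uses: ./.github/actions/setup
        with:
          mold: false
          cargo-deny: true
      - name: Check cargo deny (all)
        run: make check-deny

  test-deny-licenses:
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    # Same gate as test-deny: skip on cancellation, fail closed when the
    # `changes` job did not succeed.
    if: ${{ !cancelled() && (github.event_name != 'pull_request' || needs.changes.result != 'success' || needs.changes.outputs.deny == 'true') }}
    needs: [changes]
    steps:
      - name: Checkout branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Empty on pull_request, merge_group and schedule events, where
          # checkout falls back to its default ref for the event.
          ref: ${{ inputs.ref }}
          # The following steps run the Makefile from the checked-out ref, so
          # do not leave the workflow token configured for git in the workspace.
          persist-credentials: false
      - uses: ./.github/actions/setup
        with:
          mold: false
          cargo-deny: true
      - name: Check cargo deny licenses
        run: make check-deny-licenses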