From 6dc744e08b4bba76194d464d44cfba9459c2d67b Mon Sep 17 00:00:00 2001
From: Caleb Leak
Date: Fri, 1 May 2026 20:59:47 -0700
Subject: [PATCH] Run cargo audit without GitHub token
---
 .github/workflows/ci.yml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 808c2ed..1ddd170 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
 - master
 - main

+permissions:
+ contents: read
+
 jobs:
 test:
 name: Rust checks (${{ matrix.os }})
@@ -17,7 +20,9 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - uses: actions/checkout@v5
- - uses: dtolnay/rust-toolchain@stable
+ with:
+ persist-credentials: false
+ - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8
 - name: Format
 run: cargo fmt --check
 - name: Clippy
@@ -30,9 +35,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
- - uses: rustsec/audit-check@v2
 with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ persist-credentials: false
+ - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8
+ - name: Install cargo-audit
+ run: cargo install cargo-audit --version 0.22.1 --locked
+ - name: Audit
+ run: cargo audit --file Cargo.lock

 secrets:
 name: Secret scan
@@ -41,6 +50,7 @@ jobs:
 - uses: actions/checkout@v5
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Install Gitleaks
 env:
 GITLEAKS_VERSION: 8.30.1
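Review bot: Pinning `dtolnay/rust-toolchain` to `29eef336d9b2848a0b548edc03f92a220660cdb8` in the test job (second hunk) drops the `@stable` ref that this action uses to select the channel, and the new step passes no `toolchain` input. If that commit is not on the action's `stable` branch the step may fail or install nothing useful, so it is worth confirming and setting `with:` / `toolchain: stable` explicitly; a trailing `# stable` comment after the SHA would also tell readers what the pin corresponds to. The same pinned step is added in the audit job (third hunk). `actions/checkout@v5` in the surrounding context is still a mutable tag, so the workflow ends up only partly pinned.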
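Review bot: The new `Audit` step in the audit job (third hunk) gates only on vulnerability advisories, because by default cargo-audit reports unmaintained, unsound and yanked crates as warnings and still exits zero. If those should fail CI as well, change the step to `run: cargo audit --deny warnings --file Cargo.lock`; if they are meant to be non-blocking, a comment above the step such as `# informational advisories are warnings only and do not fail the job` would record that choice. Findings now appear only in the job log, which was presumably the part the removed action used its token for, so someone has to look at failed or warning runs.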