From 9517f08098f1e50c22c018fa154d16fbb04ef579 Mon Sep 17 00:00:00 2001 From: Dakera Ops Date: Wed, 13 May 2026 03:15:55 +0000 Subject: [PATCH] =?UTF-8?q?ci:=20fix=20Security=20Audit=20ARM64=20failure?= =?UTF-8?q?=20=E2=80=94=20switch=20to=20rustsec/audit-check=20action?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit cargo-audit v0.22.1 fails to compile on ARM64 runners due to aws-lc-sys 0.37.0 missing trampoline-armv8.S. Replace the manual cargo install + run with rustsec/audit-check@v2, which downloads a pre-built binary and avoids the ARM64 compilation issue entirely. Adds checks: write permission at job level so the action can post GitHub check annotations. Fixes: DAK-4571 Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/ci.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 24e9a80..6af1aa3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,16 +28,14 @@ jobs: name: Security Audit runs-on: [self-hosted, linux, arm64] timeout-minutes: 10 + permissions: + contents: read + checks: write steps: - uses: actions/checkout@v6 - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - uses: rustsec/audit-check@v2 with: - shared-key: audit - - name: Install cargo-audit - run: which cargo-audit >/dev/null 2>&1 || cargo install cargo-audit --locked - - name: Run cargo audit - run: cargo audit + token: ${{ secrets.GITHUB_TOKEN }} check: name: Check
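Review bot: In the new steps list, `rustsec/audit-check@v2` is referenced by a movable tag while it is handed `secrets.GITHUB_TOKEN` with `checks: write` and runs on a self-hosted runner. Pin it to a full commit SHA, with the tag kept as a trailing comment, so that a retagged release cannot change what executes on that host; the same applies to `actions/checkout@v6`. The job-level `permissions` block with `contents: read` is a good least-privilege scope and should stay. Separately, the hunk removes `dtolnay/rust-toolchain@stable` and the cache step, so the job now depends on how the action obtains `cargo-audit`. Please confirm with a run on the arm64 runner that it uses a pre-built binary as the commit message states, because a fallback to compiling from source would hit the same aws-lc-sys failure, this time with no toolchain step in the job.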