ignore audit advisories we want to ignore, or cannot do anything right now

[syphar]

If we want the audit checks on PRs or in forks to pass we have to ignore everything we don't directly fix.

I'm not 100% sure what to add in the comments, I'm happy to add more.

I also set deny = ["warnings"] which makes the audit fail when unmaintained crates are added like I did in #1541 .

[syphar]

don't merge just yet, I want to test the deny = ["warnings"] part first

[jyn514]

LGTM whenever you want to merge :)

[Nemo157]

Will we get an error/warning if one of the ignored advisories does not trigger?

[syphar]

Will we get an error/warning if one of the ignored advisories does not trigger?

I don't think so.

Also, I saw an option to deny yanked releases, not sure if that would be usedful for us. IMHO it depends on why the release was yanked :)

[syphar]

I need to dig deeper here... the actions-rs/audit-check GH action doesn't fail the job when we only have warnings.

[syphar]

@jyn514 to me it seems like that actions-rs/audit-check is ignoring warnings coming from cargo audit, even when audit itself correctly fails.

Seeing open PRs and issues I'm actually not sure if a PR fixing this would even be looked at :) Or do we know someone there?

IMHO we should merge this PR and then see separately how we solve audit. Running it directly would mean we don't have the nicely created issues any more. Or we need to fork it.

[syphar]

Like this the scheduled check should be fine also for forks, only raising warnings (unmaintained dependency) on PRs doesn't.

[jyn514]

IMHO we should merge this PR and then see separately how we solve audit.

👍 Seems good