bashandbone · bashandbone · Apr 4, 2026 · Mar 24, 2026 · Mar 24, 2026 · Apr 4, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -24,7 +24,7 @@ jobs:
           - beta
           - nightly
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           submodules: recursive
 
@@ -69,12 +69,15 @@ jobs:
   security_audit:
     name: Security Audit
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - uses: rustsec/audit-check@v1.4.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          ignore: RUSTSEC-2024-0364
+          ignore: RUSTSEC-2024-0364,RUSTSEC-2024-0436
 
   coverage:
     name: Code Coverage

diff --git a/audit.toml b/audit.toml
@@ -5,4 +5,5 @@
 [advisories]
 ignore = [
     "RUSTSEC-2024-0364", # gitoxide-core does not neutralize special characters for terminals. No patched version available.
+    "RUSTSEC-2024-0436" # No patched version available.
 ]
diff --git a/deny.toml b/deny.toml
@@ -82,6 +82,7 @@ feature-depth = 1
 # output a note when they are encountered.
 ignore = [
   "RUSTSEC-2024-0364", # gitoxide-core does not neutralize special characters for terminals. No patched version available.
+  "RUSTSEC-2024-0436", # paste is unmaintained; it is a transitive dependency via rustls-ffi -> macro_rules_attribute and has no patched version or security impact.
   # "RUSTSEC-0000-0000",
   # { id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
   # "a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish