From 0f5b1ce6e2e645ad270d4e0157eaf1cf5feb7ea4 Mon Sep 17 00:00:00 2001
From: Nicholas Gates
Date: Thu, 11 Jun 2026 18:26:38 -0400
Subject: [PATCH] Make RustSec advisory checks non-blocking for PRs
Signed-off-by: Nicholas Gates
---
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/publish.yml | 11 +++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dea9f3b9ef4..08d09b66038 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -391,11 +391,11 @@ jobs:
 checks:
 - advisories
 - bans licenses sources
- # Prevent sudden announcement of a new advisory from failing ci:
- continue-on-error: ${{ matrix.checks == 'advisories' }}
 steps:
 - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2
+ # Prevent sudden announcement of a new advisory from failing CI or blocking PR merges.
+ continue-on-error: ${{ matrix.checks == 'advisories' }}
 with:
 command: check ${{ matrix.checks }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6398c54c20e..0eab1a2dd95 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,7 +12,18 @@ on:
 types: [published]
 jobs:
+ rustsec-audit:
+ name: RustSec Audit
+ runs-on: ubuntu-latest
+ timeout-minutes: 30
+ steps:
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2
+ with:
+ command: check advisories
+
 package:
+ needs: [rustsec-audit]
 uses: ./.github/workflows/package.yml
 with:
 version: ${{ github.event.release.tag_name }}
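Review bot: With `continue-on-error` now attached to the cargo-deny step in ci.yml, the `advisories` matrix job will conclude as successful even when an advisory is reported, so on a pull request the finding is visible only in the step log. Indentation is not preserved on this page, so the step-level placement is read from the line order (the two added lines follow `- uses: EmbarkStudios/cargo-deny-action@…`). To keep the result non-blocking but still visible, give that step `id: deny` and add a following step `- if: steps.deny.outcome == 'failure'` whose `run:` is `echo "::warning::cargo-deny reported a RustSec advisory"`. Without some surfaced signal, the first hard notice of a vulnerable dependency is the release-time audit in publish.yml.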
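Review bot: The new `rustsec-audit` job in publish.yml declares no `permissions:`, so the third-party action runs with whatever token scope the workflow or repository default grants; lines 1–11 of the file are outside the hunk, so a workflow-level block may already cover this. If it does not, add `permissions:` with `contents: read` to the job and `with:` / `persist-credentials: false` on the checkout step, since the audit only needs to read the repository. Also, `needs: [rustsec-audit]` is added to `package` alone; any other job in this workflow that publishes without depending on `package` would not be gated by the audit, which cannot be confirmed from the lines shown here.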