ci: add cargo audit cron job

.cargo/audit.toml

@@ -0,0 +1,21 @@
+[advisories]
+ignore = [
+    # `ark-relations` is an unactivated optional transitive dep (via `ark-bn254`'s`r1cs` feature)
+    # that is never compiled but still appears in Cargo.lock, and hence gets considered by `cargo
+    # audit`. There is an upstream fix for `ark-relations`, but it's not yet published to crates.io.
+    # See https://github.com/arkworks-rs/snark/issues/413.
+    "RUSTSEC-2025-0055",
+
+    # `bincode` is unmaintained; transitive reth dep.
+    "RUSTSEC-2025-0141",
+
+    # `derivative` is unmaintained; transitive dep via revm's `ark-ff`.
+    "RUSTSEC-2024-0388",
+
+    # `paste` is unmaintained; transitive dep via revm's `ark-ff` and alloy's `syn-solidity`.
+    "RUSTSEC-2024-0436",
+
+    # `lru` IterMut unsoundness; transitive dep via reth's `discv5` and `ratatui`.
+    # Neither crate calls `iter_mut()` on the LruCache, so the affected code path is never hit.
+    "RUSTSEC-2026-0002",
+]

.github/workflows/rust-audit-security.yml

@@ -0,0 +1,19 @@
+name: Security Audit
+# This workflow uses rustsec/audit-check to check for security vulnerabilities
+# On scheduled runs: automatically creates GitHub issues for findings
+# On push/PR: creates status checks that fail when vulnerabilities are found
+
+on:
+  schedule:
+    # Run daily at 09:00 UTC
+    - cron: '0 9 * * *'
+  workflow_dispatch: # Allow manual runs
+
+permissions: # these permissions are required for the workflow to run
+  contents: read  # Required to checkout the repository
+  issues: write   # Required to create issues (scheduled runs)
+  checks: write   # Required to create status checks (push/PR)
+
+jobs:
+  security-audit:
+    uses: init4tech/actions/.github/workflows/rust-audit-security.yml@main