Since Component Governance (CG) already flags CVE and RUSTSEC advisories, rather than block PRs suddenly by a new RUSTSEC advisory and with no way to ignore advisories without a CVS score, we should stop running it at least in PRs. I think CIs are still fine since we get notifications and they do run more often than CG runs. There's value in it, but twice in recent history it suddenly blocked PRs.
Since Component Governance (CG) already flags CVE and RUSTSEC advisories, rather than block PRs suddenly by a new RUSTSEC advisory and with no way to ignore advisories without a CVS score, we should stop running it at least in PRs. I think CIs are still fine since we get notifications and they do run more often than CG runs. There's value in it, but twice in recent history it suddenly blocked PRs.