Don't fail CI cargo deny advisories via gix-testtools
The `gix-testtools` crate depends on previous major/breaking
versions of some `gix-*` crates, as described in
GitoxideLabs#1510 (comment)
and further discussed in GitoxideLabs#1886.
This creates a situation where `gix-testtools` will sometimes use
`gix-*` crates in vulnerable versions. Even as `gix-testtools` is
used in this project, that could in principle cause a problem for
some vulnerabilities. So it is correct in general to consider
vulnerable `gix-testtools` dependencies significant.
However, in most vulnerabilities so far, the specific use in
`gix-testtools` as part of gitoxide's test suite has been
acceptable. (Other common uses of `gix-testtools`, if they are in
test suites operating on trusted data as here, may be in a similar
situation, but it may not be reasonable to assume that broadly.)
When `cargo deny advisories` fails on CI due to a `gix-testtools`
dependency on an old version of a `gix-*` crate, it makes it harder
to notice if *other* vulnerable dependencies are also being used.
A usual workaround for this would be to add the vulnerability's
RUSTSEC ID to the `ignore` list in `deny.toml`, but that would
weaken the operation of `cargo deny` far too much, because:
- The distraction here is mainly, or perhaps only, a problem in CI,
so no change to `deny.toml` may be needed.
- It should remain easy to run `cargo deny` in such a way that
the dependence of `gix-testtools` on vulnerable crate versions is
revealed, and it should be obvious from the command that is run
whether that information would be shown or not.
- The advisories themselves should not be ignored because they are
unexpected, and potentially highly consequential, if they arise
from any other crate.
- It is useful to be able to easily compare the output of
`cargo deny advisories` with and without such messages.
So this multiplies the step into two, running `cargo deny` twice
for advisories:
1. Initially including dependencies through `gix-testtools`, but
marking the step as `continue-on-error: true` so it doesn't fail
the job.
2. Again without dependencies through `gix-testtools`, allowing the
step to fail the job on vulnerabilities found via other crates.
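The two-step pattern described in the commit message, as an added GitHub Actions sketch that is not the project's own workflow file: it assumes a job with a Rust toolchain already available and uses cargo-deny's `--exclude` option to drop `gix-testtools` from the crate graph for the second run.

```yaml
# Added illustration of the two-step pattern, not the project's actual
# workflow. Assumes cargo-deny's `--exclude` option removes a crate from
# the graph being checked, and that the job already has a Rust toolchain.
jobs:
  cargo-deny-advisories:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install cargo-deny
        run: cargo install cargo-deny --locked

      # Step 1: full graph, including old gix-* versions reached through
      # gix-testtools. Findings stay visible in the log for comparison,
      # but a failure here does not fail the job.
      - name: cargo deny advisories (including gix-testtools dependencies)
        continue-on-error: true
        run: cargo deny check advisories

      # Step 2: same check with gix-testtools excluded from the graph.
      # Any advisory reported here comes from some other crate, so this
      # step is allowed to fail the job.
      - name: cargo deny advisories (excluding gix-testtools dependencies)
        run: cargo deny --exclude gix-testtools check advisories
```

Comparing the logs of the two steps shows exactly which advisories are attributable to `gix-testtools` and which are not.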