
Commit 177f2fb

committed
enable cargo deny (#2101)
https://github.com/EmbarkStudios/cargo-deny cargo-deny is a tool that can issue errors for dependency issues, among others: * security issues in a crate * duplicated dependencies with different versions * unauthorised license Added cargo-deny with an opinionated configuration: * No middle ground with warnings, either allow or deny * Not added to Bors, we probably don't want to block a PR on something that may happen from outside * Different github workflow than CI to run only when Cargo.toml files are changed, or on a schedule * Each check in its own job to help readability * Initial config makes Bevy pass all checks Pushing a first commit with commented config to show errors
1 parent 85b1729 commit 177f2fb


2 files changed

+120
-0
lines changed


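--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@@ -0,0 +1,54 @@
+name: Dependencies
+
+on:
+pull_request:
+paths:
+- '**/Cargo.toml'
+- 'deny.toml'
+push:
+branches: [main, staging, trying]
+paths:
+- '**/Cargo.toml'
+- 'deny.toml'
+schedule:
+- cron: "0 0 * * 0"
+
+env:
+CARGO_TERM_COLOR: always
+
+jobs:
+check-advisories:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Install cargo-deny
+run: cargo install cargo-deny
+- name: Check for security advisories and unmaintained crates
+run: cargo deny check advisories
+
+check-bans:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Install cargo-deny
+run: cargo install cargo-deny
+- name: Check for banned and duplicated dependencies
+run: cargo deny check bans
+
+check-licenses:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Install cargo-deny
+run: cargo install cargo-deny
+- name: Check for unauthorized licenses
+run: cargo deny check licenses
+
+check-sources:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+- name: Install cargo-deny
+run: cargo install cargo-deny
+- name: Checked for unauthorized crate sources
+run: cargo deny check sources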
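Review bot: The step name on line 53 of the new file reads `Checked for unauthorized crate sources` while the other three jobs use the imperative `Check for ...`; change it to `- name: Check for unauthorized crate sources` so the job log is consistent. Each job also runs an unpinned `cargo install cargo-deny`, so the weekly scheduled run picks up whatever cargo-deny release is current and can start failing (or silently passing) for reasons unrelated to this repository; pinning the tool, e.g. `run: cargo install cargo-deny --locked --version <PINNED_VERSION>`, keeps the four checks reproducible and makes tool upgrades an explicit change. actions/checkout is referenced by the mutable tag `@v2` rather than a commit SHA, which is common for first-party actions but worth a conscious decision in a workflow whose purpose is supply-chain hygiene.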

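--- a/deny.toml
+++ b/deny.toml
@@ -0,0 +1,66 @@
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "deny"
+yanked = "deny"
+notice = "deny"
+ignore = [
+"RUSTSEC-2020-0016", # net2 deprecated - https://github.com/deprecrated/net2-rs/commit/3350e3819adf151709047e93f25583a5df681091
+"RUSTSEC-2020-0056", # stdweb unmaintained - https://github.com/koute/stdweb/issues/403
+"RUSTSEC-2021-0047", # security issue - https://github.com/gnzlbg/slice_deque/issues/90
+]
+
+[licenses]
+unlicensed = "deny"
+copyleft = "deny"
+allow = [
+"MIT",
+"Apache-2.0",
+"BSD-3-Clause",
+"ISC",
+"Zlib",
+"0BSD",
+"BSD-2-Clause",
+"CC0-1.0",
+"MPL-2.0",
+]
+default = "deny"
+
+[[licenses.clarify]]
+name = "stretch"
+expression = "MIT"
+license-files = []
+
+[bans]
+multiple-versions = "deny"
+wildcards = "deny"
+highlight = "all"
+# Certain crates/versions that will be skipped when doing duplicate detection.
+skip = [
+{ name = "ahash", version = "0.4" },
+{ name = "android_log-sys", version = "0.1" },
+{ name = "cfg-if", version = "0.1" }, # https://github.com/rustwasm/console_error_panic_hook/pull/18
+{ name = "core-foundation", version = "0.6" },
+{ name = "core-foundation", version = "0.7" },
+{ name = "core-foundation-sys", version = "0.6" },
+{ name = "core-foundation-sys", version = "0.7" },
+{ name = "core-graphics", version = "0.19" },
+{ name = "fixedbitset", version = "0.2" },
+{ name = "libm", version = "0.1" },
+{ name = "mach", version = "0.2" },
+{ name = "mio", version = "0.6" },
+{ name = "miow", version = "0.2" },
+{ name = "ndk", version = "0.2" },
+{ name = "ndk-glue", version = "0.2" },
+{ name = "num_enum", version = "0.4" },
+{ name = "num_enum_derive", version = "0.4" },
+{ name = "stdweb", version = "0.1" },
+{ name = "winapi", version = "0.2" },
+]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []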
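Review bot: The `ignore` entry for RUSTSEC-2021-0047 on line 11 of the new file silences a vulnerability advisory (unlike the two unmaintained/deprecated notices above it) with only the comment `security issue`, which records what is ignored but not why that is acceptable for this project or when the exception should be dropped; with `vulnerability = "deny"` as the policy, an unjustified ignore is the one place the policy is bypassed. Replace the comment with one that states the rationale and the exit condition, e.g. `"RUSTSEC-2021-0047", # slice_deque, https://github.com/gnzlbg/slice_deque/issues/90 - accepted because <REASON>; remove once <DEPENDENT CRATE> drops slice_deque`. The `bans.skip` list on lines 41-59 has the same gap: only the cfg-if entry points at the upstream change that would let it be removed, so a short per-entry note naming which dependency pulls in the old version would make later cleanup tractable.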
