F-017: ci: add cargo-deny license/advisory enforcement#20
Sephyi wants to merge 1 commit into development from
Conversation
PRD SR-005 requires cargo-deny for license, advisory, and source enforcement across the dependency graph. Previously only cargo audit ran, leaving license compatibility and unknown-registry risk unchecked.

Add a root deny.toml with:

- licenses: curated allow-list (MIT, Apache-2.0, BSD variants, ISC, Unicode-3.0, Zlib, CC0-1.0, MPL-2.0, BSL-1.0) plus an explicit exception for the root crate's AGPL-3.0-only OR LicenseRef-Commercial dual license. version = 2 disables the legacy copyleft behaviour.
- advisories: yanked = "deny", empty ignore list, version = 2.
- sources: deny unknown-registry and unknown-git; allow only crates.io-index.
- bans: multiple-versions = "warn" (too noisy to fail on today given the gix and toml trees), wildcards = "deny".
- graph.targets: all Tier-1 hosts so platform-gated deps (security-framework on macOS, winapi on Windows) are evaluated.

Wire a new "Cargo Deny" CI job via EmbarkStudios/cargo-deny-action@v2 running "cargo deny check --all-features". Kept as a standalone job to minimise conflicts with other in-flight ci.yml edits.

Verified locally: cargo-deny 0.19.0 reports "advisories ok, bans ok, licenses ok, sources ok" with only expected duplicate-version warnings.

Closes audit entry F-017 from #3.
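For readers who want to see the policy above as a file: the following deny.toml is an added example reconstructed from the PR description, not the file committed in this PR. The crate name `my-root-crate` is a placeholder for the workspace root crate, and the `targets` list is an assumption about the current Tier-1 hosts that should be checked against the Rust platform-support page.

```toml
# Added example built from the PR description; not the PR's own deny.toml.
# "my-root-crate" is a placeholder, and the target list is an assumption.

[graph]
# Resolve the graph for every Tier-1 host so platform-gated dependencies
# (e.g. security-framework on macOS, winapi on Windows) are checked too.
targets = [
    "x86_64-unknown-linux-gnu",
    "aarch64-unknown-linux-gnu",
    "x86_64-apple-darwin",
    "aarch64-apple-darwin",
    "x86_64-pc-windows-msvc",
]

[advisories]
version = 2
yanked = "deny"
# Keep this empty; any future entry should name the advisory ID and the reason.
ignore = []

[licenses]
version = 2
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-3.0",
    "Zlib",
    "CC0-1.0",
    "MPL-2.0",
    "BSL-1.0",
]

# The root crate is dual-licensed. Scoping the exception to that one crate by
# name means an AGPL-3.0-only *dependency* is still rejected by the allow-list.
[[licenses.exceptions]]
name = "my-root-crate"
allow = ["AGPL-3.0-only", "LicenseRef-Commercial"]

[bans]
# Duplicate versions only warn today (gix and toml trees); wildcards never pass.
multiple-versions = "warn"
wildcards = "deny"

[sources]
# Anything not from crates.io (unknown registries, git deps) fails the check.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

Run `cargo deny check --all-features` from the workspace root to evaluate it; `--all-features` is what the CI job passes, so features only enabled by the CI invocation are covered by the same policy.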
Pull request overview
Adds cargo-deny policy enforcement to CI to cover license/advisory/source compliance (audit finding F-017 / PRD SR-005).
Changes:
- Introduce deny.toml to define cargo-deny policy (targets, advisories, licenses, sources).
- Add a new GitHub Actions CI job to run cargo deny check on PRs/branches.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| deny.toml | New cargo-deny configuration for advisories, license allowlist/exception, and source restrictions. |
| .github/workflows/ci.yml | Adds a deny job running EmbarkStudios/cargo-deny-action@v2 to enforce the new policy in CI. |
| deny: | ||
| name: Cargo Deny | ||
| runs-on: ubuntu-24.04 | ||
| timeout-minutes: 10 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: EmbarkStudios/cargo-deny-action@v2 | ||
| with: | ||
| command: check | ||
| arguments: --all-features |
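Review bot: both actions in this job, `actions/checkout@v4` and `EmbarkStudios/cargo-deny-action@v2`, are referenced by floating major-version tags; for a job whose whole purpose is supply-chain policy enforcement, pin each to a full commit SHA with the tag in a trailing comment so a moved tag cannot change what runs. The job also carries no `permissions:` block and so inherits the workflow default; `permissions: contents: read` is all a read-only check needs. Consider `arguments: --all-features --locked` so the run fails if Cargo.lock would be re-resolved instead of evaluating a graph that differs from the committed one.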
The new deny job doesn’t install the pinned Rust toolchain (env.RUST_TOOLCHAIN) like the other Rust jobs do. This can make cargo-deny run with whatever toolchain happens to be on the runner (or fail if cargo isn’t available), reducing reproducibility vs the rest of CI. Add the same dtolnay/rust-toolchain@master step (and optionally Swatinem/rust-cache@v2) before running cargo-deny.
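The job as it would read with the toolchain step above applied, plus a read-only permissions block and a `--locked` argument. This is an added example, not the PR's workflow: it assumes `env.RUST_TOOLCHAIN` is defined at workflow level as the comment describes, and `--locked` is an addition that makes the run fail if Cargo.lock would change rather than silently re-resolving the graph.

```yaml
# Added example showing the deny job with a pinned toolchain; not the PR's ci.yml.
# Assumes RUST_TOOLCHAIN is set in the workflow-level env block.
deny:
  name: Cargo Deny
  runs-on: ubuntu-24.04
  timeout-minutes: 10
  permissions:
    contents: read          # the check only reads the repository
  steps:
    - uses: actions/checkout@v4
    # Same pinned toolchain as the other Rust jobs, so cargo-deny resolves the
    # dependency graph with a known cargo rather than whatever is on the runner.
    - uses: dtolnay/rust-toolchain@master
      with:
        toolchain: ${{ env.RUST_TOOLCHAIN }}
    - uses: Swatinem/rust-cache@v2
    - uses: EmbarkStudios/cargo-deny-action@v2
      with:
        command: check
        # --locked: fail instead of re-resolving if Cargo.lock is out of date
        arguments: --all-features --locked
```

Pinning `actions/*` and `EmbarkStudios/cargo-deny-action` to full commit SHAs instead of version tags is a further step worth taking for a policy-enforcement job, but is left as the tag form here to match the rest of the workflow.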
Summary
ci: add cargo-deny license/advisory enforcement.
Audit context
Closes audit entry F-017 from #3.
Verification
- cargo fmt --check
- cargo clippy --all-targets --all-features -- -D warnings
- cargo test --all-targets