From 6dff3cd06efda5dc26ee9f16aa55cad558e71dce Mon Sep 17 00:00:00 2001
From: Sephyi
Date: Sun, 19 Apr 2026 18:57:44 +0200
Subject: [PATCH] ci: add cargo-deny license/advisory/source enforcement

PRD SR-005 requires cargo-deny for license, advisory, and source enforcement across the dependency graph. Previously only cargo audit ran, leaving license compatibility and unknown-registry risk unchecked. Add a root deny.toml with:
- licenses: curated allow-list (MIT, Apache-2.0, BSD variants, ISC, Unicode-3.0, Zlib, CC0-1.0, MPL-2.0, BSL-1.0) plus an explicit exception for the root crate's AGPL-3.0-only OR LicenseRef-Commercial dual license. version = 2 disables the legacy copyleft behaviour.
- advisories: yanked = "deny", empty ignore list, version = 2.
- sources: deny unknown-registry and unknown-git; allow only crates.io-index.
- bans: multiple-versions = "warn" (too noisy to fail on today given the gix and toml trees), wildcards = "deny".
- graph.targets: all Tier-1 hosts so platform-gated deps (security-framework on macOS, winapi on Windows) are evaluated.

Wire a new "Cargo Deny" CI job via EmbarkStudios/cargo-deny-action@v2 running "cargo deny check --all-features". Kept as a standalone job to minimise conflicts with other in-flight ci.yml edits.

Verified locally: cargo-deny 0.19.0 reports "advisories ok, bans ok, licenses ok, sources ok" with only expected duplicate-version warnings.

Closes audit entry F-017 from #3.
---
 .github/workflows/ci.yml | 11 +++++++
 deny.toml | 70 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)
 create mode 100644 deny.toml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 212bd30..0e428d8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -114,3 +114,14 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - uses: fsfe/reuse-action@v4
+
+ deny:
+ name: Cargo Deny
+ runs-on: ubuntu-24.04
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ - uses: EmbarkStudios/cargo-deny-action@v2
+ with:
+ command: check
+ arguments: --all-features
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..aeebf07
--- /dev/null
+++ b/deny.toml
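Review bot: The new job references `actions/checkout@v4` and `EmbarkStudios/cargo-deny-action@v2` by mutable tag, so the job that enforces the dependency supply chain is itself fetched from a floating ref; pin both to a full-length commit SHA with the version in a trailing comment, e.g. `- uses: EmbarkStudios/cargo-deny-action@<full-sha> # v2.x`. A SHA pin also fixes which cargo-deny binary runs (the action ships a specific release, as far as I know — verify), so CI stays on the version the commit message says was verified locally until someone bumps it deliberately. The job declares no `permissions:` block; unless the workflow already sets a restrictive default at the top level (outside this hunk), add `permissions:` / `contents: read` to this job. Consider `with: persist-credentials: false` on the checkout step as well, since the job only reads the tree.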
@@ -0,0 +1,70 @@
+# SPDX-FileCopyrightText: 2026 Sephyi
+#
+# SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Commercial
+
+# cargo-deny configuration for CommitBee.
+# Enforces PRD SR-005 (license / advisory / source policy) across the
+# dependency graph. Tuned for cargo-deny 0.19+.
+
+[graph]
+# Check all Tier-1 targets so platform-specific deps (e.g. security-framework
+# on macOS, winapi on Windows) don't sneak unreviewed licenses in.
+targets = [
+ "x86_64-unknown-linux-gnu",
+ "aarch64-unknown-linux-gnu",
+ "x86_64-apple-darwin",
+ "aarch64-apple-darwin",
+ "x86_64-pc-windows-msvc",
+]
+all-features = true
+
+[advisories]
+version = 2
+# Yanked crates are treated as advisories — refuse to ship them.
+yanked = "deny"
+# Start with an empty ignore list. Any accepted advisory must be added here
+# explicitly, with a link to the accompanying triage note.
+ignore = []
+
+[licenses]
+version = 2
+# Allow-list curated for the current dependency tree. Every entry is an SPDX
+# identifier. Add new ones only after reviewing the crate's license text.
+allow = [
+ "MIT",
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "Unicode-3.0",
+ "Zlib",
+ "CC0-1.0",
+ "MPL-2.0",
+ "BSL-1.0",
+]
+confidence-threshold = 0.8
+
+[[licenses.exceptions]]
+# The root crate is dual-licensed (AGPL-3.0-only OR LicenseRef-Commercial).
+# cargo-deny doesn't resolve LicenseRef- identifiers against the allow-list,
+# so grant the root crate an explicit exception.
+name = "commitbee"
+allow = ["AGPL-3.0-only", "LicenseRef-Commercial"]
+
+[bans]
+# Duplicate versions are common in transitive deps (e.g. hashbrown 0.14/0.15).
+# Warn for visibility but don't fail CI — tighten later once the tree stabilises.
+multiple-versions = "warn"
+wildcards = "deny"
+highlight = "all"
+# Explicitly ban crates we don't want creeping in via transitive deps.
+deny = []
+skip = []
+skip-tree = []
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []
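Review bot: Nothing in `[advisories]` enforces the "link to the accompanying triage note" rule its comment states, because a bare `"RUSTSEC-…"` string is a valid `ignore` entry; cargo-deny accepts inline tables here, so spell out the expected shape in the comment, e.g. `# ignore = [{ id = "RUSTSEC-YYYY-NNNN", reason = "<triage note URL>" }]`. `all-features = true` under `[graph]` and the `--all-features` the CI job passes on the command line do the same thing; keeping only the deny.toml setting means a local `cargo deny check` evaluates the same graph CI does. The `[[licenses.exceptions]]` entry matches any crate named `commitbee` regardless of source; if the root crate is `publish = false` (not visible here), `[licenses.private]` with `ignore = true` is the usual way to exclude an unpublished workspace crate and avoids granting AGPL by name at all. The comment above `deny = []` announces an explicit ban list that is empty, so reword it to say no bans exist yet (e.g. `# No explicit bans yet; list crates here rather than relying on transitive luck.`) rather than leaving the reader to wonder what was meant to go there.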