Add a cargo deny workflow (#89)

* Add a cargo deny workflow

Also trims out a pointless submodule checkout (we have none).

* Remove no longer relevant advisories/allowances

* Patch for array-bytes

* Remove unused properties

* Restore chrono advisory

* Allow MPL-2.0, correct GPL-3.0 allowance specification

* Properly ban copyleft, run on all crates

* Exceptions for Serai crates (AGPL-3.0)

* Remove top comments

* Clarify reasoning for not checking advisories in CI

* Run all checks in CI

While this may cause an unrelated commit to fail CI, we can manually review it before creating a follow-up commit that allows it. If the finding is critical, then this check did its job.
This commit is contained in:
Luke Parker 2022-11-16 20:53:35 -06:00 committed by GitHub
parent 4a3178ed8f
commit 56574f2f5b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 102 additions and 10 deletions


@ -17,8 +17,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
submodules: "recursive"
- name: Test Dependencies
uses: ./.github/actions/test-dependencies
@ -37,8 +35,6 @@ jobs:
steps:
- uses: actions/checkout@v3
with:
submodules: "recursive"
- name: Test Dependencies
uses: ./.github/actions/test-dependencies


@ -12,8 +12,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
submodules: "recursive"
- name: Get nightly version to use
id: nightly
@ -29,12 +27,33 @@ jobs:
- name: Run Clippy
run: cargo clippy --all-features -- -D warnings -A clippy::type_complexity -A dead_code
deny:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Rust Cache
uses: actions/cache@v3
with:
path: ~/.cargo/advisory-db
key: rust-advisory-db
- name: Install cargo
uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
- name: Install cargo deny
run: cargo install --locked cargo-deny
- name: Run cargo deny
run: cargo deny -L error --all-features check
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
submodules: "recursive"
- name: Test Dependencies
uses: ./.github/actions/test-dependencies
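Review bot: The `Install cargo deny` step runs `cargo install --locked cargo-deny` without a version, so every CI run builds whatever cargo-deny release is current at that moment; a new release can change how deny.toml is interpreted (or fail to build) with no change to this repository, and the job's result stops being reproducible. Pin it, e.g. `run: cargo install --locked cargo-deny --version <PINNED_CARGO_DENY_VERSION>`, and bump deliberately. The same applies in lesser degree to the third-party actions referenced by mutable tag in the new job (`actions/checkout@v3`, `actions/cache@v3`, `actions-rs/toolchain@v1`), which can be pinned to a commit SHA. The `rust-advisory-db` cache key is static, so actions/cache will never refresh the saved entry; presumably cargo deny still fetches the advisory database on each run and the cache only speeds that up, but this is worth confirming, since a stale database would silently weaken the advisories check.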

3
Cargo.lock generated

@ -118,8 +118,7 @@ dependencies = [
[[package]]
name = "array-bytes"
version = "4.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6a913633b0c922e6b745072795f50d90ebea78ba31a57e2ac8c2fc7b50950949"
source = "git+https://github.com/hack-ink/array-bytes?rev=994cd29b66bd2ab5c8c15f0b15a1618d4bb2d94c#994cd29b66bd2ab5c8c15f0b15a1618d4bb2d94c"
[[package]]
name = "array-init"


@ -48,3 +48,8 @@ monero-serai = { opt-level = 3 }
[profile.release]
panic = "unwind"
[patch.crates-io]
# array-bytes 4.1.0 is GPL-3.0.
# array-bytes git, which has no code changes, includes a dual-license under Apache-2.0.
array-bytes = { git = "https://github.com/hack-ink/array-bytes", rev = "994cd29b66bd2ab5c8c15f0b15a1618d4bb2d94c" }
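Review bot: The comment on the new `[patch.crates-io]` entry states the git rev "has no code changes" relative to array-bytes 4.1.0, but nothing records how that was established or when the patch can be retired, so a later maintainer cannot tell whether bumping the rev is safe. Pinning by full commit hash is the right call; I would extend the comment to say the rev was diffed against the 4.1.0 crate source and that the patch should be dropped once a dual-licensed version is published on crates.io, e.g. `# Pinned to a full commit hash; remove once a dual-licensed release is on crates.io.`.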

73
deny.toml Normal file

@ -0,0 +1,73 @@
[advisories]
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
vulnerability = "deny"
yanked = "deny"
notice = "warn"
unmaintained = "warn"
ignore = [
"RUSTSEC-2020-0071", # https://github.com/chronotope/chrono/issues/602
]
[licenses]
unlicensed = "deny"
allow = [
# Effective public domain
"CC0-1.0",
"Unlicense",
# Attribution required
"MIT",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Unicode-DFS-2016",
"OpenSSL",
# Non-invasive copyleft
"MPL-2.0",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"GPL-3.0 WITH Classpath-exception-2.0",
]
copyleft = "deny"
allow-osi-fsf-free = "neither"
default = "deny"
exceptions = [
{ allow = ["AGPL-3.0"], name = "ethereum-serai" },
{ allow = ["AGPL-3.0"], name = "serai-processor" },
{ allow = ["AGPL-3.0"], name = "serai-extension" },
{ allow = ["AGPL-3.0"], name = "serai-multisig" },
{ allow = ["AGPL-3.0"], name = "serai-runtime" },
{ allow = ["AGPL-3.0"], name = "serai-consensus" },
{ allow = ["AGPL-3.0"], name = "serai-node" },
]
[[licenses.clarify]]
name = "ring"
version = "*"
expression = "MIT AND ISC AND OpenSSL"
license-files = [
{ path = "LICENSE", hash = 0xbd0eed23 }
]
[bans]
multiple-versions = "warn"
wildcards = "warn"
highlight = "all"
[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = [
"https://github.com/serai-dex/substrate",
"https://github.com/hack-ink/array-bytes"
]
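Review bot: The `[sources]` section's `allow-git` list permits any ref from the two listed repositories, so `unknown-git = "deny"` does not by itself require that a git dependency be pinned to a commit; a dependency tracking a branch or tag of serai-dex/substrate would pass this check while still being mutable. If the cargo-deny version in use supports it, `required-git-spec = "rev"` under `[sources]` would require commit pinning and catch that. Separately, the `exceptions` list enumerates seven workspace crates by name, and a newly added AGPL-3.0 crate will fail the licenses check until it is listed here; a comment above the list such as `# Workspace crates licensed AGPL-3.0; any new AGPL-3.0 workspace crate must be added here.` would make that expected failure self-explanatory.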