From 4cee8920a4ee739f10f17192d309d66cf8a4a297 Mon Sep 17 00:00:00 2001 From: DaniPopes <57450786+DaniPopes@users.noreply.github.com> Date: Fri, 24 Feb 2023 23:14:04 +0100 Subject: [PATCH] ci: add deny CI
---
 .github/workflows/deps.yml | 43 ++++++++++++++++ .github/workflows/releases.yml | 2 +- .github/workflows/rustsec.yml | 23 --------- deny.toml | 89 ++++++++++++++++++++++++++++++++++ 4 files changed, 133 insertions(+), 24 deletions(-) create mode 100644 .github/workflows/deps.yml delete mode 100644 .github/workflows/rustsec.yml create mode 100644 deny.toml
diff --git a/.github/workflows/deps.yml b/.github/workflows/deps.yml
new file mode 100644
index 00000000..dbcafc82
--- /dev/null
+++ b/.github/workflows/deps.yml
@@ -0,0 +1,43 @@
+name: deps
+
+on:
+ push:
+ branches: [master]
+ paths: [Cargo.lock]
+ pull_request:
+ branches: [master]
+ paths: [Cargo.lock]
+
+env:
+ RUSTFLAGS: -D warnings
+ CARGO_TERM_COLOR: always
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: dtolnay/rust-toolchain@nightly
+ - run: cargo install --locked cargo-audit
+ - run: cargo audit
+
+ deny:
+ name: deny (${{ matrix.checks }})
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ checks:
+ - advisories
+ - bans licenses sources
+
+ continue-on-error: ${{ matrix.checks == 'advisories' }}
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: EmbarkStudios/cargo-deny-action@v1
+ with:
+ command: check ${{ matrix.checks }}
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index 9d13cc28..1dbe6779 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -1,4 +1,4 @@
-name: Release
+name: release
 on:
 schedule:
diff --git a/.github/workflows/rustsec.yml b/.github/workflows/rustsec.yml
deleted file mode 100644
index 532f7d6c..00000000
--- a/.github/workflows/rustsec.yml
+++ /dev/null
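Review bot: The deps workflow only fires on pushes and pull requests whose paths include Cargo.lock, so an advisory published against an already-locked dependency is never reported until the lockfile next changes; adding a `schedule:` trigger (for example `schedule: [{ cron: "0 0 * * *" }]`) closes that gap, and listing `deny.toml` under `paths` would re-run the checks when the policy itself is edited. The advisories leg of the matrix is `continue-on-error`, which turns the vulnerability check into an advisory-only signal; that seems to rely on the separate `audit` job still failing on vulnerabilities, and that dependence deserves a comment next to `continue-on-error` so the soft-fail is not later copied to the other leg. The third-party actions are referenced by mutable tags (`actions/checkout@v3`, `EmbarkStudios/cargo-deny-action@v1`, `dtolnay/rust-toolchain@nightly`); pinning them to a commit SHA would keep the supply-chain gate itself from changing under a moved tag.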
@@ -1,23 +0,0 @@
-name: Security audit
-
-on:
- push:
- branches: [master]
- paths:
- - "**/Cargo.toml"
- - "**/Cargo.lock"
- pull_request:
- branches: [master]
- paths:
- - "**/Cargo.toml"
- - "**/Cargo.lock"
-
-jobs:
- audit:
- name: Security audit
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: dtolnay/rust-toolchain@nightly
- - run: cargo install --locked cargo-audit
- - run: cargo audit --deny warnings
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..b81bbbba
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,89 @@
+# This section is considered when running `cargo deny check advisories`
+# More documentation for the advisories section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+[advisories]
+vulnerability = "deny"
+unmaintained = "warn"
+unsound = "warn"
+yanked = "warn"
+notice = "warn"
+
+# This section is considered when running `cargo deny check bans`.
+# More documentation about the 'bans' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+# Lint level for when multiple versions of the same crate are detected
+multiple-versions = "warn"
+# Lint level for when a crate version requirement is `*`
+wildcards = "allow"
+highlight = "all"
+# List of crates to deny
+deny = [
+ # Each entry the name of a crate and a version range. If version is
+ # not specified, all versions will be matched.
+ #{ name = "ansi_term", version = "=0.11.0" },
+]
+# Certain crates/versions that will be skipped when doing duplicate detection.
+skip = []
+# Similarly to `skip` allows you to skip certain crates during duplicate
+# detection. Unlike skip, it also includes the entire tree of transitive
+# dependencies starting at the specified crate, up to a certain depth, which is
+# by default infinite
+skip-tree = []
+
+[licenses]
+unlicensed = "deny"
+# List of explicitly allowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
+allow = [
+ "MIT",
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "Unicode-DFS-2016",
+ "OpenSSL",
+ "Unlicense",
+]
+
+# Allow 1 or more licenses on a per-crate basis, so that particular licenses
+# aren't accepted for every possible crate as with the normal allow list
+exceptions = [
+ # CC0 is a permissive license but somewhat unclear status for source code
+ # so we prefer to not have dependencies using it
+ # https://tldrlegal.com/license/creative-commons-cc0-1.0-universal
+ { allow = ["CC0-1.0"], name = "secp256k1" },
+ { allow = ["CC0-1.0"], name = "secp256k1-sys" },
+ { allow = ["CC0-1.0"], name = "tiny-keccak" },
+ { allow = ["CC0-1.0"], name = "more-asserts" },
+
+ # TODO: ethers transitive deps
+ { allow = ["GPL-3.0"], name = "fastrlp" },
+ { allow = ["GPL-3.0"], name = "fastrlp-derive" },
+]
+#copyleft = "deny"
+
+# See note in unicode-ident's readme!
+[[licenses.clarify]]
+name = "unicode-ident"
+version = "*"
+expression = "(MIT OR Apache-2.0) AND Unicode-DFS-2016"
+license-files = [{ path = "LICENSE-UNICODE", hash = 0x3fb01745 }]
+[[licenses.clarify]]
+name = "ring"
+version = "*"
+expression = "OpenSSL"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
+
+# This section is considered when running `cargo deny check sources`.
+# More documentation about the 'sources' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+# Lint level for what to happen when a crate from a crate registry that is not
+# in the allow list is encountered
+unknown-registry = "warn"
+# Lint level for what to happen when a crate from a git repository that is not
+# in the allow list is encountered
+unknown-git = "allow"
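Review bot: `unknown-git = "allow"` at the end of the `[sources]` section accepts a dependency fetched from any git repository without even a warning, so the `sources` leg of the deny job (the blocking one in the matrix) has nothing to enforce for git sources; with no `allow-git` list declared, `unknown-git = "warn"` (or `"deny"` together with an explicit `allow-git = [...]`) would make that check meaningful. The GPL-3.0 exceptions for `fastrlp` and `fastrlp-derive` are marked `# TODO: ethers transitive deps` while `#copyleft = "deny"` stays commented out, so nothing records when they can be removed; a comment naming the upstream change that drops them would keep the exception from becoming permanent. Likewise `wildcards = "allow"` and `multiple-versions = "warn"` carry comments that restate what the key is rather than why the project chose the permissive level, for example `# warn only: ethers pulls several duplicate versions today` above `multiple-versions`.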