Skip to content

ci: add cargo-deny for dependency auditing#82

Merged
kafkade merged 2 commits into
mainfrom
kafkade-add-cargo-deny-ci
Jul 7, 2026
Merged

ci: add cargo-deny for dependency auditing#82
kafkade merged 2 commits into
mainfrom
kafkade-add-cargo-deny-ci

Conversation

@kafkade

@kafkade kafkade commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Description

Adds cargo-deny to CI to automatically audit dependencies for security advisories, license compliance, banned/duplicate crates, and crate sources on every PR and push to main.

What's included:

  • deny.toml (new) — written for the current cargo-deny 0.19.x schema:
    • Licenses: permissive allowlist covering every license actually present in the tree (MIT, MIT-0, Apache-2.0 incl. LLVM-exception, 0BSD/BSD-1/2/3-Clause, ISC, BSL-1.0, CC0-1.0, Zlib, Unicode-3.0, Unlicense, and MPL-2.0 for the weak-copyleft option-ext).
    • Advisories: vulnerabilities and yanked crates are denied; unmaintained is scoped to workspace deps. A documented ignore list acknowledges four advisories that have no MSRV-compatible fix (each with justification): rsa Marvin attack (via russh, ssh feature) and the time + quick-xml DoS advisories (via plist, whose fixes require Rust 1.88 > the project MSRV of 1.85).
    • Bans: duplicate versions warn (the async/crypto graph has many); Sources: unknown registry/git denied.
    • [graph] all-features = true so optional features (gpu, battery, docker, k8s, ssh, prometheus) are audited too.
  • .github/workflows/ci.yml — new parallel deny job using EmbarkStudios/cargo-deny-action, pinned by commit SHA (bb137d7 = v2.0.20) to match the repo's action-pinning convention.
  • Cargo.lockcargo update for the two fixable yanked crates: aes 0.9.0 → 0.9.1 and crypto-bigint 0.7.3 → 0.7.5. time/quick-xml were intentionally left unbumped to preserve MSRV 1.85.

cargo deny check passes locally (advisories, bans, licenses, sources all ok).

Related Issues

Closes #32

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Documentation update
  • Refactoring (no functional changes)
  • CI / infrastructure
  • Other (describe below)

Checklist

  • I have read CONTRIBUTING.md
  • cargo test passes
  • cargo clippy -- -D warnings reports no warnings
  • cargo fmt has been applied
  • I have added tests for new functionality (if applicable)
  • I have updated documentation (if applicable)

@kafkade kafkade enabled auto-merge (squash) July 7, 2026 04:25
@cloudflare-workers-and-pages

Copy link
Copy Markdown
Contributor

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
kite e1cbfb0 Commit Preview URL

Branch Preview URL
Jul 07 2026, 04:25 AM

@kafkade kafkade merged commit ccb30a8 into main Jul 7, 2026
3 checks passed
@kafkade kafkade deleted the kafkade-add-cargo-deny-ci branch July 7, 2026 04:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add cargo-deny to CI for dependency auditing

1 participant