ci: add cargo-deny supply-chain gate for Rust dependencies #149
Open
maplesyzzurp wants to merge 1 commit into
Conversation
CI ran fmt/clippy/test plus a secret scan, but nothing checked the dependency tree for known vulnerabilities. Add a cargo-deny job (advisories + bans + sources) so a RUSTSEC advisory, a yanked crate, a wildcard version requirement, or a dependency from an unexpected registry fails CI. deny.toml is scoped to the security checks; license compliance is left for a follow-up so the gate stays focused. The action is commit-pinned. Verified locally with cargo-deny 0.19.8: advisories ok, bans ok, sources ok.
Adds a dependency-vulnerability gate to CI — the one supply-chain hole in the current setup. CI runs fmt/clippy/test + `check-secrets.py`, but nothing audits the dependency tree (261 crates, recently grown).

What

A new `cargo-deny` job in `.github/workflows/ci.yml` runs `cargo deny check advisories bans sources` on every PR/push: *) version requirements; surface duplicate transitive versions as warnings (non-fatal). Config lives in `deny.toml` at the repo root.

Scope

Intentionally security-only. License compliance is left for a follow-up so this gate stays focused and does not fail on license classification; enabling it later is a one-line change (`[licenses]` allow-list + `check licenses`).

Notes

`cargo-deny-action` is commit-pinned (`bb137d7…` = v2.0.20) — a supply-chain gate should not itself depend on a mutable action tag.

`Cargo.lock`: advisories ok, bans ok, sources ok. Two duplicate-version warnings (`thiserror`, `wit-bindgen`) are surfaced but non-fatal.

Opened against the contribution freeze as a focused hardening change, in the same vein as #144 / #145 / #148.
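For reference, a security-only `deny.toml` that encodes the policy described in this PR (advisories + bans + sources, licenses deferred) looks like the following; this is an added illustration, not the file from the PR. The registry URL, the `[graph]` section and the commented-out `[licenses]` stub are assumptions about how the follow-up would be wired in.

```toml
# deny.toml (illustrative): the three checks run by
# `cargo deny check advisories bans sources`. License checking is
# intentionally absent so the gate fails only on security findings.

[graph]
# Audit every feature combination, not just the defaults.
all-features = true

[advisories]
# RUSTSEC database consulted by `check advisories`; any matching
# vulnerability fails the job.
db-urls = ["https://github.com/rustsec/advisory-db"]
# A crate yanked from the registry also fails the job.
yanked = "deny"
# Accepted advisories must be listed here explicitly, with a reason,
# so exceptions are reviewed in a PR rather than silently tolerated.
ignore = []

[bans]
# A `*` version requirement pins nothing and is rejected.
wildcards = "deny"
# Duplicate transitive versions (e.g. two thiserror majors) are
# reported as warnings only; they do not fail CI.
multiple-versions = "warn"
highlight = "all"
# Crates that must never enter the dependency tree go here.
deny = []

[sources]
# Only the crates.io index is an acceptable origin; a dependency
# pulled from another registry or an unlisted git URL fails the job.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []

# Follow-up (assumed shape): add an allow-list and run
# `cargo deny check licenses` once license classification is settled.
# [licenses]
# allow = ["MIT", "Apache-2.0"]
```

Running `cargo deny check advisories bans sources` locally against the workspace `Cargo.lock` reproduces what the CI job evaluates, which is how the "advisories ok, bans ok, sources ok" result above was obtained.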