From 904406c24443d58f27523d830cc4a49f452dc267 Mon Sep 17 00:00:00 2001
From: jpoehnelt-bot
Date: Tue, 31 Mar 2026 11:34:50 -0600
Subject: [PATCH 1/9] ci: add cargo-deny configuration for supply chain auditing
---
 .changeset/add-cargo-deny.md | 5 ++++
 deny.toml | 49 ++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 .changeset/add-cargo-deny.md
 create mode 100644 deny.toml
diff --git a/.changeset/add-cargo-deny.md b/.changeset/add-cargo-deny.md
new file mode 100644
index 00000000..2703a283
--- /dev/null
+++ b/.changeset/add-cargo-deny.md
@@ -0,0 +1,5 @@
+---
+"@googleworkspace/cli": patch
+---
+
+Add cargo-deny configuration for license, advisory, and source auditing
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..1d34787d
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,49 @@
+# cargo-deny configuration
+# https://embarkstudios.github.io/cargo-deny/
+
+[graph]
+targets = [
+ "x86_64-unknown-linux-gnu",
+ "x86_64-unknown-linux-musl",
+ "aarch64-unknown-linux-gnu",
+ "aarch64-unknown-linux-musl",
+ "x86_64-apple-darwin",
+ "aarch64-apple-darwin",
+ "x86_64-pc-windows-msvc",
+]
+
+# Advisories — checks for known vulnerable crate versions
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+
+# Licenses — allowlist of acceptable licenses
+[licenses]
+allow = [
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "MIT",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "Unicode-3.0",
+ "Unicode-DFS-2016",
+ "Zlib",
+ "OpenSSL",
+ "MPL-2.0",
+ "CC0-1.0",
+ "BSL-1.0",
+]
+
+# Bans — reject problematic and duplicate crates
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+deny = []
+
+# Sources — restrict where crates can come from
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []
From ae47944961c171f729478f4cf6d2b2d0d0a3bcbc Mon Sep 17 00:00:00 2001
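Review bot: The `[graph]` section pins `targets` but neither it nor a comment says what that leaves out, and no `all-features`/`features` key is set, so a reader cannot tell how much of the dependency tree the advisory, license and source checks actually cover. As I read the cargo-deny documentation, listing targets means crates pulled in only for other targets (wasm, the BSDs, `*-windows-gnu`) are not evaluated, and crates behind non-default features are skipped unless `all-features = true` is set here or `--all-features` is passed on the command line. I would add above `[graph]` the comment `# Only these targets are audited; crates enabled solely for other targets or for non-default features are not checked unless --all-features is passed.` and, if the intent is to audit everything the crate can be built with, `all-features = true` under `[graph]`. The hunk is the whole file in this commit, so nothing is cut off.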
From: Justin Poehnelt
Date: Tue, 31 Mar 2026 11:39:36 -0600
Subject: [PATCH 2/9] Update deny.toml
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 deny.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deny.toml b/deny.toml
index 1d34787d..41ec856b 100644
--- a/deny.toml
+++ b/deny.toml
@@ -37,7 +37,7 @@ allow = [
 # Bans — reject problematic and duplicate crates
 [bans]
-multiple-versions = "warn"
+multiple-versions = "deny"
 wildcards = "allow"
 deny = []
From d013857603fc83a244d1c39b1e02962ea942c9b2 Mon Sep 17 00:00:00 2001
From: Justin Poehnelt
Date: Tue, 31 Mar 2026 11:39:42 -0600
Subject: [PATCH 3/9] Update deny.toml
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 deny.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deny.toml b/deny.toml
index 41ec856b..291d081f 100644
--- a/deny.toml
+++ b/deny.toml
@@ -38,7 +38,7 @@ allow = [
 # Bans — reject problematic and duplicate crates
 [bans]
 multiple-versions = "deny"
-wildcards = "allow"
+wildcards = "deny"
 deny = []
 # Sources — restrict where crates can come from
From 252e2cc7dc1176fc69ebeee0f537d3ef2ac903b6 Mon Sep 17 00:00:00 2001
From: Justin Poehnelt
Date: Tue, 31 Mar 2026 11:43:06 -0600
Subject: [PATCH 4/9] Update deny.toml
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 deny.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deny.toml b/deny.toml
index 291d081f..5d52cd1f 100644
--- a/deny.toml
+++ b/deny.toml
@@ -45,5 +45,5 @@ deny = []
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
-allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-registry = ["https://github.com/rust-lang/crates.io-index", "https://index.crates.io/"]
 allow-git = []
From 3047cd2169e2943b99b7eaaf67ca61136a2a7bbe Mon Sep 17 00:00:00 2001
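Review bot: The second `allow-registry` entry, `"https://index.crates.io/"`, most likely never matches anything while still widening the source allowlist: to my knowledge Cargo records crates.io dependencies in `Cargo.lock` as `registry+https://github.com/rust-lang/crates.io-index` regardless of whether the sparse protocol was used to fetch the index, and cargo-deny already treats crates.io as allowed. If the entry is kept because a sparse registry really is in play, the documented form uses the `sparse+` prefix, i.e. `"sparse+https://index.crates.io/"`, and I would confirm with `cargo deny check sources` against the committed lockfile which source strings are actually seen before merging an allowlist entry nothing exercises. An allowlist should carry only entries that are known to match.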
From: Justin Poehnelt
Date: Tue, 31 Mar 2026 11:43:17 -0600
Subject: [PATCH 5/9] Update deny.toml
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 deny.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deny.toml b/deny.toml
index 5d52cd1f..18a7d018 100644
--- a/deny.toml
+++ b/deny.toml
@@ -37,7 +37,7 @@ allow = [
 # Bans — reject problematic and duplicate crates
 [bans]
-multiple-versions = "deny"
+multiple-versions = "warn"
 wildcards = "deny"
 deny = []
From 8e8348f3063f47a5c2e444ea81c90a7343f29cd3 Mon Sep 17 00:00:00 2001
From: Justin Poehnelt
Date: Tue, 31 Mar 2026 11:48:35 -0600
Subject: [PATCH 6/9] Update deny.toml
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 deny.toml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/deny.toml b/deny.toml
index 18a7d018..441e80d8 100644
--- a/deny.toml
+++ b/deny.toml
@@ -14,7 +14,6 @@ targets = [
 # Advisories — checks for known vulnerable crate versions
 [advisories]
-db-path = "~/.cargo/advisory-db"
 db-urls = ["https://github.com/rustsec/advisory-db"]
 # Licenses — allowlist of acceptable licenses
From ad47efba2b2d627e2c3ee1a672cc8f049daeb774 Mon Sep 17 00:00:00 2001
From: jpoehnelt-bot
Date: Tue, 31 Mar 2026 11:52:31 -0600
Subject: [PATCH 7/9] ci: add cargo-deny to workflow
Integrates cargo-deny into the main CI pipeline using the official EmbarkStudios action. This will automatically block PRs that introduce banned licenses, insecure crates, or unallowed registries.
---
 .github/workflows/ci.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e30929d6..1eedc997 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -152,6 +152,19 @@ jobs: - name: Clippy run: cargo clippy --workspace -- -D warnings + deny: + name: Cargo Deny + needs: changes + if: needs.changes.outputs.rust == 'true' || github.event_name == 'push' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + + - name: Cargo deny + uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15 + with: + command: check + skills: name: Verify Skills From 8426608a8b7a63fa52cdd6db4bde723b2a3f5535 Mon Sep 17 00:00:00 2001 From: jpoehnelt-bot Date: Tue, 31 Mar 2026 11:59:45 -0600 Subject: [PATCH 8/9] ci: explicitly deny unmaintained, yanked, and unlicensed crates per review --- deny.toml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deny.toml b/deny.toml index 441e80d8..98f53805 100644 --- a/deny.toml +++ b/deny.toml @@ -14,10 +14,15 @@ targets = [ # Advisories — checks for known vulnerable crate versions [advisories] +vulnerability = "deny" +unmaintained = "warn" +yanked = "deny" +ignore = [] db-urls = ["https://github.com/rustsec/advisory-db"] # Licenses — allowlist of acceptable licenses [licenses] +unlicensed = "deny" allow = [ "Apache-2.0", "Apache-2.0 WITH LLVM-exception", From ac13de00fc23d7466e5c0bcb4576519ade1c49be Mon Sep 17 00:00:00 2001 From: Justin Poehnelt Date: Tue, 31 Mar 2026 12:02:49 -0600 Subject: [PATCH 9/9] ci: remove deprecated cargo-deny keys and restore valid config --- deny.toml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/deny.toml b/deny.toml index 98f53805..ba5b337f 100644 --- a/deny.toml +++ b/deny.toml @@ -14,15 +14,11 @@ targets = [ # Advisories — checks for known vulnerable crate versions [advisories] -vulnerability = "deny" -unmaintained = "warn" -yanked = "deny" ignore = [] db-urls = ["https://github.com/rustsec/advisory-db"] # Licenses — allowlist of acceptable licenses [licenses] -unlicensed = "deny" allow = [ "Apache-2.0", "Apache-2.0 WITH LLVM-exception",
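Review bot: The `if:` condition on the new `deny` job ties advisory checking to code changes, but the RustSec database changes on its own, so a vulnerability published against an unchanged `Cargo.lock` goes unnoticed until the next Rust-touching PR or push. The workflow's `on:` block and the `changes` job are outside this hunk; I would add a `schedule:` cron trigger there and widen the condition to `if: needs.changes.outputs.rust == 'true' || github.event_name == 'push' || github.event_name == 'schedule'`. It is also worth confirming that the `rust` path filter matches `deny.toml` and `Cargo.lock`, since a PR that only loosens `[sources]` or `[bans]` in `deny.toml` would otherwise skip this job entirely. If the workflow does not already set a top-level `permissions:` block, `permissions: contents: read` on this job keeps the default token minimal; the action only needs to read the checkout.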
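Review bot: The keys added under `[advisories]` and `[licenses]` — `vulnerability`, `unmaintained` and `unlicensed` — are, to my recollection, the legacy configuration that recent cargo-deny releases deprecate in favour of `version = 2`, under which every advisory is an error unless listed in `ignore` and any crate without a license in `allow` is an error; the final commit of this series then drops all four keys again, taking `yanked = "deny"` with it even though `yanked` is still a supported key. That leaves yanked-crate handling at the tool default, which I believe is only `warn` for the legacy format, so the stricter intent of this commit is lost. I would replace the four lines with `version = 2` under `[advisories]`, `yanked = "deny"` under `[advisories]`, and `version = 2` under `[licenses]`, then confirm the cargo-deny release shipped by the pinned action accepts them.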