ci: Run cargo-deny during ci (#2340)

mozilla · Jan 13, 2025 · 8bc926a · 8bc926a
1 parent 1a38b27
commit 8bc926a
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/.deny.toml b/.deny.toml
@@ -0,0 +1,28 @@
+[bans]
+multiple-versions = "allow"
+
+[bans.workspace-dependencies]
+duplicates = "allow"
+unused = "allow"
+
+[licenses]
+unused-allowed-license = "allow"
+allow = [
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "CC0-1.0",
+    "ISC",
+    "MPL-2.0",
+    "MIT",
+    "MIT-0",
+    "Unicode-DFS-2016",
+    "Unicode-3.0",
+    "Zlib",
+]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+required-git-spec = "rev"
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
@@ -0,0 +1,32 @@
+name: Deny
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: ["main"]
+    paths-ignore: ["*.md", "*.png", "*.svg", "LICENSE-*"]
+  merge_group:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    # Prevent sudden announcement of a new advisory from failing ci:
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: EmbarkStudios/cargo-deny-action@e2f4ede4a4e60ea15ff31bc0647485d80c66cfba # v2.0.4
+      with:
+        command: check ${{ matrix.checks }}