mirror of
https://github.com/bevyengine/bevy
synced 2024-11-10 07:04:33 +00:00
enable cargo deny (#2101)
https://github.com/EmbarkStudios/cargo-deny cargo-deny is a tool that can issue errors for dependency issues, among other: * security issues in a crate * duplicated dependencies with different versions * unauthorised license Added cargo-deny with an opinionated configuration: * No middle ground with warnings, either allow or deny * Not added to Bors, we probably don't want to block a PR on something that may happen from outside * Different github workflow than CI to run only when Cargo.toml files are changed, or on a schedule * Each check in its own job to help readability * Initial config makes Bevy pass all check Pushing a first commit with commented config to show errors
This commit is contained in:
François
parent
85b17294b9
commit
177f2fbf9a
2 changed files with 120 additions and 0 deletions
54
.github/workflows/dependencies.yml
vendored
Normal file
54
.github/workflows/dependencies.yml
vendored
Normal file
|
|
@ -0,0 +1,54 @@
|
||||||
|
name: Dependencies
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- '**/Cargo.toml'
|
||||||
|
- 'deny.toml'
|
||||||
|
push:
|
||||||
|
branches: [main, staging, trying]
|
||||||
|
paths:
|
||||||
|
- '**/Cargo.toml'
|
||||||
|
- 'deny.toml'
|
||||||
|
schedule:
|
||||||
|
- cron: "0 0 * * 0"
|
||||||
|
|
||||||
|
env:
|
||||||
|
CARGO_TERM_COLOR: always
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
check-advisories:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v2
|
||||||
|
- name: Install cargo-deny
|
||||||
|
run: cargo install cargo-deny
|
||||||
|
- name: Check for security advisories and unmaintained crates
|
||||||
|
run: cargo deny check advisories
|
||||||
|
|
||||||
|
check-bans:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v2
|
||||||
|
- name: Install cargo-deny
|
||||||
|
run: cargo install cargo-deny
|
||||||
|
- name: Check for banned and duplicated dependencies
|
||||||
|
run: cargo deny check bans
|
||||||
|
|
||||||
|
check-licenses:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v2
|
||||||
|
- name: Install cargo-deny
|
||||||
|
run: cargo install cargo-deny
|
||||||
|
- name: Check for unauthorized licenses
|
||||||
|
run: cargo deny check licenses
|
||||||
|
|
||||||
|
check-sources:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v2
|
||||||
|
- name: Install cargo-deny
|
||||||
|
run: cargo install cargo-deny
|
||||||
|
- name: Checked for unauthorized crate sources
|
||||||
|
run: cargo deny check sources
|
||||||
66
deny.toml
Normal file
66
deny.toml
Normal file
|
|
@ -0,0 +1,66 @@
|
||||||
|
[advisories]
|
||||||
|
db-path = "~/.cargo/advisory-db"
|
||||||
|
db-urls = ["https://github.com/rustsec/advisory-db"]
|
||||||
|
vulnerability = "deny"
|
||||||
|
unmaintained = "deny"
|
||||||
|
yanked = "deny"
|
||||||
|
notice = "deny"
|
||||||
|
ignore = [
|
||||||
|
"RUSTSEC-2020-0016", # net2 deprecated - https://github.com/deprecrated/net2-rs/commit/3350e3819adf151709047e93f25583a5df681091
|
||||||
|
"RUSTSEC-2020-0056", # stdweb unmaintained - https://github.com/koute/stdweb/issues/403
|
||||||
|
"RUSTSEC-2021-0047", # security issue - https://github.com/gnzlbg/slice_deque/issues/90
|
||||||
|
]
|
||||||
|
|
||||||
|
[licenses]
|
||||||
|
unlicensed = "deny"
|
||||||
|
copyleft = "deny"
|
||||||
|
allow = [
|
||||||
|
"MIT",
|
||||||
|
"Apache-2.0",
|
||||||
|
"BSD-3-Clause",
|
||||||
|
"ISC",
|
||||||
|
"Zlib",
|
||||||
|
"0BSD",
|
||||||
|
"BSD-2-Clause",
|
||||||
|
"CC0-1.0",
|
||||||
|
"MPL-2.0",
|
||||||
|
]
|
||||||
|
default = "deny"
|
||||||
|
|
||||||
|
[[licenses.clarify]]
|
||||||
|
name = "stretch"
|
||||||
|
expression = "MIT"
|
||||||
|
license-files = []
|
||||||
|
|
||||||
|
[bans]
|
||||||
|
multiple-versions = "deny"
|
||||||
|
wildcards = "deny"
|
||||||
|
highlight = "all"
|
||||||
|
# Certain crates/versions that will be skipped when doing duplicate detection.
|
||||||
|
skip = [
|
||||||
|
{ name = "ahash", version = "0.4" },
|
||||||
|
{ name = "android_log-sys", version = "0.1" },
|
||||||
|
{ name = "cfg-if", version = "0.1" }, # https://github.com/rustwasm/console_error_panic_hook/pull/18
|
||||||
|
{ name = "core-foundation", version = "0.6" },
|
||||||
|
{ name = "core-foundation", version = "0.7" },
|
||||||
|
{ name = "core-foundation-sys", version = "0.6" },
|
||||||
|
{ name = "core-foundation-sys", version = "0.7" },
|
||||||
|
{ name = "core-graphics", version = "0.19" },
|
||||||
|
{ name = "fixedbitset", version = "0.2" },
|
||||||
|
{ name = "libm", version = "0.1" },
|
||||||
|
{ name = "mach", version = "0.2" },
|
||||||
|
{ name = "mio", version = "0.6" },
|
||||||
|
{ name = "miow", version = "0.2" },
|
||||||
|
{ name = "ndk", version = "0.2" },
|
||||||
|
{ name = "ndk-glue", version = "0.2" },
|
||||||
|
{ name = "num_enum", version = "0.4" },
|
||||||
|
{ name = "num_enum_derive", version = "0.4" },
|
||||||
|
{ name = "stdweb", version = "0.1" },
|
||||||
|
{ name = "winapi", version = "0.2" },
|
||||||
|
]
|
||||||
|
|
||||||
|
[sources]
|
||||||
|
unknown-registry = "deny"
|
||||||
|
unknown-git = "deny"
|
||||||
|
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
|
||||||
|
allow-git = []
|
||||||
Loading…
Reference in a new issue