mirror of
https://github.com/bevyengine/bevy
synced 2024-11-25 14:10:19 +00:00
enable cargo deny (#2101)
https://github.com/EmbarkStudios/cargo-deny cargo-deny is a tool that can issue errors for dependency issues, among other: * security issues in a crate * duplicated dependencies with different versions * unauthorised license Added cargo-deny with an opinionated configuration: * No middle ground with warnings, either allow or deny * Not added to Bors, we probably don't want to block a PR on something that may happen from outside * Different github workflow than CI to run only when Cargo.toml files are changed, or on a schedule * Each check in its own job to help readability * Initial config makes Bevy pass all check Pushing a first commit with commented config to show errors
This commit is contained in:
parent
85b17294b9
commit
177f2fbf9a
2 changed files with 120 additions and 0 deletions
54
.github/workflows/dependencies.yml
vendored
Normal file
54
.github/workflows/dependencies.yml
vendored
Normal file
|
@ -0,0 +1,54 @@
|
|||
name: Dependencies
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- '**/Cargo.toml'
|
||||
- 'deny.toml'
|
||||
push:
|
||||
branches: [main, staging, trying]
|
||||
paths:
|
||||
- '**/Cargo.toml'
|
||||
- 'deny.toml'
|
||||
schedule:
|
||||
- cron: "0 0 * * 0"
|
||||
|
||||
env:
|
||||
CARGO_TERM_COLOR: always
|
||||
|
||||
jobs:
|
||||
check-advisories:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Install cargo-deny
|
||||
run: cargo install cargo-deny
|
||||
- name: Check for security advisories and unmaintained crates
|
||||
run: cargo deny check advisories
|
||||
|
||||
check-bans:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Install cargo-deny
|
||||
run: cargo install cargo-deny
|
||||
- name: Check for banned and duplicated dependencies
|
||||
run: cargo deny check bans
|
||||
|
||||
check-licenses:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Install cargo-deny
|
||||
run: cargo install cargo-deny
|
||||
- name: Check for unauthorized licenses
|
||||
run: cargo deny check licenses
|
||||
|
||||
check-sources:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Install cargo-deny
|
||||
run: cargo install cargo-deny
|
||||
- name: Checked for unauthorized crate sources
|
||||
run: cargo deny check sources
|
66
deny.toml
Normal file
66
deny.toml
Normal file
|
@ -0,0 +1,66 @@
|
|||
[advisories]
|
||||
db-path = "~/.cargo/advisory-db"
|
||||
db-urls = ["https://github.com/rustsec/advisory-db"]
|
||||
vulnerability = "deny"
|
||||
unmaintained = "deny"
|
||||
yanked = "deny"
|
||||
notice = "deny"
|
||||
ignore = [
|
||||
"RUSTSEC-2020-0016", # net2 deprecated - https://github.com/deprecrated/net2-rs/commit/3350e3819adf151709047e93f25583a5df681091
|
||||
"RUSTSEC-2020-0056", # stdweb unmaintained - https://github.com/koute/stdweb/issues/403
|
||||
"RUSTSEC-2021-0047", # security issue - https://github.com/gnzlbg/slice_deque/issues/90
|
||||
]
|
||||
|
||||
[licenses]
|
||||
unlicensed = "deny"
|
||||
copyleft = "deny"
|
||||
allow = [
|
||||
"MIT",
|
||||
"Apache-2.0",
|
||||
"BSD-3-Clause",
|
||||
"ISC",
|
||||
"Zlib",
|
||||
"0BSD",
|
||||
"BSD-2-Clause",
|
||||
"CC0-1.0",
|
||||
"MPL-2.0",
|
||||
]
|
||||
default = "deny"
|
||||
|
||||
[[licenses.clarify]]
|
||||
name = "stretch"
|
||||
expression = "MIT"
|
||||
license-files = []
|
||||
|
||||
[bans]
|
||||
multiple-versions = "deny"
|
||||
wildcards = "deny"
|
||||
highlight = "all"
|
||||
# Certain crates/versions that will be skipped when doing duplicate detection.
|
||||
skip = [
|
||||
{ name = "ahash", version = "0.4" },
|
||||
{ name = "android_log-sys", version = "0.1" },
|
||||
{ name = "cfg-if", version = "0.1" }, # https://github.com/rustwasm/console_error_panic_hook/pull/18
|
||||
{ name = "core-foundation", version = "0.6" },
|
||||
{ name = "core-foundation", version = "0.7" },
|
||||
{ name = "core-foundation-sys", version = "0.6" },
|
||||
{ name = "core-foundation-sys", version = "0.7" },
|
||||
{ name = "core-graphics", version = "0.19" },
|
||||
{ name = "fixedbitset", version = "0.2" },
|
||||
{ name = "libm", version = "0.1" },
|
||||
{ name = "mach", version = "0.2" },
|
||||
{ name = "mio", version = "0.6" },
|
||||
{ name = "miow", version = "0.2" },
|
||||
{ name = "ndk", version = "0.2" },
|
||||
{ name = "ndk-glue", version = "0.2" },
|
||||
{ name = "num_enum", version = "0.4" },
|
||||
{ name = "num_enum_derive", version = "0.4" },
|
||||
{ name = "stdweb", version = "0.1" },
|
||||
{ name = "winapi", version = "0.2" },
|
||||
]
|
||||
|
||||
[sources]
|
||||
unknown-registry = "deny"
|
||||
unknown-git = "deny"
|
||||
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
|
||||
allow-git = []
|
Loading…
Reference in a new issue