ci: add cargo-deny (advisories, licenses, bans, sources)#353
Conversation
Also bumps anyhow 1.0.102 -> 1.0.103 past RUSTSEC advisory for a Miri-detected UB in downcast_mut, which cargo-deny flagged on first run.
Greptile SummaryThis PR adds dependency-policy checks to CI. The main changes are:
Confidence Score: 4/5The cargo-deny source gate can reject the current lockfile.
deny.toml
|
| Filename | Overview |
|---|---|
| .github/workflows/ci.yml | Adds a root-level cargo-deny check job to CI. |
| deny.toml | Adds strict dependency policy, but the git source allowlist misses existing lockfile sources. |
| Cargo.lock | Updates the resolved anyhow package version and checksum. |
| devenv.lock | Updates the pinned rust-overlay flake input. |
Reviews (1): Last reviewed commit: "ci: add cargo-deny (advisories, licenses..." | Re-trigger Greptile
| allow-git = [ | ||
| "https://github.com/zed-industries/zed", | ||
| "https://github.com/longbridge/gpui-component", | ||
| ] |
There was a problem hiding this comment.
Git Source Allowlist Is Incomplete
With unknown-git = "deny", this list must cover every git source in Cargo.lock. The current lockfile also uses AprilNEA/gpui-updater, zed-industries/wgpu.git, zed-industries/xim-rs.git, zed-industries/font-kit, zed-industries/reqwest.git, and zed-industries/scap, so the new cargo-deny job can reject the existing dependency graph before it checks new changes.
| allow-git = [ | |
| "https://github.com/zed-industries/zed", | |
| "https://github.com/longbridge/gpui-component", | |
| ] | |
| allow-git = [ | |
| "https://github.com/zed-industries/zed", | |
| "https://github.com/longbridge/gpui-component", | |
| "https://github.com/AprilNEA/gpui-updater", | |
| "https://github.com/zed-industries/wgpu.git", | |
| "https://github.com/zed-industries/xim-rs.git", | |
| "https://github.com/zed-industries/font-kit", | |
| "https://github.com/zed-industries/reqwest.git", | |
| "https://github.com/zed-industries/scap", | |
| ] |
Adds a cargo-deny gate over the whole dependency graph:
downcast_mut, GitHub dependabot alert feat(macOS): Native MX Master 3S Gesture Button Support + AppleScript Space-Switch Bypass + Drag Debouncing #2) — this PR bumps anyhow 1.0.102 → 1.0.103 to clear it. The lockfile diff is that single package; the zed/gpui git pins are untouched.Validated locally:
cargo deny check→ advisories ok, bans ok, licenses ok, sources ok.