Skip to content

ci: add cargo-deny (advisories, licenses, bans, sources)#353

Open
AprilNEA wants to merge 2 commits into
masterfrom
ci/cargo-deny
Open

ci: add cargo-deny (advisories, licenses, bans, sources)#353
AprilNEA wants to merge 2 commits into
masterfrom
ci/cargo-deny

Conversation

@AprilNEA

@AprilNEA AprilNEA commented Jul 4, 2026

Copy link
Copy Markdown
Owner

Adds a cargo-deny gate over the whole dependency graph:

  • advisories: RUSTSEC database, yanked crates denied. First local run immediately flagged RUSTSEC's anyhow advisory (Miri-detected UB in downcast_mut, GitHub dependabot alert feat(macOS): Native MX Master 3S Gesture Button Support + AppleScript Space-Switch Bypass + Drag Debouncing #2) — this PR bumps anyhow 1.0.102 → 1.0.103 to clear it. The lockfile diff is that single package; the zed/gpui git pins are untouched.
  • licenses: explicit allow-list covering what the graph actually pulls in (incl. the zed/gpui tree); anything new needs a conscious deny.toml addition.
  • bans: duplicate versions warn-only — the zed tree inevitably carries duplicates.
  • sources: unknown registries/git denied; only the two pinned git sources (zed-industries/zed, longbridge/gpui-component) are allowed, so an accidental new git dependency fails CI.

Validated locally: cargo deny check → advisories ok, bans ok, licenses ok, sources ok.

AprilNEA added 2 commits July 5, 2026 05:51
Also bumps anyhow 1.0.102 -> 1.0.103 past RUSTSEC advisory for a Miri-detected UB in downcast_mut, which cargo-deny flagged on first run.
@greptile-apps

greptile-apps Bot commented Jul 4, 2026

Copy link
Copy Markdown

Greptile Summary

This PR adds dependency-policy checks to CI. The main changes are:

  • New cargo-deny GitHub Actions job.
  • New deny.toml policy for advisories, licenses, bans, and sources.
  • anyhow lockfile bump from 1.0.102 to 1.0.103.
  • Updated rust-overlay entry in devenv.lock.

Confidence Score: 4/5

The cargo-deny source gate can reject the current lockfile.

  • unknown-git = "deny" is enabled.
  • The allowlist only includes two git repositories.
  • The current lockfile contains several other git repositories that are still part of the dependency graph.

deny.toml

Security Review

The new source policy is security-related, but its git allowlist does not cover all current lockfile sources. The CI gate can fail on the existing dependency graph until those sources are handled.

Important Files Changed

Filename Overview
.github/workflows/ci.yml Adds a root-level cargo-deny check job to CI.
deny.toml Adds strict dependency policy, but the git source allowlist misses existing lockfile sources.
Cargo.lock Updates the resolved anyhow package version and checksum.
devenv.lock Updates the pinned rust-overlay flake input.

Fix All in Codex Fix All in Claude Code

Reviews (1): Last reviewed commit: "ci: add cargo-deny (advisories, licenses..." | Re-trigger Greptile

Comment thread deny.toml
Comment on lines +34 to +37
allow-git = [
"https://github.com/zed-industries/zed",
"https://github.com/longbridge/gpui-component",
]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security Git Source Allowlist Is Incomplete

With unknown-git = "deny", this list must cover every git source in Cargo.lock. The current lockfile also uses AprilNEA/gpui-updater, zed-industries/wgpu.git, zed-industries/xim-rs.git, zed-industries/font-kit, zed-industries/reqwest.git, and zed-industries/scap, so the new cargo-deny job can reject the existing dependency graph before it checks new changes.

Suggested change
allow-git = [
"https://github.com/zed-industries/zed",
"https://github.com/longbridge/gpui-component",
]
allow-git = [
"https://github.com/zed-industries/zed",
"https://github.com/longbridge/gpui-component",
"https://github.com/AprilNEA/gpui-updater",
"https://github.com/zed-industries/wgpu.git",
"https://github.com/zed-industries/xim-rs.git",
"https://github.com/zed-industries/font-kit",
"https://github.com/zed-industries/reqwest.git",
"https://github.com/zed-industries/scap",
]

Fix in Codex Fix in Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant