chore(gha): setup cargo-deny (#3816)

2025-11-02 10:52:25 +09:00 · 2025-11-02 10:52:25 +09:00 · 627af8ce57
parent 97e701721b
commit 627af8ce57
2 changed files with 49 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -85,6 +85,10 @@ jobs:
      - name: CI cache clean
        run: cargo-ci-cache-clean

+      - name: deny check
+        if: matrix.version.name == 'stable' && matrix.target.os == 'ubuntu-latest'
+        uses: EmbarkStudios/cargo-deny-action@f2ba7abc2abebaf185c833c3961145a3c275caad # v2.0.13
+
  io-uring:
    name: io-uring tests
    runs-on: ubuntu-latest
--- a/deny.toml
+++ b/deny.toml
@ -0,0 +1,45 @@
+[licenses]
+confidence-threshold = 0.90
+allow = [
+    "Apache-2.0",
+    "MIT",
+    "Unicode-3.0",
+    "ISC",
+    "CDLA-Permissive-2.0",
+    "BSD-3-Clause",
+    "Zlib",
+    "OpenSSL",
+    "MPL-2.0"
+]
+private = { ignore = true }
+
+# FIXME: old rustls introduces old ring which is not set license field properly.
+[[licenses.clarify]]
+crate = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+# FIXME: webpki is almost unmaintained and is not set license field properly.
+# rustls has its own fork now so removing old rustls should resolve the issue.
+[[licenses.clarify]]
+crate = "webpki"
+expression = "ISC"
+license-files = [
+    { path = "LICENSE", hash = 0x001c7e6c }
+]
+
+[bans]
+multiple-versions = "allow"
+
+[bans.build]
+executables = "deny"
+
+[advisories]
+# because of old rustls support:
+ignore = [
+    "RUSTSEC-2024-0336",
+    "RUSTSEC-2025-0009",
+    "RUSTSEC-2025-0010"
+]