From 29eac3356a842489cda555c69f8aa07c90b5bfdf Mon Sep 17 00:00:00 2001 From: evalir Date: Wed, 4 Oct 2023 18:13:49 +0900 Subject: [PATCH] feat(`ci`): add deny deps CI (#6) * feat: add deny ci * chore: config deny.toml properly --- .github/workflows/deps.yml | 19 ++++++++ Cargo.toml | 1 + deny.toml | 94 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 114 insertions(+) create mode 100644 .github/workflows/deps.yml create mode 100644 deny.toml diff --git a/.github/workflows/deps.yml b/.github/workflows/deps.yml new file mode 100644 index 00000000..e96af9f3 --- /dev/null +++ b/.github/workflows/deps.yml @@ -0,0 +1,19 @@ +name: deps + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: [cron: "00 00 * * *"] + +jobs: + cargo-deny: + name: cargo deny check + runs-on: ubuntu-latest + timeout-minutes: 30 + steps: + - uses: actions/checkout@v3 + - uses: EmbarkStudios/cargo-deny-action@v1 + with: + command: check all \ No newline at end of file diff --git a/Cargo.toml b/Cargo.toml index 4e180c9b..41440c48 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -3,6 +3,7 @@ name = "foundry-compilers" authors = ["Foundry Maintainers"] version = "0.1.0" readme = "README.md" +license = "MIT OR Apache-2.0" description = "Utilities for working with solidity compilers, namely solc" keywords = ["foundry", "solidity", "solc", "ethereum", "ethers"] edition = "2021" diff --git a/deny.toml b/deny.toml new file mode 100644 index 00000000..8b00f2f4 --- /dev/null +++ b/deny.toml @@ -0,0 +1,94 @@ +# This section is considered when running `cargo deny check advisories` +# More documentation for the advisories section can be found here: +# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html +[advisories] +vulnerability = "deny" +unmaintained = "warn" +unsound = "warn" +yanked = "warn" +notice = "warn" + +# This section is considered when running `cargo deny check bans`. +# More documentation about the 'bans' section can be found here: +# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html +[bans] +# Lint level for when multiple versions of the same crate are detected +multiple-versions = "warn" +# Lint level for when a crate version requirement is `*` +wildcards = "deny" +highlight = "all" +# List of crates to deny +deny = [ + # Each entry the name of a crate and a version range. If version is + # not specified, all versions will be matched. + #{ name = "ansi_term", version = "=0.11.0" }, +] +# Certain crates/versions that will be skipped when doing duplicate detection. +skip = [] +# Similarly to `skip` allows you to skip certain crates during duplicate +# detection. Unlike skip, it also includes the entire tree of transitive +# dependencies starting at the specified crate, up to a certain depth, which is +# by default infinite +skip-tree = [] + +[licenses] +unlicensed = "deny" +confidence-threshold = 0.9 +# copyleft = "deny" + +# List of explicitly allowed licenses +# See https://spdx.org/licenses/ for list of possible licenses +# [possible values: any SPDX 3.7 short identifier (+ optional exception)]. +allow = [ + "MIT", + "MIT-0", + "Apache-2.0", + "Apache-2.0 WITH LLVM-exception", + "BSD-2-Clause", + "BSD-3-Clause", + "ISC", + "Unicode-DFS-2016", + "Unlicense", + "MPL-2.0", + # https://github.com/briansmith/ring/issues/902 + "LicenseRef-ring", + # https://github.com/briansmith/webpki/issues/148 + "LicenseRef-webpki", +] + +# Allow 1 or more licenses on a per-crate basis, so that particular licenses +# aren't accepted for every possible crate as with the normal allow list +exceptions = [ + # CC0 is a permissive license but somewhat unclear status for source code + # so we prefer to not have dependencies using it + # https://tldrlegal.com/license/creative-commons-cc0-1.0-universal + { allow = ["CC0-1.0"], name = "tiny-keccak" }, + { allow = ["CC0-1.0"], name = "trezor-client" }, + { allow = ["CC0-1.0"], name = "constant_time_eq" }, +] + +[[licenses.clarify]] +name = "ring" +expression = "LicenseRef-ring" +license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }] + +[[licenses.clarify]] +name = "webpki" +expression = "LicenseRef-webpki" +license-files = [{ path = "LICENSE", hash = 0x001c7e6c }] + +[[licenses.clarify]] +name = "rustls-webpki" +expression = "LicenseRef-webpki" +license-files = [{ path = "LICENSE", hash = 0x001c7e6c }] + +# This section is considered when running `cargo deny check sources`. +# More documentation about the 'sources' section can be found here: +# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html +[sources] +# Lint level for what to happen when a crate from a crate registry that is not +# in the allow list is encountered +unknown-registry = "deny" +# Lint level for what to happen when a crate from a git repository that is not +# in the allow list is encountered +unknown-git = "deny" \ No newline at end of file