From 886751c5689890c964668d7495c62f3c89c7331f Mon Sep 17 00:00:00 2001 From: Alice Ryhl Date: Wed, 23 Oct 2024 11:56:44 +0200 Subject: [PATCH 1/2] ci: use cargo deny --- .github/workflows/audit.yml | 18 ++++++------------ benches/Cargo.toml | 3 ++- deny.toml | 21 +++++++++++++++++++++ examples/Cargo.toml | 1 + stress-test/Cargo.toml | 3 ++- tests-build/Cargo.toml | 3 ++- tests-integration/Cargo.toml | 5 +++-- tokio-stream/Cargo.toml | 2 +- 8 files changed, 38 insertions(+), 18 deletions(-) create mode 100644 deny.toml diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 2a5cb641a9a..3944195077a 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -13,18 +13,12 @@ permissions: contents: read jobs: - security-audit: + cargo-deny: permissions: - checks: write # for rustsec/audit-check to create check - contents: read # for actions/checkout to fetch code - issues: write # for rustsec/audit-check to create issues + checks: write + contents: read + issues: write runs-on: ubuntu-latest - if: "!contains(github.event.head_commit.message, 'ci skip')" steps: - - uses: actions/checkout@v4 - - - name: Audit Check - # https://github.com/rustsec/audit-check/issues/2 - uses: rustsec/audit-check@master - with: - token: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v3 + - uses: EmbarkStudios/cargo-deny-action@v1 diff --git a/benches/Cargo.toml b/benches/Cargo.toml index 048d6ee7725..44156fcbfb5 100644 --- a/benches/Cargo.toml +++ b/benches/Cargo.toml @@ -3,6 +3,7 @@ name = "benches" version = "0.0.0" publish = false edition = "2021" +license = "MIT" [features] test-util = ["tokio/test-util"] @@ -15,7 +16,7 @@ rand_chacha = "0.3" [dev-dependencies] tokio-util = { version = "0.7.0", path = "../tokio-util", features = ["full"] } -tokio-stream = { path = "../tokio-stream" } +tokio-stream = { version = "0.1", path = "../tokio-stream" } [target.'cfg(unix)'.dependencies] libc = "0.2.42" 
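Review bot: The `cargo-deny` job in audit.yml keeps `checks: write` and `issues: write`, but the comments that justified those scopes named rustsec/audit-check, which this hunk removes. The pr-audit.yml job in patch 2/2 runs the same action under the workflow-level `contents: read` alone, which suggests the write scopes are no longer needed here. If so, the job-level block can be reduced to `permissions:` with only `contents: read`. If the action does need one of them, keep a trailing comment saying why, in the form `checks: write # for <action> to <reason>`.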
diff --git a/deny.toml b/deny.toml new file mode 100644 index 00000000000..6f343f80b72 --- /dev/null +++ b/deny.toml @@ -0,0 +1,21 @@ +# https://embarkstudios.github.io/cargo-deny/cli/init.html + +[graph] +all-features = true + +[licenses] +allow = [ + "MIT", + "Apache-2.0", +] +exceptions = [ + { allow = ["Unicode-DFS-2016"], crate = "unicode-ident" }, +] + +[bans] +multiple-versions = "allow" +wildcards = "deny" + +[sources] +unknown-registry = "deny" +unknown-git = "deny" diff --git a/examples/Cargo.toml b/examples/Cargo.toml index d1a70dbc774..54f2ecb8a4f 100644 --- a/examples/Cargo.toml +++ b/examples/Cargo.toml @@ -3,6 +3,7 @@ name = "examples" version = "0.0.0" publish = false edition = "2021" +license = "MIT" # If you copy one of the examples into a new project, you should be using # [dependencies] instead, and delete the **path**. diff --git a/stress-test/Cargo.toml b/stress-test/Cargo.toml index ee7431f096b..60c07e4eabd 100644 --- a/stress-test/Cargo.toml +++ b/stress-test/Cargo.toml @@ -3,12 +3,13 @@ name = "stress-test" version = "0.1.0" authors = ["Tokio Contributors "] edition = "2021" +license = "MIT" publish = false # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] -tokio = { path = "../tokio/", features = ["full"] } +tokio = { version = "1.0.0", path = "../tokio/", features = ["full"] } [dev-dependencies] rand = "0.8" diff --git a/tests-build/Cargo.toml b/tests-build/Cargo.toml index 251399c9f14..639dc3d1292 100644 --- a/tests-build/Cargo.toml +++ b/tests-build/Cargo.toml @@ -3,6 +3,7 @@ name = "tests-build" version = "0.1.0" authors = ["Tokio Contributors "] edition = "2021" +license = "MIT" publish = false [features] @@ -10,7 +11,7 @@ full = ["tokio/full"] rt = ["tokio/rt", "tokio/macros"] [dependencies] -tokio = { path = "../tokio", optional = true } +tokio = { version = "1.0.0", path = "../tokio", optional = true } [dev-dependencies] trybuild = "1.0" 
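Review bot: deny.toml has no `[advisories]` table, although this series removes both rustsec/audit-check and the `cargo audit` step, so the vulnerability check now rests entirely on cargo-deny's defaults (presumably still run, as the workflow passes no command override). Writing the policy out would make it reviewable alongside the `[licenses]`, `[bans]` and `[sources]` tables, for example `[advisories]` followed by `yanked = "warn"` or `yanked = "deny"`. A one-line comment above the `unicode-ident` entry saying why `Unicode-DFS-2016` is accepted for that crate only would also help whoever next edits the allow-list.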
diff --git a/tests-integration/Cargo.toml b/tests-integration/Cargo.toml index 4852f7d23ae..74724917f15 100644 --- a/tests-integration/Cargo.toml +++ b/tests-integration/Cargo.toml @@ -3,6 +3,7 @@ name = "tests-integration" version = "0.1.0" authors = ["Tokio Contributors "] edition = "2021" +license = "MIT" publish = false [[bin]] @@ -55,8 +56,8 @@ rt = ["tokio/rt"] rt-multi-thread = ["rt", "tokio/rt-multi-thread"] [dependencies] -tokio = { path = "../tokio" } -tokio-test = { path = "../tokio-test", optional = true } +tokio = { version = "1.0.0", path = "../tokio" } +tokio-test = { version = "0.4", path = "../tokio-test", optional = true } doc-comment = "0.3.1" futures = { version = "0.3.0", features = ["async-await"] } bytes = "1.0.0" diff --git a/tokio-stream/Cargo.toml b/tokio-stream/Cargo.toml index 3c6868b688c..0b3244f7148 100644 --- a/tokio-stream/Cargo.toml +++ b/tokio-stream/Cargo.toml @@ -45,7 +45,7 @@ tokio-util = { version = "0.7.0", path = "../tokio-util", optional = true } tokio = { version = "1.2.0", path = "../tokio", features = ["full", "test-util"] } async-stream = "0.3" parking_lot = "0.12.0" -tokio-test = { path = "../tokio-test" } +tokio-test = { version = "0.4", path = "../tokio-test" } futures = { version = "0.3", default-features = false } [package.metadata.docs.rs] From 127b122f762ac6e260cb94823d9c2d53d416913e Mon Sep 17 00:00:00 2001 From: Alice Ryhl Date: Wed, 23 Oct 2024 12:54:23 +0200 Subject: [PATCH 2/2] update pr-audit too --- .github/workflows/audit.yml | 4 ++-- .github/workflows/pr-audit.yml | 15 +++------------ 2 files changed, 5 insertions(+), 14 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 3944195077a..ba582413344 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml 
@@ -20,5 +20,5 @@ jobs: issues: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: EmbarkStudios/cargo-deny-action@v1 + - uses: actions/checkout@v4 + - uses: EmbarkStudios/cargo-deny-action@v2 diff --git a/.github/workflows/pr-audit.yml b/.github/workflows/pr-audit.yml index ce2e81cda43..e6543964c9e 100644 --- a/.github/workflows/pr-audit.yml +++ b/.github/workflows/pr-audit.yml @@ -16,17 +16,8 @@ permissions: contents: read jobs: - security-audit: + cargo-deny: runs-on: ubuntu-latest - if: "!contains(github.event.head_commit.message, 'ci skip')" steps: - - uses: actions/checkout@v4 - - - name: Install cargo-audit - run: cargo install cargo-audit - - - name: Generate lockfile - run: cargo generate-lockfile - - - name: Audit dependencies - run: cargo audit + - uses: actions/checkout@v4 + - uses: EmbarkStudios/cargo-deny-action@v2
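Review bot: Both workflows reference `EmbarkStudios/cargo-deny-action@v2` and `actions/checkout@v4` by a movable tag, and the same holds for the `@v1` and `@v3` references in patch 1/2. Since this job is the repository's dependency gate, pinning the third-party action to a full commit SHA with the tag as a trailing comment keeps the reviewed code fixed, e.g. `- uses: EmbarkStudios/cargo-deny-action@<full-commit-sha> # v2`. The `on:` triggers of both files lie outside these hunks, so it cannot be judged from here which events run the job.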