Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: use cargo deny #6931

Merged
merged 2 commits into from
Oct 23, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 6 additions & 12 deletions .github/workflows/audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,18 +13,12 @@ permissions:
contents: read

jobs:
security-audit:
cargo-deny:
permissions:
checks: write # for rustsec/audit-check to create check
contents: read # for actions/checkout to fetch code
issues: write # for rustsec/audit-check to create issues
checks: write
contents: read
issues: write
Comment on lines 17 to +20
Copy link
Member

@taiki-e taiki-e Oct 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EmbarkStudios/cargo-deny-action action does not seem create issues (EmbarkStudios/cargo-deny-action#64), so these permissions are probably not needed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, not like the rustsec one has ever created an issue ...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(The last time rustsec action created an issue in this repository was two years ago, which IIRC was before fine-grained permission settings in GitHub actions were supported.)
https://github.com/tokio-rs/tokio/issues?q=is%3Aissue+author%3Aapp%2Fgithub-actions

runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'ci skip')"
steps:
- uses: actions/checkout@v4

- name: Audit Check
# https://github.com/rustsec/audit-check/issues/2
uses: rustsec/audit-check@master
with:
token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v4
- uses: EmbarkStudios/cargo-deny-action@v2
15 changes: 3 additions & 12 deletions .github/workflows/pr-audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,17 +16,8 @@ permissions:
contents: read

jobs:
security-audit:
cargo-deny:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are doing the same thing with both files, I think it would be better to merge them.

Copy link
Contributor Author

@Darksonn Darksonn Oct 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The docs recommend using this:

name: CI
on: [push, pull_request]
jobs:
  cargo-deny:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        checks:
          - advisories
          - bans licenses sources

    # Prevent sudden announcement of a new advisory from failing ci:
    continue-on-error: ${{ matrix.checks == 'advisories' }}

    steps:
    - uses: actions/checkout@v3
    - uses: EmbarkStudios/cargo-deny-action@v1
      with:
        command: check ${{ matrix.checks }}

Perhaps we should do this in the toml for master, but keep it as-is on PRs?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should do this in the toml for master, but keep it as-is on PRs?

Hmm. This will cause the advisory to be ignored until someone next opens a PR that edits Cargo.toml, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess that depends on whether we get an email on error ...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have an image that continue-on-error treats failures the same as successes, but in practice I have rarely used it.

https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, this PR is sufficient as-is to address the problem of broken CI, so I think it is fine to leave the fine tuning to future PRs.

runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'ci skip')"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We never used that 🤷‍♀️

steps:
- uses: actions/checkout@v4

- name: Install cargo-audit
run: cargo install cargo-audit

- name: Generate lockfile
run: cargo generate-lockfile

- name: Audit dependencies
run: cargo audit
- uses: actions/checkout@v4
- uses: EmbarkStudios/cargo-deny-action@v2
3 changes: 2 additions & 1 deletion benches/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ name = "benches"
version = "0.0.0"
publish = false
edition = "2021"
license = "MIT"
Darksonn marked this conversation as resolved.
Show resolved Hide resolved

[features]
test-util = ["tokio/test-util"]
Expand All @@ -15,7 +16,7 @@ rand_chacha = "0.3"

[dev-dependencies]
tokio-util = { version = "0.7.0", path = "../tokio-util", features = ["full"] }
tokio-stream = { path = "../tokio-stream" }
tokio-stream = { version = "0.1", path = "../tokio-stream" }

[target.'cfg(unix)'.dependencies]
libc = "0.2.42"
Expand Down
21 changes: 21 additions & 0 deletions deny.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# https://embarkstudios.github.io/cargo-deny/cli/init.html

[graph]
all-features = true

[licenses]
allow = [
"MIT",
"Apache-2.0",
]
exceptions = [
{ allow = ["Unicode-DFS-2016"], crate = "unicode-ident" },
]

[bans]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't usually have bans and sources sections, are the defaults not good enough?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's spamming warnings about some duplicate versions of windows-sys.

multiple-versions = "allow"
wildcards = "deny"

[sources]
unknown-registry = "deny"
unknown-git = "deny"
1 change: 1 addition & 0 deletions examples/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ name = "examples"
version = "0.0.0"
publish = false
edition = "2021"
license = "MIT"

# If you copy one of the examples into a new project, you should be using
# [dependencies] instead, and delete the **path**.
Expand Down
3 changes: 2 additions & 1 deletion stress-test/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,13 @@ name = "stress-test"
version = "0.1.0"
authors = ["Tokio Contributors <[email protected]>"]
edition = "2021"
license = "MIT"
publish = false

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
tokio = { path = "../tokio/", features = ["full"] }
tokio = { version = "1.0.0", path = "../tokio/", features = ["full"] }

[dev-dependencies]
rand = "0.8"
3 changes: 2 additions & 1 deletion tests-build/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,15 @@ name = "tests-build"
version = "0.1.0"
authors = ["Tokio Contributors <[email protected]>"]
edition = "2021"
license = "MIT"
publish = false

[features]
full = ["tokio/full"]
rt = ["tokio/rt", "tokio/macros"]

[dependencies]
tokio = { path = "../tokio", optional = true }
tokio = { version = "1.0.0", path = "../tokio", optional = true }

[dev-dependencies]
trybuild = "1.0"
5 changes: 3 additions & 2 deletions tests-integration/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ name = "tests-integration"
version = "0.1.0"
authors = ["Tokio Contributors <[email protected]>"]
edition = "2021"
license = "MIT"
publish = false

[[bin]]
Expand Down Expand Up @@ -55,8 +56,8 @@ rt = ["tokio/rt"]
rt-multi-thread = ["rt", "tokio/rt-multi-thread"]

[dependencies]
tokio = { path = "../tokio" }
tokio-test = { path = "../tokio-test", optional = true }
tokio = { version = "1.0.0", path = "../tokio" }
tokio-test = { version = "0.4", path = "../tokio-test", optional = true }
doc-comment = "0.3.1"
futures = { version = "0.3.0", features = ["async-await"] }
bytes = "1.0.0"
2 changes: 1 addition & 1 deletion tokio-stream/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ tokio-util = { version = "0.7.0", path = "../tokio-util", optional = true }
tokio = { version = "1.2.0", path = "../tokio", features = ["full", "test-util"] }
async-stream = "0.3"
parking_lot = "0.12.0"
tokio-test = { path = "../tokio-test" }
tokio-test = { version = "0.4", path = "../tokio-test" }
futures = { version = "0.3", default-features = false }

[package.metadata.docs.rs]
Expand Down
Loading