From 9963471b7c13baf3e45f980c4ad13e0efe622e16 Mon Sep 17 00:00:00 2001 From: teor Date: Tue, 2 Nov 2021 07:19:22 +1000 Subject: [PATCH] Check for duplicate crate dependencies in CI (#2986) * Add default deny.toml for "cargo deny check bans" `cargo deny init` * Delete unused "cargo deny" config entries Also cleanup trailing whitespace. * Deny duplicate crates and unexpected crate sources Allow the current set of duplicates and sources, with references to the tickets that will fix them. * Check for duplicate dependencies in CI Also check for: - unexpected crate sources - outdated Cargo.lock (required for accurate duplicate and source checks) * Revert CI name changes so required statuses pass * Fix ticket for sentry-tracing
---
 .github/workflows/ci.yml | 27 +++++++++--
 deny.toml | 102 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 126 insertions(+), 3 deletions(-)
 create mode 100644 deny.toml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 04c085abbde..89ef401c8aa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -169,7 +169,7 @@ jobs: command: build args: --verbose --release - clippy: + clippy-cargo-lock: name: Clippy (stable) timeout-minutes: 30 runs-on: ubuntu-latest
@@ -204,7 +204,14 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} args: --all-features --all-targets -- -D warnings - fmt: + # This check makes sure the crate dependency check is accurate - name: Check Cargo.lock is up to date uses: actions-rs/cargo@v1.0.3 with: command: check args: --locked --all-features --all-targets + + fmt-deps: name: Rustfmt timeout-minutes: 30 runs-on: ubuntu-latest 
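Review bot: The comment `# This check makes sure the crate dependency check is accurate` above the new `Check Cargo.lock is up to date` step refers to the cargo-deny steps, which run in the separate `fmt-deps` job, so this step does not actually gate them; a stale lockfile only blocks the merge because both jobs are required statuses. Naming that coupling would make the intent verifiable, e.g. `# The cargo-deny bans/sources checks in the fmt-deps job assume Cargo.lock is current; --locked fails if it is not`. Alternatively, run this step in the `fmt-deps` job immediately before the cargo-deny steps so the ordering is enforced rather than implied. The `fmt-deps` job body continues outside this hunk.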
@@ -231,7 +238,21 @@ jobs: echo "CARGO_INCREMENTAL=${{ env.CARGO_INCREMENTAL }}" echo "RUST_BACKTRACE=${{ env.RUST_BACKTRACE }}" - - uses: actions-rs/cargo@v1.0.3 + - name: Check rustfmt + uses: actions-rs/cargo@v1.0.3 with: command: fmt args: --all -- --check + + # Edit zebra/deny.toml to allow duplicates + - name: Check for dependent crates with different versions + uses: EmbarkStudios/cargo-deny-action@v1.2.6 + with: + command: check bans + args: --all-features --workspace + + - name: Check crate sources + uses: EmbarkStudios/cargo-deny-action@v1.2.6 + with: + command: check sources + args: --all-features --workspace
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000000..ff71772f406
--- /dev/null
+++ b/deny.toml
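Review bot: The two new `EmbarkStudios/cargo-deny-action@v1.2.6` steps pin a third-party action by a mutable tag, so the code that enforces the crate-source allow list can itself change upstream without any diff appearing in this repository. Pinning to a full commit SHA with the tag kept in a trailing comment, `uses: EmbarkStudios/cargo-deny-action@<commit-sha>  # v1.2.6`, gives the same review trail for the action that deny.toml is trying to establish for crates. The existing `actions-rs/cargo@v1.0.3` steps follow the tag convention, so this is best done as a repo-wide change rather than a one-off here. The enclosing `fmt-deps` job starts outside this hunk.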
@@ -0,0 +1,102 @@
+# Note that all fields that take a lint level have these possible values:
+# * deny - An error will be produced and the check will fail
+# * warn - A warning will be produced, but the check will not fail
+# * allow - No warning or error will be produced, though in some cases a note
+# will be
+
+# This section is considered when running `cargo deny check bans`.
+# More documentation about the 'bans' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+# Lint level for when multiple versions of the same crate are detected
+multiple-versions = "deny"
+# The graph highlighting used when creating dotgraphs for crates
+# with multiple versions
+# * lowest-version - The path to the lowest versioned duplicate is highlighted
+# * simplest-path - The path to the version with the fewest edges is highlighted
+# * all - Both lowest-version and simplest-path are used
+highlight = "all"
+
+# List of crates that are allowed. Use with care!
+allow = [
+ #{ name = "ansi_term", version = "=0.11.0" },
+]
+
+# Certain crates/versions that will be skipped when doing duplicate detection.
+skip = [
+ #{ name = "ansi_term", version = "=0.11.0" },
+]
+# Similarly to `skip` allows you to skip certain crates during duplicate
+# detection. 
Unlike skip, it also includes the entire tree of transitive
+# dependencies starting at the specified crate, up to a certain depth, which is
+# by default infinite
+skip-tree = [
+ # ticket #2200: tokio dependencies
+ { name = "metrics-exporter-prometheus", version = "=0.1.0-alpha.7" },
+ { name = "tower", version = "=0.4.0" },
+ { name = "tokio", version = "=0.2.23" },
+ { name = "tokio-util", version = "=0.3.1" },
+
+ # ticket #2953: tracing dependencies
+ { name = "tracing-subscriber", version = "=0.1.6" },
+
+ # ticket #2952: cryptography dependencies
+ { name = "aes", version = "=0.6.0" },
+ { name = "bellman", version = "=0.10.0" },
+ { name = "bls12_381", version = "=0.5.0" },
+ { name = "fpe", version = "=0.4.0" },
+
+ # ticket #2982: librustzcash and orchard git versions
+ { name = "zcash_primitives", version = "=0.5.0" },
+
+ # ticket #2983: criterion dependencies
+ { name = "criterion", version = "=0.3.4" },
+
+ # ticket #2981: bindgen dependencies
+ { name = "rocksdb", version = "=0.16.0" },
+
+ # ticket #2984: owo-colors dependencies
+ { name = "color-eyre", version = "=0.5.11" },
+
+ # tickets #2985 and #2391: tempdir & rand dependencies
+ { name = "tempdir", version = "=0.3.7" },
+
+ # ticket #2980: inferno dependencies
+ { name = "inferno", version = "=0.10.7" },
+
+ # upgrade orchard from deprecated `bigint` to `uint`: https://github.com/zcash/orchard/issues/219
+ # alternative: downgrade Zebra to `bigint`
+ { name = "bigint", version = "=4.4.3" },
+]
+
+# This section is considered when running `cargo deny check sources`. 
+# More documentation about the 'sources' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+# Lint level for what to happen when a crate from a crate registry that is not
+# in the allow list is encountered
+unknown-registry = "deny"
+# Lint level for what to happen when a crate from a git repository that is not
+# in the allow list is encountered
+unknown-git = "deny"
+# List of URLs for allowed crate registries. Defaults to the crates.io index
+# if not specified. If it is specified but empty, no registries are allowed.
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+# List of URLs for allowed Git repositories
+allow-git = [
+ # ticket #2200: tokio dependencies
+ "https://github.com/kellpossible/sentry-tracing",
+
+ # ticket #2982: librustzcash and orchard git versions
+ "https://github.com/str4d/redjubjub",
+]
+
+[sources.allow-org]
+github = [
+ "ZcashFoundation",
+ "zcash",
+
+ # ticket #2200: tokio dependencies
+ "hyperium",
+ "tower-rs",
+]
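Review bot: `[sources.allow-org]` with `github = ["ZcashFoundation", "zcash", "hyperium", "tower-rs"]` permits any repository under those four organisations, which is considerably wider than the per-repository `allow-git` list above it, so `check sources` will not flag a new git dependency that happens to live in one of those orgs. If the set of git dependencies is known, listing them in `allow-git` (as is already done for `sentry-tracing` and `redjubjub`) keeps each addition visible in review; otherwise a comment above `github = [` recording why the org-level allowance is needed, e.g. `# Org-level allow: ticket #2200 pulls several hyperium/tower-rs repos; narrow to allow-git once fixed`, would help the next reader. Separately, each `skip-tree` entry such as `{ name = "tokio", version = "=0.2.23" }` excludes that crate's whole transitive tree from duplicate detection, so new duplicates introduced anywhere under the old tokio tree go unreported until the ticket removes the entry; noting that in the `skip-tree` comment would make it clear the list is meant to shrink. The `[advisories]` and `[licenses]` sections produced by `cargo deny init` were dropped and CI runs only `check bans` and `check sources`, so RustSec advisory auditing is not covered by this file; if it is handled elsewhere, a one-line comment at the top saying so would save the question.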