From a0b377c61b10e47826c697ce75e4bb0d3b0ee59d Mon Sep 17 00:00:00 2001
From: 0xfourzerofour
Date: Wed, 27 Sep 2023 08:38:40 -0400
Subject: [PATCH] chore(licenses): Add CI job when cargo.toml or lock file changes
---
 .github/workflows/license-check.yaml | 14 ++++
 deny.toml | 96 ++++++++++++++++++++++++++++
 2 files changed, 110 insertions(+)
 create mode 100644 .github/workflows/license-check.yaml
 create mode 100644 deny.toml
diff --git a/.github/workflows/license-check.yaml b/.github/workflows/license-check.yaml
new file mode 100644
index 000000000..3daedde8a
--- /dev/null
+++ b/.github/workflows/license-check.yaml
@@ -0,0 +1,14 @@
+name: Cargo Deny
+on:
+ pull_request:
+ paths:
+ - '**/Cargo.lock'
+ - '**/Cargo.toml'
+jobs:
+ cargo-deny:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: EmbarkStudios/cargo-deny-action@v1
+ with:
+ command: check bans licenses sources
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 000000000..c6cb720f9
--- /dev/null
+++ b/deny.toml
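Review bot: `command: check bans licenses sources` on the last line of the hunk omits `advisories`, so the `[advisories]` section this same commit adds to deny.toml (`vulnerability = "deny"`) is never enforced by this job; if that is deliberate (the advisory database fetch needs network access), record it in a comment, otherwise change the line to `command: check advisories bans licenses sources`. Because the job only fires on `pull_request` with `paths` limited to Cargo.toml and Cargo.lock, an advisory published against an already-locked dependency would not surface until the next dependency change; a `schedule:` trigger alongside `pull_request` would close that gap. The job also declares no `permissions:` block and references both actions by mutable tag (`actions/checkout@v3`, `EmbarkStudios/cargo-deny-action@v1`); a job-level `permissions: contents: read` and pinning each `uses:` to a full-length commit SHA would limit the workflow token and reduce the supply-chain exposure of the check itself.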
@@ -0,0 +1,96 @@
+# This section is considered when running `cargo deny check advisories`
+# More documentation for the advisories section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+[advisories]
+vulnerability = "deny"
+unmaintained = "warn"
+unsound = "warn"
+yanked = "warn"
+notice = "warn"
+
+# This section is considered when running `cargo deny check bans`.
+# More documentation about the 'bans' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+# Lint level for when multiple versions of the same crate are detected
+multiple-versions = "warn"
+# Lint level for when a crate version requirement is `*`
+wildcards = "warn"
+highlight = "all"
+# List of crates to deny
+deny = [
+ # Each entry the name of a crate and a version range. If version is
+ # not specified, all versions will be matched.
+ #{ name = "ansi_term", version = "=0.11.0" },
+]
+# Certain crates/versions that will be skipped when doing duplicate detection.
+skip = []
+# Similarly to `skip` allows you to skip certain crates during duplicate
+# detection. Unlike skip, it also includes the entire tree of transitive
+# dependencies starting at the specified crate, up to a certain depth, which is
+# by default infinite
+skip-tree = []
+
+[licenses]
+unlicensed = "deny"
+confidence-threshold = 0.9
+copyleft = "deny"
+
+# List of explicitly allowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
+allow = [
+ "MIT",
+ "MIT-0",
+ "Apache-2.0",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "Unlicense",
+ "MPL-2.0",
+ "Zlib",
+]
+
+# Allow 1 or more licenses on a per-crate basis, so that particular licenses
+# aren't accepted for every possible crate as with the normal allow list
+exceptions = [
+ { allow = ["CC0-1.0"], name = "tiny-keccak" },
+ { allow = ["Unicode-DFS-2016"], name = "unicode-ident" },
+ { allow = ["OpenSSL"], name = "ring" },
+]
+
+
+# This section is considered when running `cargo deny check sources`.
+# More documentation about the 'sources' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+# Lint level for what to happen when a crate from a crate registry that is not
+# in the allow list is encountered
+unknown-registry = "deny"
+# Lint level for what to happen when a crate from a git repository that is not
+# in the allow list is encountered
+unknown-git = "deny"
+
+[[licenses.clarify]]
+name = "ring"
+# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
+# https://spdx.org/licenses/OpenSSL.html
+# ISC - Both BoringSSL and ring use this for their new files
+# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
+# license, for third_party/fiat, which, unlike other third_party directories, is
+# compiled into non-test libraries, is included below."
+# OpenSSL
+expression = "ISC AND MIT AND OpenSSL"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "ISC"
+license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
+
+# Actually "ISC-style"
+[[licenses.clarify]]
+name = "rustls-webpki"
+expression = "ISC"
+license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
+
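Review bot: The three `[[licenses.clarify]]` tables at the end of the hunk are defined after `[sources]`, which splits the licenses configuration across the file; move them to sit directly below the `exceptions` array, ahead of the comment block that introduces `[sources]`, so every key that affects license evaluation reads together, and collapse the doubled blank line after `exceptions` while there. `copyleft = "deny"` and `"MPL-2.0"` in `allow` look contradictory at first glance; if I read cargo-deny's precedence correctly the explicit allow wins, and a comment above that entry such as `# MPL-2.0 is weak copyleft; listed explicitly so the allow takes precedence over copyleft = "deny"` would record that this is intended rather than an oversight. The `webpki` and `rustls-webpki` clarify entries share the same `license-files` hash `0x001c7e6c`, which is plausible if the fork ships the identical LICENSE text but reads like a copy-paste slip; a short comment on the second entry saying the file is byte-identical to webpki's would settle it for the next reader.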