diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 4b18fa9..deba163 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -167,7 +167,7 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
         with:
           components: clippy
-      - run: cargo clippy --locked --all-features -- --deny warnings
+      - run: cargo clippy --locked --all-features --all-targets -- --deny warnings
 
   clippy-nightly:
     name: Clippy (Nightly)
@@ -181,5 +181,4 @@ jobs:
         uses: dtolnay/rust-toolchain@nightly
         with:
           components: clippy
-      - run: cargo clippy --locked --all-features -- --deny warnings
-
+      - run: cargo clippy --locked --all-features --all-targets -- --deny warnings
diff --git a/src/lib.rs b/src/lib.rs
index 0bb35d3..0c8f224 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -404,7 +404,7 @@ mod tests {
     fn from_env_bad_dir_perms() {
         // Create a temp dir that we can't read from.
         let temp_dir = tempfile::TempDir::new().unwrap();
-        fs::set_permissions(temp_dir.path(), Permissions::from_mode(0)).unwrap();
+        fs::set_permissions(temp_dir.path(), Permissions::from_mode(0o000)).unwrap();
 
         test_cert_paths_bad_perms(CertPaths {
             file: None,
@@ -420,7 +420,7 @@ mod tests {
         let file_path = temp_dir.path().join("unreadable.pem");
         let cert_file = File::create(&file_path).unwrap();
         cert_file
-            .set_permissions(Permissions::from_mode(0))
+            .set_permissions(Permissions::from_mode(0o000))
             .unwrap();
 
         test_cert_paths_bad_perms(CertPaths {
diff --git a/tests/compare_mozilla.rs b/tests/compare_mozilla.rs
index e01614e..64522d1 100644
--- a/tests/compare_mozilla.rs
+++ b/tests/compare_mozilla.rs
@@ -67,7 +67,7 @@ fn test_does_not_have_many_roots_unknown_by_mozilla() {
     let mut missing_in_moz_roots = 0;
 
     for cert in &native {
-        let cert = anchor_from_trusted_cert(&cert).unwrap();
+        let cert = anchor_from_trusted_cert(cert).unwrap();
         if let Some(moz) = mozilla.get(cert.subject_public_key_info.as_ref()) {
             assert_eq!(cert.subject, moz.subject, "subjects differ for public key");
         } else {
@@ -103,7 +103,7 @@ fn test_contains_most_roots_known_by_mozilla() {
 
     let mut native_map = HashMap::new();
     for anchor in &native {
-        let cert = anchor_from_trusted_cert(&anchor).unwrap();
+        let cert = anchor_from_trusted_cert(anchor).unwrap();
         let spki = cert.subject_public_key_info.as_ref();
         native_map.insert(spki.to_owned(), anchor);
     }
@@ -111,10 +111,7 @@ fn test_contains_most_roots_known_by_mozilla() {
     let mut missing_in_native_roots = 0;
     let mozilla = webpki_roots::TLS_SERVER_ROOTS;
     for cert in mozilla {
-        if native_map
-            .get(cert.subject_public_key_info.as_ref())
-            .is_none()
-        {
+        if !native_map.contains_key(cert.subject_public_key_info.as_ref()) {
             println!(
                 "Mozilla anchor {:?} is missing from native set",
                 stringify_x500name(&cert.subject)
@@ -152,7 +149,7 @@ fn util_list_certs() {
     let native = rustls_native_certs::load_native_certs().unwrap();
 
     for (i, cert) in native.iter().enumerate() {
-        let cert = anchor_from_trusted_cert(&cert).unwrap();
+        let cert = anchor_from_trusted_cert(cert).unwrap();
         println!("cert[{i}] = {}", stringify_x500name(&cert.subject));
     }
 }