Setup cargo-deny #358
Setup cargo-deny #358
Conversation
.github/workflows/ci.yml
Outdated
|
|
||
| - uses: EmbarkStudios/cargo-deny-action@v1 | ||
| with: | ||
| command: check ${{ matrix.checks }} |
There was a problem hiding this comment.
This has been copied from https://github.com/EmbarkStudios/cargo-deny-action#recommended-pipeline-to-avoid-sudden-breakages
| "MIT", | ||
| "Apache-2.0", |
There was a problem hiding this comment.
I have set these licenses.
| #"Nokia", | ||
| ] | ||
| # Lint level for licenses considered copyleft | ||
| copyleft = "deny" |
There was a problem hiding this comment.
And denied copyleft licenses.
| # Certain crates/versions that will be skipped when doing duplicate detection. | ||
| skip = [ | ||
| #{ name = "ansi_term", version = "=0.11.0" }, | ||
| { name = "cfg-if", version = "=0.1.10" }, |
There was a problem hiding this comment.
cfg-if exists both in version 0.1 and 1.0 in the dependency tree.
|
|
||
| [sources.allow-org] | ||
| # 1 or more github.com organizations to allow git sources for | ||
| github = ["GraphiteEditor"] |
There was a problem hiding this comment.
All git dependencies from this organization should be fine.
| @@ -3,6 +3,7 @@ name = "graphite-proc-macros" | |||
| version = "0.1.0" | |||
| authors = ["Graphite Authors <[email protected]>"] | |||
| edition = "2018" | |||
| license = "Apache-2.0" | |||
There was a problem hiding this comment.
cargo-deny complained about the missing license here.
|
Actually one thing I noticed: Is it possible to alter this so we only get 1 entry in there? Or even 0 entries (include it as a step in |
This two entry scheme suggested at https://github.com/EmbarkStudios/cargo-deny-action#recommended-pipeline-to-avoid-sudden-breakages to allow CI to still pass when there are new advisories, while still preventing it from passing when there are other problems and to still show if there are new advisories.
What do you mean? What does Cloudflare have to do with this? |
.github/workflows/ci.yml
Outdated
| - advisories | ||
| - bans licenses sources |
There was a problem hiding this comment.
Do you know if it would be possible to rename the actions (as they are displayed in GitHub) to "security advisories" and "banned licenses"? I didn't understand what "advisories" meant (security, not license compatibility) and "bans licenses sources" is verbose and grammatically awkward. If that is not possible to change since it is calling the action directly by that name, no worries!
There was a problem hiding this comment.
Excellent! I feel bad to nitpick but I'll bring it up, however I don't feel strongly about this:
Do you think the "and crates" part of "banned licenses and crates" is redundant? Besides crates, what else would the banned licenses apply to? It makes it kind of long. Perhaps "banned crate licenses" would be a good middle ground, as it's both descriptive and shorter, and distinguishes from the node.js ecosystem licenses?
There was a problem hiding this comment.
You can explicitly ban crates even if they have a compatible license.
* Setup cargo-deny * Nicer job names
* Setup cargo-deny * Nicer job names
Part of #294
This change is