-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Mahdi Baghbani <[email protected]>
- Loading branch information
1 parent
2634053
commit ff38811
Showing
2 changed files
with
54 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -15,12 +15,20 @@ on: | |
| jobs: | ||
| audit: | ||
| runs-on: ubuntu-22.04 | ||
| strategy: | ||
| matrix: | ||
| checks: | ||
| - advisories | ||
| - bans licenses sources | ||
|
|
||
| # Prevent sudden announcement of a new advisory from failing ci: | ||
| continue-on-error: ${{ matrix.checks == 'advisories' }} | ||
|
|
||
| steps: | ||
| # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: rust-audit-check | ||
| uses: actions-rs/[email protected] | ||
| - uses: EmbarkStudios/cargo-deny-action@v1 | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| command: check ${{ matrix.checks }} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| # cargo-deny is really only ever intended to run on the "normal" tier-1 targets | ||
| targets = [ | ||
| { triple = "x86_64-unknown-linux-gnu" }, | ||
| { triple = "aarch64-unknown-linux-gnu" }, | ||
| { triple = "x86_64-unknown-linux-musl" }, | ||
| { triple = "aarch64-apple-darwin" }, | ||
| { triple = "x86_64-apple-darwin" }, | ||
| { triple = "x86_64-pc-windows-msvc" }, | ||
| ] | ||
|
|
||
| [advisories] | ||
| vulnerability = "deny" | ||
| unmaintained = "deny" | ||
| notice = "deny" | ||
| unsound = "deny" | ||
|
|
||
| [sources] | ||
| unknown-registry = "deny" | ||
| unknown-git = "deny" | ||
|
|
||
| [licenses] | ||
| unlicensed = "deny" | ||
| allow-osi-fsf-free = "both" | ||
| copyleft = "allow" | ||
| # We want really high confidence when inferring licenses from text | ||
| confidence-threshold = 0.93 | ||
|
|
||
| exceptions = [ | ||
| { allow = ["OpenSSL"], name = "ring" }, | ||
| { allow = ["Unicode-DFS-2016"], name = "unicode-ident" }, | ||
| ] | ||
|
|
||
| [[licenses.clarify]] | ||
| name = "ring" | ||
| # SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses | ||
| # https://spdx.org/licenses/OpenSSL.html | ||
| # ISC - Both BoringSSL and ring use this for their new files | ||
| # MIT - "Files in third_party/ have their own licenses, as described therein. The MIT | ||
| # license, for third_party/fiat, which, unlike other third_party directories, is | ||
| # compiled into non-test libraries, is included below." | ||
| # OpenSSL - Obviously | ||
| expression = "ISC AND MIT AND OpenSSL" | ||
| license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }] |