cargoLib.cargoDeny: init (#440)

---------

Co-authored-by: Ivan Petkov <[email protected]>

CHANGELOG.md

@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## Unreleased
 
+### Added
+* `cargoDeny` added for running [`cargo-deny`](https://github.com/EmbarkStudios/cargo-deny).
+
 ### Changed
 * The `use-zstd` artifact installation mode now uses a chained, incremental
   approach to avoid redundancy. Old behavior (taking a full snapshot of the

checks/cargoDeny.nix

@@ -0,0 +1,7 @@
+{ cargoDeny
+, buildDepsOnly
+}:
+
+cargoDeny {
+  src = ./simple-with-deny-toml;
+}

checks/default.nix

@@ -48,6 +48,8 @@ in
 
   cargoAuditTests = callPackage ./cargoAudit.nix { };
 
+  cargoDenyTests = callPackage ./cargoDeny.nix { };
+
   cargoLlvmCov = myLibLlvmTools.cargoLlvmCov {
     src = ./simple;
     cargoArtifacts = myLib.buildDepsOnly {

checks/simple-with-deny-toml/Cargo.toml

@@ -0,0 +1,8 @@
+[package]
+name = "simple"
+version = "0.1.0"
+edition = "2021"
+license = "CC0-1.0"
+
+[dependencies]
+byteorder = "*"

checks/simple-with-deny-toml/deny.toml

@@ -0,0 +1,5 @@
+[licenses]
+allow = [
+    "CC0-1.0",
+    "MIT"
+]

checks/simple-with-deny-toml/src/main.rs

@@ -0,0 +1,23 @@
+fn main() {
+    println!("Hello, world!");
+}
+
+#[test]
+fn first() {
+    assert_eq!(1 + 1, 2);
+}
+
+#[test]
+fn second() {
+    assert_eq!(84 / 2, 42);
+}
+
+#[test]
+fn third() {
+    assert_eq!(5 * 5, 25);
+}
+
+#[test]
+fn fourth() {
+    assert_eq!(81 / 3, 27);
+}

docs/API.md

@@ -337,6 +337,51 @@ environment variables during the build, you can bring them back via
 * `cargoAuditExtraArgs`
 * `cargoExtraArgs`
 
+### `craneLib.cargoDeny`
+`cargoDeny :: set -> drv`
+
+Create a derivation which will run a `cargo deny` invocation in a cargo
+workspace.
+
+Note that although `cargo deny` can serve as a replacement for `cargo audit`,
+`craneLib.cargoDeny` does not expose this functionality because `cargo deny`
+requires the full source tree, rather than working from just the `Cargo.lock`
+file, meaning it will be re-run when any source file changes, rather than only
+when dependencies change.
+
+Except where noted below, all derivation attributes are delegated to
+`mkCargoDerivation`, and can be used to influence its behavior.
+* `buildPhaseCargoCommand` will be set to run
+  `cargo --offline $cargoExtraArgs deny $cargoDenyExtraArgs check
+  $cargoDenyChecks` in the workspace.
+* `cargoArtifacts` will be set to `null`
+* `doInstallCargoArtifacts` will be set to `false`
+* `pnameSuffix` will be set to `"-deny"`
+
+#### Required attributes
+* `src`: The project source to audit, it must contain `Cargo.toml` and
+  `Cargo.lock` files.
+
+#### Optional attributes
+* `cargoDenyChecks`: check types to run
+  - Default value: `"bans licenses sources"`
+* `cargoDenyExtraArgs`: additional flags to be passed in the cargo-deny invocation
+  - Default value: `""`
+* `cargoExtraArgs`: additional flags to be passed in the cargo invocation
+  - Default value: `""`
+
+#### Native build dependencies
+The `cargo-deny` package is automatically appended as a native build input to any
+other `nativeBuildInputs` specified by the caller.
+
+#### Remove attributes
+The following attributes will be removed before being lowered to
+`mkCargoDerivation`. If you absolutely need these attributes present as
+environment variables during the build, you can bring them back via
+`.overrideAttrs`.
+* `cargoDenyExtraArgs`
+* `cargoExtraArgs`
+
 ### `craneLib.cargoBuild`
 
 `cargoBuild :: set -> drv`

examples/quick-start/Cargo.toml

@@ -2,6 +2,7 @@
 name = "quick-start"
 version = "0.1.0"
 edition = "2021"
+license = "MIT"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

examples/quick-start/deny.toml

@@ -0,0 +1,4 @@
+[licenses]
+allow = [
+  "MIT"
+]

examples/quick-start/flake.nix

@@ -98,6 +98,11 @@
             inherit src advisory-db;
           };
 
+          # Audit licenses
+          my-crate-deny = craneLib.cargoDeny {
+            inherit src;
+          };
+
           # Run tests with cargo-nextest
           # Consider setting `doCheck = false` on `my-crate` if you do not want
           # the tests to run twice

lib/cargoDeny.nix

@@ -0,0 +1,28 @@
+{ cargo-deny
+, mkCargoDerivation
+}:
+
+{ cargoDenyExtraArgs ? ""
+, cargoDenyChecks ? "bans licenses sources"
+, cargoExtraArgs ? ""
+, src
+, ...
+}@origArgs:
+let
+  args = builtins.removeAttrs origArgs [
+    "cargoDenyExtraArgs"
+    "cargoExtraArgs"
+  ];
+in
+mkCargoDerivation (args // {
+  buildPhaseCargoCommand = ''
+    cargo --offline ${cargoExtraArgs} \
+      deny ${cargoDenyExtraArgs} check ${cargoDenyChecks}
+  '';
+
+  cargoArtifacts = null;
+  doInstallCargoArtifacts = false;
+  pnameSuffix = "-deny";
+
+  nativeBuildInputs = (args.nativeBuildInputs or [ ]) ++ [ cargo-deny ];
+})

lib/default.nix

@@ -19,6 +19,7 @@ in
   cargoAudit = callPackage ./cargoAudit.nix { };
   cargoBuild = callPackage ./cargoBuild.nix { };
   cargoClippy = callPackage ./cargoClippy.nix { };
+  cargoDeny = callPackage ./cargoDeny.nix { };
   cargoDoc = callPackage ./cargoDoc.nix { };
   cargoFmt = callPackage ./cargoFmt.nix { };
   cargoHelperFunctionsHook = callPackage ./setupHooks/cargoHelperFunctions.nix { };