Harden dependency policy with strict cargo-deny and CI enforcement#45

Merged
TKorr merged 1 commit into main from gh-actions-scan-e66f3 on Mar 1, 2026
Conversation

Contributor

@TKorr TKorr commented Mar 1, 2026

Summary

  • Add a new top-level deny.toml with strict policy checks across advisories, bans, licenses, and sources.
  • Enforce dependency policy in PR/push CI via a new cargo-deny job running cargo deny check all.
  • Refactor maintenance.yml to run weekly dependency-policy drift checks with cargo-deny and keep a latest-stable workspace smoke test.
  • Tighten workspace dependency declarations to satisfy strict bans (wildcards = "deny") by adding explicit version fields on local path dependencies.
  • Keep license policy strict (MIT/Apache-2.0) with minimal targeted exceptions for unavoidable transitive licenses (unicode-ident + foldhash).

Why

  • Shifts security/compliance checks left so policy violations fail PRs early.
  • Uses one policy source of truth (deny.toml) instead of split checks.
  • Improves supply-chain controls across all execution paths (build, runtime, tests/dev tooling).

Key Files Changed

  • .github/workflows/ci.yml
  • .github/workflows/maintenance.yml
  • deny.toml (new)
  • Cargo.toml
  • bench-support/Cargo.toml

Test Plan

  • cargo deny check licenses
  • cargo deny check bans
  • cargo deny check sources
  • Verify GitHub Actions pass on PR:
    • CI / Cargo Deny
    • Maintenance / Dependency Policy (cargo-deny) (on schedule/manual run)

Notes

  • security-audit behavior is now covered by cargo-deny advisories checks.
  • Policy is intentionally strict; future third-party additions may require explicit, reviewed exceptions in deny.toml.
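
A deny.toml that expresses the policy summarized above, added here as an illustration; it is not the file merged in this PR and is not maintained by the project. The cargo-deny keys and section names are the tool's documented configuration, but the license identifiers in the two exceptions (Unicode-3.0 for unicode-ident, Zlib for foldhash) are assumptions about those crates' current licensing and should be confirmed with `cargo deny check licenses` before being relied on.

```toml
# deny.toml (illustrative; not the file from PR #45)

[graph]
# Resolve every feature so dev-, test- and bench-only dependencies are
# covered by the same policy as build and runtime dependencies.
all-features = true

[advisories]
version = 2
# Fail on yanked versions and on crates the RustSec database marks
# unmaintained; open vulnerability advisories fail by default.
yanked = "deny"
unmaintained = "all"
# Advisory IDs to ignore go here, each with a reviewed justification.
ignore = []

[licenses]
version = 2
# Only these SPDX identifiers are acceptable workspace-wide.
allow = ["MIT", "Apache-2.0"]
confidence-threshold = 0.8
# Targeted exceptions for transitive crates whose licenses cannot be avoided.
# The identifiers below are assumptions about those crates' licensing;
# verify them with `cargo deny check licenses`.
exceptions = [
  { crate = "unicode-ident", allow = ["Unicode-3.0"] },
  { crate = "foldhash", allow = ["Zlib"] },
]

[bans]
# Any `version = "*"` fails the check, including on path dependencies,
# which is why local path dependencies need an explicit version field.
wildcards = "deny"
allow-wildcard-paths = false
# Duplicate versions are reported but do not fail the build.
multiple-versions = "warn"
highlight = "all"
# Crates that are never allowed into the graph, with a reason for each.
deny = []
skip = []

[sources]
# Every dependency must come from crates.io; other registries and git
# sources are rejected unless listed explicitly.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
```

Running `cargo deny check all` against this file, as the CI job in the PR does, evaluates all four sections in one pass; a policy violation in any section returns a non-zero exit status, which is what makes the GitHub Actions job fail the PR.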

…Add a new `deny.toml` configuration for license and advisory management. Update `Cargo.toml` for `bench-support` and ensure consistent versioning across dependencies.
@TKorr TKorr self-assigned this Mar 1, 2026
@TKorr TKorr merged commit 0722ce0 into main Mar 1, 2026
17 checks passed
@TKorr TKorr deleted the gh-actions-scan-e66f3 branch March 1, 2026 17:41