
feat(ci): generate the cargo-deny workflow from xtask #4294

Open: synoet wants to merge 1 commit into main from cargo-deny-workflow

Conversation

@synoet synoet (Contributor) commented Jun 23, 2026

Generate the cargo-deny workflow from Rust

Ports .github/workflows/cargo-deny.yml to the xtask + gh-workflow system
added in #4276 — one snake_case module (cargo_deny.rs) generates
cargo_deny.yml via cargo x workflows, guarded by the drift-check.

Same name ("cargo deny check"), PR triggers + paths filter, and concurrency.
Runs on the existing namespace-profile-linux-small runner.

Key change vs the original: it used EmbarkStudios/cargo-deny-action, a
Docker container action (runs.using: docker) that rebuilds an image every
run and needs Docker on the runner — for a Cargo.lock scan. This instead
installs the prebuilt cargo-deny binary (taiki-e/install-action, pinned to
cargo-deny@0.19.9 for reproducibility) and runs cargo deny check
directly: no Docker, no per-run image build.

All actions SHA-pinned. Reuses the shared checkout / setup-rust /
concurrency / Runner helpers — no new runner profile.

Regenerate: cargo x workflows from rust/cloud-storage (--check verifies sync).

🤖 Generated with Claude Code

coderabbitai Bot commented Jun 23, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b8204b0b-5a09-463a-8ba9-a1de15501599

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

The handwritten .github/workflows/cargo-deny.yml is deleted and replaced with a generated .github/workflows/cargo_deny.yml. To support generation, the xtask tool gains a new Runner::Ubuntu2204 enum variant (mapped to "ubuntu-22.04"), a new cargo_deny workflow builder module defining the workflow's PR triggers, path filters, concurrency settings, job, and pinned EmbarkStudios/cargo-deny-action step, and a corresponding WorkflowFile registration in the WORKFLOWS array so the workflow participates in generation and staleness checks.

🚥 Pre-merge checks: 4 passed

  • Title check: ✅ Passed. The title follows conventional commits format with 'feat(ci):' prefix and clearly describes the main change: generating the cargo-deny workflow from xtask. At 53 characters, it is well under the 72-character limit.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: ✅ Passed. The pull request description clearly explains the intent to port cargo-deny.yml to the xtask workflow system, detailing the key architectural change from Docker-based action to binary installation and regeneration instructions.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@rust/cloud-storage/tools/xtask/src/workflows/cargo_deny.rs`:
- Around line 11-28: The cargo_deny() function is missing an explicit
permissions configuration in the Workflow builder chain, which allows the GitHub
token to default to overly broad scope. Add a .permissions() method call to the
Workflow builder in cargo_deny() to explicitly set minimal permissions with at
least contents: read access. Insert this method call into the builder chain
alongside the existing .on(), .concurrency(), and .add_job() calls to align with
the permissions pattern already established in other workflow generators like
pulumi-preview-pr.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a487fa6b-be97-4b7b-8df6-6e1e15972a08

📥 Commits

Reviewing files that changed from the base of the PR and between 60d6839 and feda27a.

📒 Files selected for processing (5)
  • .github/workflows/cargo-deny.yml
  • .github/workflows/cargo_deny.yml
  • rust/cloud-storage/tools/xtask/src/workflows/cargo_deny.rs
  • rust/cloud-storage/tools/xtask/src/workflows/mod.rs
  • rust/cloud-storage/tools/xtask/src/workflows/runners.rs
💤 Files with no reviewable changes (1)
  • .github/workflows/cargo-deny.yml

Comment on lines +11 to +28
pub fn cargo_deny() -> Workflow {
Workflow::new("cargo deny check")
.on(Event::default().pull_request(
PullRequest::default()
.add_branch("main")
.add_type(PullRequestType::Opened)
.add_type(PullRequestType::Synchronize)
.add_type(PullRequestType::Reopened)
.add_type(PullRequestType::ReadyForReview)
.add_path("rust/cloud-storage/Cargo.toml")
.add_path("rust/cloud-storage/**/Cargo.toml")
.add_path("rust/cloud-storage/Cargo.lock")
.add_path("rust/cloud-storage/deny.toml")
.add_path(".github/workflows/cargo_deny.yml"),
))
.concurrency(vars::concurrency("cargo-deny"))
.add_job("cargo-deny", cargo_deny_job())
}
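Review bot: the builder chain declares no permissions, so the generated cargo_deny.yml carries no top-level `permissions:` and the job's GITHUB_TOKEN inherits the repository's default scope; a Cargo.lock scan only needs to read the checkout, so add a `.permissions(...)` call granting read-only `contents` next to `.concurrency(vars::concurrency("cargo-deny"))` and regenerate with `cargo x workflows` (`--check` confirms the YAML is in sync).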


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify missing explicit permissions in both source generator and generated YAML.
rg -n 'permissions' rust/cloud-storage/tools/xtask/src/workflows/cargo_deny.rs
rg -n '^permissions:' .github/workflows/cargo_deny.yml

Repository: macro-inc/macro

Length of output: 153


🏁 Script executed:

#!/bin/bash

# Check if the generated workflow file exists and read it
if [ -f .github/workflows/cargo_deny.yml ]; then
  echo "=== Generated YAML file exists ===" 
  head -50 .github/workflows/cargo_deny.yml
else
  echo "Generated YAML file not found"
fi

# Check the generator source more carefully
echo ""
echo "=== Checking generator source ==="
cat -n rust/cloud-storage/tools/xtask/src/workflows/cargo_deny.rs 2>/dev/null | head -40

# Check if there's a base Workflow struct that might handle permissions
echo ""
echo "=== Checking Workflow struct definition ==="
find rust/cloud-storage/tools/xtask/src -name "*.rs" -type f | xargs grep -l "struct Workflow" | head -5

Repository: macro-inc/macro

Length of output: 3185


🏁 Script executed:

#!/bin/bash

# Search more broadly in the generator code for permissions handling
echo "=== Searching for permissions in workflow generator code ==="
rg 'permission' rust/cloud-storage/tools/xtask/src/workflows/ -A 2 -B 2

# Check other generated workflows to see if they have permissions
echo ""
echo "=== Checking for permissions in other workflows ==="
rg '^permissions:' .github/workflows/

Repository: macro-inc/macro

Length of output: 390


🏁 Script executed:

#!/bin/bash

# Check the Workflow builder implementation
echo "=== Looking for Workflow implementation ==="
ast-grep outline rust/cloud-storage/tools/xtask/src/workflows/ --match "impl Workflow"

Repository: macro-inc/macro

Length of output: 211


🏁 Script executed:

#!/bin/bash

# Check if gh_workflow is a local crate or external
echo "=== Looking for gh_workflow crate ==="
find rust/cloud-storage/tools/xtask -name "Cargo.toml" -exec grep -l "gh_workflow\|gh-workflow" {} \;

# Look at Cargo.toml to see the dependency
echo ""
echo "=== Checking Cargo.toml for gh_workflow ==="
grep -A 5 "gh.workflow\|gh-workflow" rust/cloud-storage/tools/xtask/Cargo.toml

# Check other workflows to see how they set permissions
echo ""
echo "=== Checking permissions in other workflows ==="
head -30 .github/workflows/pulumi-preview-pr.yml | grep -A 3 "^permissions:"

# Check if there are other cargo_deny related workflows
echo ""
echo "=== Checking for other cargo_deny workflows ==="
ls -la .github/workflows/ | grep -i deny

Repository: macro-inc/macro

Length of output: 544


🏁 Script executed:

#!/bin/bash

# Look at how other generator workflows handle permissions
echo "=== Checking other workflow generators ==="
ast-grep outline rust/cloud-storage/tools/xtask/src/workflows/ --match "pub fn" -B 2

# Search specifically for any permissions-related functions in the workflow module
echo ""
echo "=== Looking for permissions method in workflow generator ==="
find rust/cloud-storage/tools/xtask/src -name "*.rs" -type f | xargs grep -l "permissions"

Repository: macro-inc/macro

Length of output: 428


🏁 Script executed:

#!/bin/bash

# Look at a specific workflow that has permissions to understand the pattern
echo "=== Example workflow with permissions ==="
head -40 .github/workflows/pulumi-preview-pr.yml

# Check if there are any generator sources for workflows that have permissions
echo ""
echo "=== Checking generator source for pulumi workflow ==="
grep -r "pulumi.preview\|pulumi-preview" rust/cloud-storage/tools/xtask/src/workflows/ --include="*.rs" | head -5

Repository: macro-inc/macro

Length of output: 1354


🏁 Script executed:

#!/bin/bash

# Let's check the gh-workflow crate documentation/usage to see if it supports permissions
echo "=== Checking all workflow generators for patterns ==="
ls -la rust/cloud-storage/tools/xtask/src/workflows/*.rs

# List all generated workflow files
echo ""
echo "=== All generated workflow files ==="
ls -la .github/workflows/ | grep -E "\.yml$" | head -20

# Check a few generated workflows to see if ANY have permissions
echo ""
echo "=== Checking permissions in all generated workflows ==="
rg '^permissions:' .github/workflows/ | head -20

Repository: macro-inc/macro

Length of output: 2664


🏁 Script executed:

#!/bin/bash

# Check the imports in the Workflow struct to understand what's available
echo "=== Checking gh_workflow import and available methods ==="
rg "use.*gh_workflow" rust/cloud-storage/tools/xtask/src/workflows/ -A 5

# Let's look for all methods called on Workflow in the generators
echo ""
echo "=== All Workflow builder methods used in generators ==="
rg "Workflow::new|\.on\(|\.concurrency|\.add_job|\.permissions" rust/cloud-storage/tools/xtask/src/workflows/ --no-heading

Repository: macro-inc/macro

Length of output: 5325


🏁 Script executed:

#!/bin/bash

# Check if pulumi-preview-pr.yml is generated (has the generated header comment)
echo "=== Checking if pulumi-preview-pr.yml is generated ==="
head -5 .github/workflows/pulumi-preview-pr.yml

# Check if cancel-stuck-cloud-storage-deploys.yml is generated
echo ""
echo "=== Checking if cancel-stuck-cloud-storage-deploys.yml is generated ==="
head -5 .github/workflows/cancel-stuck-cloud-storage-deploys.yml

# Check if there's a generator for pulumi-preview-pr
echo ""
echo "=== Checking for pulumi-preview generator ==="
find rust/cloud-storage/tools/xtask/src/workflows -name "*.rs" | xargs grep -l "pulumi"

# Look at the gh_workflow crate in Cargo.lock to see what version and check docs online
echo ""
echo "=== Checking gh_workflow in Cargo.lock ==="
grep -A 5 "name = \"gh-workflow\"" Cargo.lock | head -10

Repository: macro-inc/macro

Length of output: 581


🌐 Web query:

gh-workflow crate 0.8 permissions Workflow builder

💡 Result:

In the gh-workflow Rust crate (version 0.8+), permissions for GitHub Actions workflows are managed via the Permissions struct [1][2]. This struct allows you to define the access levels granted to the GITHUB_TOKEN for either the entire workflow or individual jobs [3][4]. You can set permissions by using the.permissions method, which is available on both the Workflow and Job structs [3][4]. Workflow permissions example: let workflow = Workflow::default.permissions(Permissions::read_all).add_job("my-job", Job::new("Job Name")...); Job permissions example: let job = Job::new("Job Name").permissions(Permissions::write_all); The Permissions struct provides a type-safe way to configure these settings, which correspond to the permissions key in GitHub Actions YAML files [3][5]. For specific access control, you can construct a Permissions instance with the necessary granular settings (such as content: PermissionLevel::Read or packages: PermissionLevel::Write) to ensure the GITHUB_TOKEN only has the minimal required access [1].


🏁 Script executed:

#!/bin/bash

# Check the GitHub Actions security best practices
# and see what permissions the cargo-deny action actually needs
echo "=== Checking cargo-deny action documentation ==="

# Let's check what the generated YAML structure looks like for our workflow
echo ""
echo "=== Full generated cargo_deny.yml content ==="
cat .github/workflows/cargo_deny.yml

# Check if there's documentation about permissions in the repo
echo ""
echo "=== Searching for permissions documentation in repo ==="
find . -name "*.md" -type f | xargs grep -l "permissions:" 2>/dev/null | head -5

Repository: macro-inc/macro

Length of output: 1236


Add explicit minimal permissions to the workflow generator.

The cargo_deny.yml workflow currently lacks an explicit permissions block, causing the GITHUB_TOKEN to default to the repository's broad default scope. The gh-workflow crate (v0.8+) supports the .permissions() method on Workflow and Job builders, so add at least contents: read to the workflow generator in cargo_deny.rs. This aligns with the pattern already followed in other workflows (e.g., pulumi-preview-pr.yml).

Source: Linters/SAST tools
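A guard for the finding above, as an added example (not CodeRabbit's or the xtask project's code): a dependency-free scanner that reports a workflow with no permissions block at either the workflow or job level, a write-all grant, or a job that still holds a write scope. The sample YAML is constructed to resemble the generated cargo_deny.yml the PR describes, not copied from the repository.

```python
import re
# Constructed sample shaped like the generated cargo_deny.yml the PR describes; not the real file.
SAMPLE_NO_PERMS = """\
name: cargo deny check
on:
  pull_request:
jobs:
  cargo-deny:
    runs-on: namespace-profile-linux-small
    steps:
      - run: cargo deny check
"""
# The same workflow with the read-only grant the review asks for.
SAMPLE_FIXED = SAMPLE_NO_PERMS.replace("on:\n", "permissions:\n  contents: read\non:\n", 1)

_KEY = re.compile(r"^( *)([A-Za-z0-9_.-]+):(.*)$")  # indent, key, inline value
_indent = lambda line: len(line) - len(line.lstrip(" "))

def _blocks(lines, indent=None):
    # Yield (key, inline value, child lines) for mapping entries at one indent level.
    if indent is None:  # default to the level of the first non-blank line
        indent = next((_indent(l) for l in lines if l.strip()), -1)
    i = 0
    while i < len(lines):
        m = _KEY.match(lines[i])
        j = i + 1
        if m and len(m.group(1)) == indent:
            # children run until the next non-blank line at this indent or shallower
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > indent):
                j += 1
            yield m.group(2), m.group(3).strip(), lines[i + 1:j]
        i = j

def _perm_findings(value, children, where):
    # One permissions entry, written either as a scalar or as a mapping of scopes.
    if value == "write-all":
        return [f"{where}: permissions write-all grants every scope"]
    return [f"{where}: {k}: write granted; confirm the job needs it"
            for k, v, _ in _blocks(children) if v == "write"]

def check_permissions(yaml_text):
    """Findings for a workflow whose GITHUB_TOKEN scope is not pinned down."""
    top = {k: (v, c) for k, v, c in _blocks(yaml_text.splitlines(), 0)}
    wf = top.get("permissions")
    findings = _perm_findings(*wf, "workflow") if wf else []
    for job, _, body in _blocks(top.get("jobs", ("", []))[1]):
        own = {k: (v, c) for k, v, c in _blocks(body)}.get("permissions")
        if own:
            findings += _perm_findings(*own, f"job {job}")
        elif wf is None:
            findings.append(f"job {job}: no permissions declared; GITHUB_TOKEN uses the repository default")
    return findings
```

Running it over every file in .github/workflows/ after `cargo x workflows` turns the reviewer's `rg '^permissions:'` spot check into a repeatable gate alongside the existing drift check.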

@synoet synoet force-pushed the cargo-deny-workflow branch 2 times, most recently from 243264c to e7a2600 on June 23, 2026 22:41
Port .github/workflows/cargo-deny.yml to the Rust-generated workflow
system (slug cargo_deny -> cargo_deny.yml). Same name, PR triggers +
paths filter, concurrency; runs on namespace-profile-linux-small.

Instead of EmbarkStudios/cargo-deny-action (a Docker container action
that rebuilds an image every run), install cargo-deny as a prebuilt
binary via taiki-e/install-action (pinned to 0.19.9) and run
'cargo deny check' directly: no Docker, no per-run image build. All
actions SHA-pinned.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 participant