Add a cargo deny workflow (#89)

* Add a cargo deny workflow Also trims out a pointless submodule checkout (we have none). * Remove no longer relevant advisories/allowances * Patch for array-bytes * Remove unused properties * Restore chrono advisory * Allow MPL-2.0, correct GPL-3.0 allowance specification * Properly ban copyleft, run on all crates * Exceptions for Serai crates (AGPL-3.0) * Remove top comments * Clarify reasoning for not checking advisories in CI * Run all checks in CI While this may bring down an unrelated commit, we can manually review, before creating a followup commit allowing it. If it's critical, then this did its job.
2025-12-09 04:39:24 +00:00 · 2022-11-16 20:53:35 -06:00
parent 4a3178ed8f
commit 56574f2f5b
5 changed files with 102 additions and 10 deletions
--- a/deny.toml
+++ b/deny.toml
@@ -0,0 +1,73 @@
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+
+vulnerability = "deny"
+yanked = "deny"
+notice = "warn"
+unmaintained = "warn"
+
+ignore = [
+  "RUSTSEC-2020-0071", # https://github.com/chronotope/chrono/issues/602
+]
+
+[licenses]
+unlicensed = "deny"
+
+allow = [
+  # Effective public domain
+  "CC0-1.0",
+  "Unlicense",
+
+  # Attribution required
+  "MIT",
+  "BSD-2-Clause",
+  "BSD-3-Clause",
+  "ISC",
+  "Unicode-DFS-2016",
+  "OpenSSL",
+
+  # Non-invasive copyleft
+  "MPL-2.0",
+  "Apache-2.0",
+  "Apache-2.0 WITH LLVM-exception",
+  "GPL-3.0 WITH Classpath-exception-2.0",
+]
+
+copyleft = "deny"
+allow-osi-fsf-free = "neither"
+default = "deny"
+
+exceptions = [
+  { allow = ["AGPL-3.0"], name = "ethereum-serai" },
+  { allow = ["AGPL-3.0"], name = "serai-processor" },
+
+  { allow = ["AGPL-3.0"], name = "serai-extension" },
+  { allow = ["AGPL-3.0"], name = "serai-multisig" },
+
+  { allow = ["AGPL-3.0"], name = "serai-runtime" },
+  { allow = ["AGPL-3.0"], name = "serai-consensus" },
+  { allow = ["AGPL-3.0"], name = "serai-node" },
+]
+
+[[licenses.clarify]]
+name = "ring"
+version = "*"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+  { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+[bans]
+multiple-versions = "warn"
+wildcards = "warn"
+highlight = "all"
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = [
+  "https://github.com/serai-dex/substrate",
+  "https://github.com/hack-ink/array-bytes"
+]