chore(gha): setup cargo-deny (#3816)

JohnTitor · web-flow · commit 627af8ce57d6 · 2025-11-02T10:52:25.000+09:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -85,6 +85,10 @@ jobs:
       - name: CI cache clean
         run: cargo-ci-cache-clean
 
+      - name: deny check
+        if: matrix.version.name == 'stable' && matrix.target.os == 'ubuntu-latest'
+        uses: EmbarkStudios/cargo-deny-action@f2ba7abc2abebaf185c833c3961145a3c275caad # v2.0.13
+
   io-uring:
     name: io-uring tests
     runs-on: ubuntu-latest
diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,45 @@
+[licenses]
+confidence-threshold = 0.90
+allow = [
+    "Apache-2.0",
+    "MIT",
+    "Unicode-3.0",
+    "ISC",
+    "CDLA-Permissive-2.0",
+    "BSD-3-Clause",
+    "Zlib",
+    "OpenSSL",
+    "MPL-2.0"
+]
+private = { ignore = true }
+
+# FIXME: old rustls introduces old ring which is not set license field properly.
+[[licenses.clarify]]
+crate = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+# FIXME: webpki is almost unmaintained and is not set license field properly.
+# rustls has its own fork now so removing old rustls should resolve the issue.
+[[licenses.clarify]]
+crate = "webpki"
+expression = "ISC"
+license-files = [
+    { path = "LICENSE", hash = 0x001c7e6c }
+]
+
+[bans]
+multiple-versions = "allow"
+
+[bans.build]
+executables = "deny"
+
+[advisories]
+# because of old rustls support:
+ignore = [
+    "RUSTSEC-2024-0336",
+    "RUSTSEC-2025-0009",
+    "RUSTSEC-2025-0010"
+]
