chore: add cargo-deny + dependency-review + commitlint workflows #22
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| { | ||
| "extends": ["@commitlint/config-conventional"], | ||
| "rules": { | ||
| "header-max-length": [2, "always", 100], | ||
| "body-max-line-length": [0, "always"], | ||
| "footer-max-line-length": [0, "always"], | ||
| "type-enum": [2, "always", [ | ||
| "build", "chore", "ci", "docs", "feat", "fix", | ||
| "perf", "refactor", "revert", "style", "test" | ||
| ]] | ||
| } | ||
| } |
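Review bot: the explicit `type-enum` list and `header-max-length` of 100 restate exactly what `@commitlint/config-conventional` already enforces, so the only behavioural change in this file is disabling `body-max-line-length` and `footer-max-line-length` (level 0). State why those two are switched off (JSON cannot carry a comment, so the PR description or CONTRIBUTING is the place), otherwise the next reader will assume it is an oversight and re-enable them; if pinning the type list is deliberate so an upstream change to the preset cannot widen it, say that too.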
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| name: cargo-deny | ||
|
|
||
| # License + advisory + ban policy enforcement via deny.toml. Runs on PR | ||
| # + push to main + manual dispatch. Mirrors the cargo-deny gate already | ||
| # running on the chain repo (sentrix-labs/sentrix). | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [main] | ||
| push: | ||
| branches: [main] | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| cargo-deny: | ||
| name: cargo-deny (licenses + advisories + bans) | ||
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||
| - uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2 | ||
| with: | ||
| command: check | ||
| arguments: --all-features |
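Review bot: `arguments: --all-features` duplicates `[graph] all-features = true` that this same PR adds to deny.toml; keep it in one place so the two cannot drift. The SHA pins with `# v5` / `# v2` comments are the right shape, but the comment is not verified by anything, so confirm the repo has a Dependabot `github-actions` (or Renovate) config that bumps the SHAs and rewrites those comments; otherwise the pins silently go stale.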
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| name: commitlint | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [main] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: read | ||
|
|
||
| jobs: | ||
| commitlint: | ||
| name: commitlint | ||
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6 | ||
| with: | ||
| configFile: .commitlintrc.json |
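Review bot: the trigger is `pull_request` only, so if the repository merges with squash, the commit that lands on main takes its message from the PR title, which this workflow never lints; add a PR-title check (or require merge commits) if conventional messages on main are the goal. `fetch-depth: 0` is the documented way to give wagoid/commitlint-github-action the PR's commit range, so it is fine, just be aware it clones full history on every run.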
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| name: Dependency review | ||
|
|
||
| # Runs GitHub's dependency-review-action on PRs. Diffs the lockfile | ||
| # changes vs the base branch and BLOCKS merge if newly-introduced | ||
| # dependencies have HIGH-severity vulnerabilities OR licenses outside | ||
| # our allowlist. Complements cargo-deny (full-tree post-merge gate) | ||
| # with a pre-merge diff-only gate. | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [main] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| dependency-review: | ||
| name: Dependency review | ||
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||
|
|
||
| - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4 | ||
| with: | ||
| fail-on-severity: high | ||
| # Mirror deny.toml [licenses].allow. | ||
| allow-licenses: MIT, Apache-2.0, Apache-2.0 WITH LLVM-exception, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, Unicode-DFS-2016, Unicode-3.0, CC0-1.0, Zlib, 0BSD, BUSL-1.1, CDLA-Permissive-2.0 | ||
| allow-dependencies-licenses: pkg:githubactions/Swatinem/rust-cache | ||
| comment-summary-in-pr: on-failure |
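Review bot: the header comment describes cargo-deny as a "full-tree post-merge gate", but the cargo-deny workflow in this same PR also triggers on `pull_request`, so both gates run pre-merge; reword the comment so it does not mislead. `allow-licenses` is a hand-copied mirror of `deny.toml [licenses].allow` and will drift as either list changes; a small CI step that parses both and fails on a mismatch is cheap insurance. `allow-dependencies-licenses: pkg:githubactions/Swatinem/rust-cache` exempts an action that none of the workflows in this PR reference; confirm it is used elsewhere in the repo or drop the line. `fail-on-severity: high` lets moderate advisories through, which is a defensible policy for an alpha SDK but should be stated in the comment alongside the HIGH threshold it already mentions.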
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| # cargo-deny configuration. Loaded by .github/workflows/cargo-deny.yml. | ||
| # See https://embarkstudios.github.io/cargo-deny/ | ||
|
|
||
| [graph] | ||
| all-features = true | ||
|
|
||
| [advisories] | ||
| yanked = "deny" | ||
| ignore = [ | ||
| # `paste` is unmaintained (author archived) but still a transitive dep | ||
| # of alloy / sqlx / prost. No vulnerability — just dormant. Mirrors | ||
| # the ignore in indexer-rs + the chain repo. | ||
| "RUSTSEC-2024-0436", | ||
| # `rustls-pemfile` is deprecated in favour of `rustls-pki-types`; | ||
| # transitive via reqwest -> rustls. No vulnerability. | ||
| "RUSTSEC-2025-0134", | ||
| ] | ||
|
|
||
| [licenses] | ||
| unused-allowed-license = "allow" | ||
| confidence-threshold = 0.8 | ||
| allow = [ | ||
| "MIT", | ||
| "Apache-2.0", | ||
| "Apache-2.0 WITH LLVM-exception", | ||
| "BSD-2-Clause", | ||
| "BSD-3-Clause", | ||
| "ISC", | ||
| "MPL-2.0", | ||
| "Unicode-DFS-2016", | ||
| "Unicode-3.0", | ||
| "CC0-1.0", | ||
| "Zlib", | ||
| "0BSD", | ||
| "BUSL-1.1", | ||
| # webpki-roots v1.x: CDLA-Permissive-2.0 (transitive via reqwest -> rustls). | ||
| "CDLA-Permissive-2.0", | ||
| ] | ||
|
|
||
| [bans] | ||
| # Multiple major versions tolerated for now; tighten later. | ||
| multiple-versions = "warn" | ||
| wildcards = "warn" | ||
| allow-wildcard-paths = true | ||
| highlight = "all" | ||
|
Comment on lines +40 to +45

🧹 Nitpick | 🔵 Trivial: Consider tightening ban policies in future iterations. The current configuration uses

Member (Author): Skip for now — the comment itself frames this as "in future iterations after baseline issues are resolved". sdk-rs is at v0.1.0-alpha.0 with active migration churn (the sentrix-proto extraction lands in #23). Tightening multiple-versions/wildcards to deny right now would block legitimate transitive duplicates from alloy/leptos ecosystems mid-migration. Revisit at 1.0 stabilisation.

Would you like me to open a GitHub issue tagged as a 1.0 milestone task to track the eventual tightening of these ban policies? That way it doesn't fall through the cracks when the migration settles.
||
|
|
||
| [sources] | ||
| unknown-registry = "deny" | ||
| unknown-git = "deny" | ||
| allow-git = [] | ||
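Review bot: the two `[advisories].ignore` entries keep their rationale only in comments, so nothing machine-readable ties the justification to the id; cargo-deny accepts table entries of the form `{ id = "RUSTSEC-2024-0436", reason = "..." }`, which surfaces the reason in the check output and makes it harder to carry an ignore forward unexamined. Neither ignore has an owner or revisit date, so they will outlive the `paste` and `rustls-pemfile` dependencies they excuse once alloy/sqlx/prost and reqwest move on; add one to each. The `[sources]` block (`unknown-registry` and `unknown-git` set to `"deny"`, `allow-git = []`) is the right default for a supply-chain gate and should stay that strict as the ban policies are loosened elsewhere.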
🧹 Nitpick | 🔵 Trivial
Repository: Sentriscloud/sdk-rs
Remove unused BUSL-1.1 license from the allowlist.
No dependencies in the tree use BUSL-1.1. While the configuration allows unused licenses without error, this entry in the allowlist serves no purpose and can be safely removed to keep the configuration clean.
Skip — kept for forward-compat. sdk-rs is the SDK for Sentrix Chain whose workspace crates are all BUSL-1.1. If a future iteration adds a workspace path-dep on a chain crate (e.g. for shared types between server + client), the allowlist needs BUSL-1.1 already. Removing now and re-adding later = churn. Harmless idle entry.
@satyakwok, that's a clear rationale — keeping BUSL-1.1 as a forward-compat entry makes sense given that the chain workspace crates are already BUSL-1.1 licensed, and unused-allowed-license = "allow" means the idle entry is entirely harmless. I'll note this for future reviews.