diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml index 446746b3..fb883f88 100644 --- a/.github/workflows/security-audit.yml +++ b/.github/workflows/security-audit.yml @@ -8,22 +8,22 @@ on: paths: - "**/Cargo.toml" - "**/Cargo.lock" - schedule: - - cron: "0 0 * * *" jobs: security_audit: - if: (github.event_name == 'schedule' && github.repository == 'starship/starship') || (github.event_name != 'schedule') runs-on: ubuntu-latest + strategy: + matrix: + checks: + - advisories + - bans licenses sources + + # Prevent sudden announcement of a new advisory from failing ci: + continue-on-error: ${{ matrix.checks == 'advisories' }} + steps: - name: Setup | Checkout uses: actions/checkout@v3 - - name: Setup | Rust - uses: actions-rs/toolchain@v1.0.7 - with: - toolchain: stable - override: true - profile: minimal - name: Test | Security Audit - uses: actions-rs/audit-check@v1.2.0 + uses: EmbarkStudios/cargo-deny-action@v1.4.0 with: - token: ${{ secrets.GITHUB_TOKEN }} + command: check ${{ matrix.checks }} diff --git a/Cargo.lock b/Cargo.lock index 425bd0ee..8e9d3263 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -224,9 +224,9 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.11.0" +version = "3.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1ad822118d20d2c234f427000d5acc36eabe1e29a348c89b63dd60b13f28e5d" +checksum = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535" [[package]] name = "byteorder" @@ -408,9 +408,9 @@ checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc" [[package]] name = "cpufeatures" -version = "0.2.4" +version = "0.2.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc948ebb96241bb40ab73effeb80d9f93afaad49359d159a5e61be51619fe813" +checksum = "28d997bd5e24a5928dd43e46dc529867e207907fe0b239c3477d924f7f2ca320" dependencies = [ "libc", ] @@ -765,9 +765,18 @@ dependencies = [ [[package]] name = "fragile" -version = "1.2.1" +version = "1.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "85dcb89d2b10c5f6133de2efd8c11959ce9dbb46a2f7a4cab208c4eeda6ce1ab" +checksum = "b7464c5c4a3f014d9b2ec4073650e5c06596f385060af740fc45ad5a19f959e8" +dependencies = [ + "fragile 2.0.0", +] + +[[package]] +name = "fragile" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c2141d6d6c8512188a7891b4b01590a45f6dac67afb4f255c4124dbb86d4eaa" [[package]] name = "futures-core" @@ -1743,7 +1752,7 @@ checksum = "e2be9a9090bc1cac2930688fa9478092a64c6a92ddc6ae0692d46b37d9cab709" dependencies = [ "cfg-if 1.0.0", "downcast", - "fragile", + "fragile 1.2.2", "lazy_static", "mockall_derive", "predicates", diff --git a/deny.toml b/deny.toml new file mode 100644 index 00000000..eb33b74a --- /dev/null +++ b/deny.toml @@ -0,0 +1,43 @@ +[advisories] +vulnerability = "deny" +unmaintained = "warn" +yanked = "warn" +notice = "warn" + +# A list of advisory IDs to ignore. Note that ignored advisories will still +# output a note when they are encountered. +ignore = [ + + + # "RUSTSEC-0000-0000", +] + +[licenses] +# The lint level for crates which do not have a detectable license +unlicensed = "deny" +# List of explicitly allowed licenses +allow = [ + "Apache-2.0 WITH LLVM-exception", + "Apache-2.0", + "BSD-2-Clause", + "BSD-3-Clause", + "ISC", + "MIT-0", + "MIT", + "MPL-2.0", + "Unicode-DFS-2016", + "Unlicense", + "WTFPL", + "Zlib", +] +confidence-threshold = 0.8 + +[bans] +multiple-versions = "allow" +wildcards = "warn" + +[sources] +unknown-registry = "warn" +unknown-git = "warn" +allow-registry = ["https://github.com/rust-lang/crates.io-index"] +allow-git = []