Copilot AI commented Nov 27, 2025

Issue Addressed

Closes #8408

Proposed Changes

Adds cargo deny to CI to prevent dependency regressions by banning unwanted crates and detecting duplicate versions.

Configuration (deny.toml):

  • Bans legacy crates: ethers, ethereum-types, protobuf
  • Denies duplicate versions of reqwest specifically
  • Warns on other duplicate crates globally
  • Restricts sources to crates.io and sigp GitHub org

CI Integration:

  • Adds cargo-deny to the check-code job's tool list
  • Adds make deny-CI step to run the checks

Makefile:

  • deny-CI — runs cargo deny check bans sources
  • deny / install-deny — local development targets

Additional Info

The http crate currently has duplicates (0.2.12, 1.3.1), so it is not yet added to the deny list. Once consolidated, it can be added with deny-multiple-versions = true.

The multiple-versions = "warn" setting surfaces all duplicate crates as warnings without failing the build, while deny-multiple-versions = true on specific crates (like reqwest) causes hard failures.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • embarkstudios.github.io
    • Triggering command: /usr/bin/curl curl -s REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Run cargo deny or similar on CI</issue_title>
<issue_description>## Description

We're successfully getting our dependencies under control, but it would be nice to prevent regressions.

We could set up cargo deny on CI with a list of "banished" crates that we never want to see again, including:

  • ethers
  • ethereum-types
  • protobuf

There are also other crates, which once we remove duplicate versions, we would like to try to prevent reintroducing duplicates of, e.g.

  • http
  • reqwest

Reducing duplicates of heavy crates (particularly ones with build scripts) is a good way to reduce compilation time, as well as attack surface.
</issue_description>

<agent_instructions>Write as little code as possible to accomplish the task. Now that the reqwest consolidation PR is merged, you can include a deny rule for duplicates of reqwest</agent_instructions>

Comments on the Issue (you are @copilot in this section)


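The description above lists what the new `deny.toml` bans and where it lets dependencies come from, but does not show the file. The configuration below is an added illustration of that policy written against the documented `cargo-deny` `[bans]` and `[sources]` tables; it is not the PR's own `deny.toml`, and the exact key layout, the comment text and the crates.io index URL are assumptions. It is the kind of file that `make deny-CI` (i.e. `cargo deny check bans sources`, per the description) would read from the repository root.

```toml
# Illustrative deny.toml for the policy described in the PR (not the project's file).
# Run with: cargo deny check bans sources

[bans]
# Surface every duplicated crate as a warning. Note that "warn" never fails the
# build; hard failures for duplicates come only from the per-crate
# `deny-multiple-versions = true` entries below.
multiple-versions = "warn"
# Wildcard (`*`) version requirements are not part of this PR's policy; leave the default.
wildcards = "allow"

deny = [
    # Legacy crates that have been removed from the dependency graph and must
    # not come back.
    { crate = "ethers" },
    { crate = "ethereum-types" },
    { crate = "protobuf" },

    # Already consolidated to a single version: reintroducing a second version
    # fails the check rather than just warning.
    { crate = "reqwest", deny-multiple-versions = true },

    # `http` still resolves to two versions (0.2.x and 1.x in the PR text), so a
    # hard rule would fail today. Once it is consolidated, enable this entry:
    # { crate = "http", deny-multiple-versions = true },
]

[sources]
# Anything not in an explicit allow list below is a hard error.
unknown-registry = "deny"
unknown-git = "deny"
# crates.io index URL as used by cargo-deny's default allow list (assumed).
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# No individual git repositories are allowed; only the organisation below.
allow-git = []

[sources.allow-org]
# Git dependencies are permitted only from the sigp GitHub organisation.
github = ["sigp"]
```

Two points worth checking when adopting a file like this: `cargo deny check bans` must actually be invoked with the `bans` and `sources` subcommands (the plain `cargo deny check` also runs `advisories` and `licenses`, which this PR does not configure), and a global `multiple-versions = "warn"` produces output that is easy to ignore in CI logs, so each crate that has been deduplicated should be promoted to its own `deny-multiple-versions = true` entry as the description proposes for `http`.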


cla-assistant bot commented Nov 27, 2025

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.


Copilot AI changed the title [WIP] Add cargo deny setup to CI for banned crates Run cargo deny on CI Nov 27, 2025
Copilot AI requested a review from michaelsproul November 27, 2025 05:41
Copilot finished work on behalf of michaelsproul November 27, 2025 05:41
@michaelsproul michaelsproul marked this pull request as ready for review November 27, 2025 05:50

@jimmygchen jimmygchen left a comment

🤖 The PR description includes "Closes #6164" but that issue is about PeerDAS proposer peer counts, not cargo deny. Should only reference "Fixes #8408".

The PR description mentions the http crate duplicates will be added to the deny list later. Is there a GitHub issue to track this follow-up work?
