ci: Add cargo-deny job to workflow

Author: Techassi

.github/workflows/boil_build_release.yaml

@@ -16,9 +16,34 @@ env:
   RUST_VERSION: 1.87.0
 
 jobs:
+  # This job is always run to ensure we don't miss any new upstream advisories
+  cargo-deny:
+    name: Run cargo-deny
+    runs-on: ubuntu-latest
+    # Prevent sudden announcement of a new advisory from failing CI
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Run cargo-deny
+        uses: EmbarkStudios/cargo-deny-action@f2ba7abc2abebaf185c833c3961145a3c275caad # v2.0.13
+        with:
+          command: check ${{ matrix.checks }}
+
   create-release:
     name: Create Draft Release
     if: github.event_name == 'push'
+    needs:
+      - cargo-deny
     runs-on: ubuntu-latest
     steps:
       - name: Create Draft Release
@@ -27,6 +52,9 @@ jobs:
           draft: true
 
   build:
+    name: Build boil
+    needs:
+      - create-release
     strategy:
       fail-fast: false
       matrix:

deny.toml

@@ -0,0 +1,57 @@
+# This file is the source of truth for all our repos!
+# This includes repos not templated by operator-templating, please copy/paste the file for this repos.
+
+# TIP: Use "cargo deny check" to check if everything is fine
+
+[graph]
+targets = [
+  { triple = "x86_64-unknown-linux-gnu" },
+  { triple = "aarch64-unknown-linux-gnu" },
+  { triple = "x86_64-unknown-linux-musl" },
+  { triple = "aarch64-apple-darwin" },
+  { triple = "x86_64-apple-darwin" },
+]
+
+[advisories]
+yanked = "deny"
+
+[bans]
+multiple-versions = "allow"
+
+[licenses]
+unused-allowed-license = "allow"
+confidence-threshold = 1.0
+allow = [
+  "Apache-2.0",
+  "BSD-2-Clause",
+  "BSD-3-Clause",
+  "CC0-1.0",
+  "ISC",
+  "LicenseRef-ring",
+  "LicenseRef-webpki",
+  "MIT",
+  "MPL-2.0",
+  "OpenSSL",           # Needed for the ring and/or aws-lc-sys crate. See https://github.com/stackabletech/operator-templating/pull/464 for details
+  "Unicode-3.0",
+  "Unicode-DFS-2016",
+  "Zlib",
+  "Unlicense",
+]
+private = { ignore = true }
+
+[[licenses.clarify]]
+name = "ring"
+expression = "LicenseRef-ring"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "LicenseRef-webpki"
+license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+
+[sources.allow-org]
+github = ["stackabletech"]