ci: add cargo-deny workflow #38

Merged: avifenesh merged 2 commits into main from ci/cargo-deny on Apr 26, 2026
@avifenesh avifenesh commented Apr 26, 2026

Summary

Why

deny.toml landed in #37 with a comment noting "CI integration is a follow-up; this file establishes the policy". This PR closes that follow-up so the policy is actually enforced.

Test plan

  • Workflow runs green on this PR (validates current advisory/license/source state)
  • Future dep bumps that introduce a CVE or banned license break CI

Note

Low Risk
Low risk: adds a GitHub Actions workflow that runs cargo deny check and does not change application code or dependency policy itself.

Overview
Adds a new GitHub Actions workflow, deny.yml, that runs cargo deny check --all-features on pull requests and pushes to main to enforce the existing deny.toml advisory/license/source policy in CI.

The workflow uses pinned SHAs for actions/checkout and EmbarkStudios/cargo-deny-action and logs at warn level.

Reviewed by Cursor Bugbot for commit ef1f03c.

Adds a GitHub Actions workflow that runs cargo-deny check on every
pull request and push to main. Uses the existing deny.toml added in
v0.8.0 so CI now enforces the advisory/license/source policy.

Actions pinned by commit SHA:
- actions/checkout@de0fac2e (v6.0.2)
- EmbarkStudios/cargo-deny-action@91bf2b62 (v2.0.17)

Closes the follow-up noted in deny.toml ("CI integration is a
follow-up; this file establishes the policy").

@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

Comment thread .github/workflows/deny.yml Fixed

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit ef1f03c.

Comment thread .github/workflows/deny.yml
CodeQL + Cursor flagged missing permissions block. cargo-deny only
reads the repo; explicit contents:read matches ci.yml and release.yml.
@avifenesh avifenesh merged commit 28ece17 into main Apr 26, 2026
5 checks passed
@avifenesh avifenesh deleted the ci/cargo-deny branch April 26, 2026 17:55
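
The two hardening points in this thread (actions pinned by commit SHA, and an explicit `permissions` block) can be checked mechanically before a workflow is merged. The lint below is an added example, not code from this PR or repository: `audit_workflow`, both sample workflows and the all-zero/all-one placeholder SHAs are constructed, and it assumes 2-space YAML indentation.

```python
import re

# Constructed samples, not the repository's deny.yml; the 40-character refs
# are placeholders, not the real commit SHAs of either action.
WEAK = """\
on: [pull_request]
jobs:
  deny:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: EmbarkStudios/cargo-deny-action@v2
"""
HARDENED = """\
on: [pull_request]
permissions:
  contents: read
jobs:
  deny:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{a} # v6.0.2
      - uses: EmbarkStudios/cargo-deny-action@{b} # v2.0.17
""".format(a="0" * 40, b="1" * 40)
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")

def audit_workflow(text):
    """Flag actions not pinned to a full commit SHA and jobs without a permissions block."""
    findings, jobs, top_perms, in_jobs, job = [], {}, False, False, None
    for n, line in enumerate(text.splitlines(), 1):
        key, indent = line.strip(), len(line) - len(line.lstrip(" "))
        if not key or key.startswith("#"):
            continue
        if indent == 0:  # assumes 2-space indentation, as in the samples
            in_jobs = key.startswith("jobs:")
            top_perms = top_perms or key.startswith("permissions:")
        elif in_jobs and indent == 2 and key.endswith(":"):
            job = key[:-1]
            jobs[job] = False
        elif in_jobs and indent == 4 and key.startswith("permissions:"):
            jobs[job] = True
        m = USES.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1).rpartition("@")[2]
            if not re.fullmatch(r"[0-9a-f]{40}", ref):
                findings.append(f"line {n}: {m.group(1)} not pinned to a full commit SHA")
    if not top_perms:  # a workflow-level block covers every job
        findings += [f"job {j}: no permissions block" for j, ok in jobs.items() if not ok]
    return findings
```

The check only confirms that a `permissions` block exists and that refs look like full SHAs; it does not verify that a SHA belongs to the named action's repository or that the granted scopes are minimal.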