diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 01ee7ab3a..5804e1a60 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -33,6 +33,27 @@ jobs:
 - name: Check all targets
 run: cargo check --all --all-targets --all-features
+ deny-check:
+ name: cargo-deny check
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v1
+ - name: download cargo-deny
+ shell: bash
+ env:
+ DVS: "0.4.0"
+ DREPO: EmbarkStudios/cargo-deny
+ TARGET: x86_64-unknown-linux-musl
+ run: |
+ temp_archive=$(mktemp --suffix=.tar.gz)
+ curl -L --output "$temp_archive" https://github.com/$DREPO/releases/download/$DVS/cargo-deny-$DVS-$TARGET.tar.gz
+
+ tar -xzvf "$temp_archive" -C . --strip-components=1 --wildcards "*/cargo-deny"
+ - name: cargo-deny check licenses
+ run: ./cargo-deny -L debug check license
+ - name: cargo-deny check bans
+ run: ./cargo-deny -L debug check ban
+
 test:
 runs-on: ${{ matrix.os }}
 strategy:
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 000000000..2e6b2e7a8
--- /dev/null
+++ b/deny.toml
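Review bot: The `download cargo-deny` step extracts and then runs a binary fetched with `curl -L` without any integrity check, so a replaced or corrupted release asset would execute in CI with access to the checked-out repository. `DVS` already pins the version, so pin the archive digest beside it and verify it before the `tar` line, e.g. `DSHA256: "<sha256 of the 0.4.0 musl archive>"` (placeholder) under `env:` and `echo "$DSHA256  $temp_archive" | sha256sum --check -` in the script. Adding `--fail` to the curl call would make an HTTP error stop the step at the download instead of surfacing later as a tar error. `actions/checkout@v1` is a movable tag; pinning it to a full commit SHA closes the same gap for the action itself.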
@@ -0,0 +1,57 @@
+[bans]
+multiple-versions = "deny"
+deny = [
+ # color-backtrace is nice but brings in too many dependencies and that are often outdated, so not worth it for us.
+ { name = "color-backtrace" },
+
+ # dirs crate has a lot of dependencies and there are better alternatives
+ { name = "dirs" },
+ { name = "dirs-sys" },
+
+ # deprecated
+ { name = "quickersort" },
+
+ # term is not fully maintained, and termcolor is replacing it
+ { name = "term" },
+]
+skip = [
+ { name = "crossbeam-utils", version = "=0.6.6" },
+]
+skip-tree = [
+ { name = "rand", version = "=0.6.5" },
+ { name = "syn", version = "=0.15.44" },
+]
+
+[licenses]
+unlicensed = "deny"
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 0.92
+allow = [
+ "Apache-2.0",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "MIT",
+ "OpenSSL",
+]
+
+[[licenses.clarify]]
+name = "ring"
+# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
+# https://spdx.org/licenses/OpenSSL.html
+# ISC - Both BoringSSL and ring use this for their new files
+# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
+# license, for third_party/fiat, which, unlike other third_party directories, is
+# compiled into non-test libraries, is included below."
+# OpenSSL - Obviously
+expression = "ISC AND MIT AND OpenSSL"
+license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "ISC"
+license-files = [
+ { path = "LICENSE", hash = 0x001c7e6c },
+]
diff --git a/tests/included_service/Cargo.toml b/tests/included_service/Cargo.toml
index c70a3eb87..63fd80e16 100644
--- a/tests/included_service/Cargo.toml
+++ b/tests/included_service/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Lucio Franco "]
 edition = "2018"
 publish = false
+license = "MIT"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
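Review bot: The `skip` and `skip-tree` entries have no comment saying why each duplicate version is tolerated, unlike the `deny` list above them, so a later reader cannot tell whether an exemption is still needed or has become a stale hole in `multiple-versions = "deny"`. A line such as `# duplicate pulled in via <dependent crate>; remove once the tree converges` above each entry, with the real dependent filled in, would cover it. The two `[[licenses.clarify]]` blocks pin `LICENSE` by hash; a short comment that a hash mismatch after a ring or webpki upgrade means the license text should be re-read before the hash is refreshed would keep that pin from being updated mechanically.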
diff --git a/tests/same_name/Cargo.toml b/tests/same_name/Cargo.toml
index 926997d0b..d96c538c9 100644
--- a/tests/same_name/Cargo.toml
+++ b/tests/same_name/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Lucio Franco "]
 edition = "2018"
 publish = false
+license = "MIT"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
diff --git a/tests/wellknown/Cargo.toml b/tests/wellknown/Cargo.toml
index c48298346..1cd06a11a 100644
--- a/tests/wellknown/Cargo.toml
+++ b/tests/wellknown/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Lucio Franco "]
 edition = "2018"
 publish = false
+license = "MIT"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
diff --git a/tonic-examples/Cargo.toml b/tonic-examples/Cargo.toml
index e5c51802d..807829e18 100644
--- a/tonic-examples/Cargo.toml
+++ b/tonic-examples/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Lucio Franco "]
 edition = "2018"
 publish = false
+license = "MIT"
 [[bin]]
 name = "helloworld-server"
diff --git a/tonic-interop/Cargo.toml b/tonic-interop/Cargo.toml
index 1bf3bc73d..2d6ef9189 100644
--- a/tonic-interop/Cargo.toml
+++ b/tonic-interop/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Lucio Franco "]
 edition = "2018"
 publish = false
+license = "MIT"
 [features]
 default = ["tonic"]