From c2c8108679552d80b16cbaef11f79d0692089b31 Mon Sep 17 00:00:00 2001 From: Jerry Xie Date: Tue, 12 May 2026 15:20:20 -0500 Subject: [PATCH 1/8] Add cargo-vet and cargo-deny supply-chain security --- .github/workflows/cargo-vet-pr-comment.yml | 137 +++++++++++++++++++++ .github/workflows/cargo-vet.yml | 53 ++++++++ supply-chain/audits.toml | 3 + supply-chain/config.toml | 13 ++ supply-chain/imports.lock | 7 ++ 5 files changed, 213 insertions(+) create mode 100644 .github/workflows/cargo-vet-pr-comment.yml create mode 100644 .github/workflows/cargo-vet.yml create mode 100644 supply-chain/audits.toml create mode 100644 supply-chain/config.toml create mode 100644 supply-chain/imports.lock diff --git a/.github/workflows/cargo-vet-pr-comment.yml b/.github/workflows/cargo-vet-pr-comment.yml new file mode 100644 index 0000000..ba9caa4 --- /dev/null +++ b/.github/workflows/cargo-vet-pr-comment.yml @@ -0,0 +1,137 @@ +# This workflow triggers after cargo-vet workflow has run. +# It adds a comment to the PR with the results of the cargo vet run. +# It first adds a comment if the cargo vet run fails, +# and updates the comment if the cargo vet run succeeds after having failed at least once. + +name: Cargo vet PR comment + +on: + workflow_run: + workflows: [cargo-vet] + types: + - completed + +permissions: + contents: read + pull-requests: write + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + + find-pr-comment: + # This job runs when the cargo-vet job fails or succeeds + # It will download the artifact from the failed job and post a comment on the PR + runs-on: ubuntu-latest + outputs: + comment-id: ${{ steps.get-comment-id.outputs.comment-id }} + pr-number: ${{ steps.get-pr-number.outputs.pr_number }} + if: github.event.workflow_run.event == 'pull_request' + steps: + - name: 'Download artifact' + uses: actions/download-artifact@v4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + name: pr + path: pr/ + run-id: ${{ github.event.workflow_run.id }} + + - name: 'Get PR number' + id: get-pr-number + run: echo "pr_number=$(cat ./pr/NR)" >> $GITHUB_OUTPUT + + - name: 'Find existing comment' + id: find-comment + uses: peter-evans/find-comment@v3 + with: + issue-number: ${{ steps.get-pr-number.outputs.pr_number }} + comment-author: 'github-actions[bot]' + body-includes: 'comment-tag: [cargo-vet]' + + - name: 'Get comment ID' + id: get-comment-id + if: ${{ steps.find-comment.outputs.comment-id != '' }} + run: echo "comment-id=${{ steps.find-comment.outputs.comment-id }}" >> $GITHUB_OUTPUT + + post-comment-failure: + # This job runs when the cargo-vet job fails + # It will download the artifact from the failed job and post a comment on the PR + runs-on: ubuntu-latest + needs: find-pr-comment + if: github.event.workflow_run.conclusion == 'failure' + steps: + - name: 'Comment on PR - Failure' + uses: peter-evans/create-or-update-comment@v4 + with: + comment-id: ${{ needs.find-pr-comment.outputs.comment-id }} + issue-number: ${{ needs.find-pr-comment.outputs.pr-number }} + body: | + # Cargo Vet Audit Failed + + `cargo vet` has failed in this PR. Please run `cargo vet --locked` locally to check for new or updated unvetted dependencies. + Details about the vetting process can be found in [supply-chain/README.md](../blob/main/supply-chain/README.md) + + ## If the unvetted dependencies are not needed + Please modify Cargo.toml file to avoid including the dependencies. + + ## If the unvetted dependencies are needed + Post a new comment with the questionnaire below to the PR to help the auditors vet the dependencies. + After the auditors have vetted the dependencies, the PR will need to be rebased to pick up the new audits and pass this check. + + ### Copy and paste the questionnaire as a new comment and provide your answers: + + **1. What crates (with version) need to be audited?** + + **2. How many of the crates are version updates vs new dependencies?** + + **3. To confirm none of the already included crates serve your needs, please provide a brief description of the purpose of the new crates.** + + **4. Any extra notes to the auditors to help with their audits.** + + + edit-mode: replace + + - name: 'Label PR' + uses: actions/github-script@v7 + with: + script: | + github.rest.issues.addLabels({ + issue_number: ${{ needs.find-pr-comment.outputs.pr-number }}, + owner: context.repo.owner, + repo: context.repo.repo, + labels: ['cargo vet'] + }) + + post-comment-success: + # This job runs when the cargo-vet job succeeds + # It will update the comment on the PR with a success message + runs-on: ubuntu-latest + needs: find-pr-comment + if: github.event.workflow_run.conclusion == 'success' + steps: + - name: 'Comment on PR - Success' + # Only update the comment if it exists + # This is to avoid creating a new comment if the cargo-vet job has never failed before + if: ${{ needs.find-pr-comment.outputs.comment-id }} + uses: peter-evans/create-or-update-comment@v4 + with: + comment-id: ${{ needs.find-pr-comment.outputs.comment-id }} + issue-number: ${{ needs.find-pr-comment.outputs.pr-number }} + body: | + # Cargo Vet Audit Passed + `cargo vet` has passed in this PR. No new unvetted dependencies were found. + + + edit-mode: replace diff --git a/.github/workflows/cargo-vet.yml b/.github/workflows/cargo-vet.yml new file mode 100644 index 0000000..8d825aa --- /dev/null +++ b/.github/workflows/cargo-vet.yml @@ -0,0 +1,53 @@ +# This workflow runs whenever a PR is opened or updated. It runs cargo vet to check for unvetted dependencies in the Cargo.lock file. +permissions: + contents: read +on: + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +name: cargo-vet +jobs: + vet: + # cargo-vet checks for unvetted dependencies in the Cargo.lock file + # This is to ensure that new dependencies are vetted before they are added to the project + name: vet-dependencies + runs-on: ubuntu-latest + env: + CARGO_VET_VERSION: 0.10.1 + + steps: + - uses: actions/checkout@v4 + with: + submodules: true + + - uses: actions/cache@v4 + with: + path: ${{ runner.tool_cache }}/cargo-vet + key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }} + + - name: Add the tool cache directory to the search path + run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH + + - name: Ensure that the tool cache is populated with the cargo-vet binary + run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet + + - name: Invoke cargo-vet + run: cargo vet --locked + + - name: Save PR number + # PR number is saved as an artifact so it can be used to determine the PR to comment on by the vet-pr-comment workflow + # vet-pr-comment workflow is triggered by the workflow_run event so it runs in the context of the base branch and not the PR branch + if: ${{ failure() }} || ${{ success() }} + run: | + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/NR + - uses: actions/upload-artifact@v4 + # Need to upload the artifact in both success and failure cases so comment can be updated in either case + if: ${{ failure() }} || ${{ success() }} + with: + name: pr + path: pr/ + overwrite: true diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml new file mode 100644 index 0000000..bb0e94c --- /dev/null +++ b/supply-chain/audits.toml @@ -0,0 +1,3 @@ +# cargo-vet audits file + +[audits] diff --git a/supply-chain/config.toml b/supply-chain/config.toml new file mode 100644 index 0000000..f5150e2 --- /dev/null +++ b/supply-chain/config.toml @@ -0,0 +1,13 @@ +# cargo-vet config file + +[cargo-vet] +version = "0.10" + +[imports.OpenDevicePartnership] +url = "https://raw.githubusercontent.com/OpenDevicePartnership/rust-crate-audits/main/audits.toml" + +[imports.google] +url = "https://raw.githubusercontent.com/google/rust-crate-audits/main/audits.toml" + +[imports.mozilla] +url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock new file mode 100644 index 0000000..04903c1 --- /dev/null +++ b/supply-chain/imports.lock @@ -0,0 +1,7 @@ +# cargo-vet imports lock + +[audits.OpenDevicePartnership.audits] + +[audits.google.audits] + +[audits.mozilla.audits] From 779e91d0f3a9e44ff823e03efbf52216c19173c2 Mon Sep 17 00:00:00 2001 From: Jerry Xie <139205137+jerrysxie@users.noreply.github.com> Date: Sun, 17 May 2026 17:53:38 -0500 Subject: [PATCH 2/8] Add supply-chain/README.md --- supply-chain/README.md | 83 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 supply-chain/README.md diff --git a/supply-chain/README.md b/supply-chain/README.md new file mode 100644 index 0000000..07d41ff --- /dev/null +++ b/supply-chain/README.md @@ -0,0 +1,83 @@ +# Working with cargo vet + +## Introduction + +`cargo vet` is a tool to help ensure that third-party Rust dependencies have been audited by a trusted entity. +It matches all dependencies against a set of audits conducted by the authors of the project or entities they trust. +To learn more, visit [mozilla/cargo-vet](https://github.com/mozilla/cargo-vet) + +--- + +## Adding a new dependency + +When updating or adding a new dependency, we need to ensure it's audited before being merged into main. +For our repositories, we have designated experts who are responsible for vetting any new dependencies being added to their repository. +_It is the shared responsibility of the developer creating the PR and the auditors to conduct a successful audit._ +Follow the process below to ensure compliance: + +### For Developers +1. **Respond to `cargo vet` failures**: + - If your PR fails the `cargo vet` step, the cargo-vet workflow will add a comment to the PR with a template questionnaire + - Copy the questionnaire, fill it out and paste it as a new comment on the PR. This greatly helps the auditors get some context of the changes requiring the new dependencies + +2. **Engage with auditors**: + - Respond to any questions that the auditors might have regarding the need of any new dependencies + +3. **Rebase and verify**: + - At their discretion, auditors will check in their audits into either [rust-crate-audits](https://github.com/OpenDevicePartnership/rust-crate-audits) or into the same repository + - Once the new audits have been merged, rebase your branch on main and verify it passes `cargo vet` + ```bash + git fetch upstream + git rebase upstream/main + cargo vet + ``` + +4. **Update PR**: + - If the audits were checked into rust-crate-audits, they will show up in _imports.lock_ on running `cargo vet`. In this case add the updated _imports.lock_ to your PR + - If the audits were checked into the same repository, they will be present in _audits.toml_ after rebase and you can simply force push to your PR after rebase + ```bash + git push -f + ``` + +5. **Check PR status**: + - The existing PR comment from the previous failure will be updated with a success message once the check passes + +### For Auditors + +1. **Review the questionnaire**: + - Check the filled questionnaire on the PR once the developer responds to the `cargo vet` failure + - Respond to the developer comment in case more information is needed + +2. **Audit new dependencies**: + - Inspect the `cargo vet` failures using your preferred method + - Use [gh pr checkout](https://cli.github.com/manual/gh_pr_checkout) to checkout the PR and run `cargo vet --locked` + - Use [Github Pull Requests for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-pull-request-github) to checkout the PR and run `cargo vet --locked` + - For more suggestions: [Checking out pull requests locally](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally) + +3. **Follow `cargo vet` recommendations**: + - Follow the recommendations of the `cargo vet` command output, either `cargo vet diff` for version update or `cargo vet inspect` for new dependencies + +4. **Record audits**: + - Use `cargo vet certify` to add new audits to _audits.toml_ + - Verify all dependencies pass using `cargo vet` + +5. **Decide audit location**: + - **Shared audits**: New audits should ideally be shared across ODP repositories to reduce the overhead of multiple audits for the same dependencies. To facilitate this, it's recommended to cut and paste the new audits and submit as a separate PR to the _audits.toml_ in [rust-crate-audits](https://github.com/OpenDevicePartnership/rust-crate-audits) + - If due to business reasons, the audits are not to be shared across repositories, copy the updated _audits.toml_ to a new branch off main in the same repository and submit the PR to update the audits + +6. **Communicate successful audit**: + - Communicate to the PR developer via a PR comment so they can update the PR and get `cargo vet` to pass + +--- + +## Tips for using `cargo vet`: + +- **Update _imports.lock_**: + - Import trusted third party audits to reduce the number of new audits to be performed. Running `cargo vet` without `--locked` fetches new imports and updates _imports.lock_ with any audits that are helpful for our project. + +- **Add exemptions**: + - If an audit cannot be performed for some dependency due to time sensitivity or business justified reasons, use `cargo vet add-exemption ` to add the dependency to exemptions in _config.toml_ + - To add all remaining audits to exemptions at once, use `cargo vet regenerate exemptions` + +- **Prune unnecessary entries**: + - Remove unnecessary exemptions and imports using `cargo vet prune` From baaa6a6b84e599b52e665948c895c4616fd75abf Mon Sep 17 00:00:00 2001 From: Jerry Xie <139205137+jerrysxie@users.noreply.github.com> Date: Sun, 17 May 2026 18:46:00 -0500 Subject: [PATCH 3/8] Fix supply-chain file formatting for cargo vet --- supply-chain/config.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index f5150e2..55618c2 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -1,3 +1,4 @@ + # cargo-vet config file [cargo-vet] From cf5223c1447c54e3233ed742bc5ecccb0a8c22a2 Mon Sep 17 00:00:00 2001 From: Jerry Xie <139205137+jerrysxie@users.noreply.github.com> Date: Sun, 17 May 2026 18:46:02 -0500 Subject: [PATCH 4/8] Fix supply-chain file formatting for cargo vet --- supply-chain/audits.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index bb0e94c..2772ccb 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -1,3 +1,4 @@ + # cargo-vet audits file [audits] From e35d8ecb0eeb403cd042a1a6f42b58bef23bbd70 Mon Sep 17 00:00:00 2001 From: Jerry Xie <139205137+jerrysxie@users.noreply.github.com> Date: Sun, 17 May 2026 18:46:03 -0500 Subject: [PATCH 5/8] Fix supply-chain file formatting for cargo vet --- supply-chain/imports.lock | 1 + 1 file changed, 1 insertion(+) diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 04903c1..219dba4 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1,3 +1,4 @@ + # cargo-vet imports lock [audits.OpenDevicePartnership.audits] From 1a22489a68b626250c19dc81bebdc5dbd04882d6 Mon Sep 17 00:00:00 2001 From: Jerry Xie Date: Tue, 26 May 2026 10:31:49 -0500 Subject: [PATCH 6/8] Add cargo-vet audits and certifications for all dependencies --- supply-chain/audits.toml | 108 ++++++- supply-chain/config.toml | 6 + supply-chain/imports.lock | 608 +++++++++++++++++++++++++++++++++++++- 3 files changed, 718 insertions(+), 4 deletions(-) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 2772ccb..7b2d821 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -1,4 +1,110 @@ # cargo-vet audits file -[audits] +[[audits.defmt]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "0.3.100 -> 0.3.10" +notes = "Downgrade delta from compat shim to full impl. Unsafe FFI to linker-provided logger symbols is sound. build.rs writes linker script to OUT_DIR only. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.defmt]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "0.3.100 -> 0.3.10" +notes = "Downgrade delta from compat shim to full impl. Unsafe FFI to logger symbols is sound. build.rs writes linker script to OUT_DIR only. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.defmt-macros]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "1.0.1 -> 0.4.0" +notes = "Downgrade delta: removes configurable defmt crate path. No unsafe, no powerful imports. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.defmt-macros]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "1.0.1 -> 0.4.0" +notes = "Downgrade delta: removes configurable defmt crate path. No unsafe, no powerful imports. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.defmt-parser]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "1.0.0 -> 0.4.1" +notes = "Downgrade delta: removes Cbor display hint variant. No unsafe, no build script, no powerful imports. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.defmt-parser]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "1.0.0 -> 0.4.1" +notes = "Downgrade delta: removes Cbor display hint variant. No unsafe, no build script. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.embedded-hal-mock]] +who = "Jerry Xie " +criteria = "safe-to-run" +delta = "0.8.0 -> 0.11.1" +notes = "Delta: adds embedded-hal 1.x support. No unsafe, no network/fs access. Test mock infrastructure. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.embedded-time]] +who = "Jerry Xie " +criteria = "safe-to-run" +version = "0.12.1" +notes = "Full audit: no_std embedded time library. deny(unsafe_code). No build script, no ambient capabilities. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.num]] +who = "Jerry Xie " +criteria = "safe-to-run" +delta = "0.4.0 -> 0.3.1" +notes = "Downgrade delta: version and dep changes only. no_std meta-crate. No unsafe, no build script. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.num-complex]] +who = "Jerry Xie " +criteria = "safe-to-run" +delta = "0.4.2 -> 0.3.1" +notes = "Downgrade delta: removes ComplexFloat trait, bytemuck support. Strict feature subset, no unsafe. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.num-rational]] +who = "Jerry Xie " +criteria = "safe-to-run" +delta = "0.4.1 -> 0.3.2" +notes = "Downgrade delta: removes Default impl, ldexp helper. Pure math, no unsafe. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.syn]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "2.0.109 -> 2.0.99" +notes = "Downgrade delta: parser logic adjustments. Pre-existing unsafe in buffer.rs unchanged. No build script, no ambient capabilities. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.syn]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "2.0.109 -> 2.0.99" +notes = "Downgrade delta: parser logic adjustments. Pre-existing unsafe unchanged. No build script. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.thiserror]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "2.0.17 -> 2.0.12" +notes = "Downgrade delta: simplifies build.rs OUT_DIR codegen. No unsafe. Build script limited to OUT_DIR and rustc probes. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.thiserror]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "2.0.17 -> 2.0.12" +notes = "Downgrade delta: simplifies build.rs. No unsafe. Build script limited to OUT_DIR. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.thiserror-impl]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "2.0.17 -> 2.0.12" +notes = "Downgrade delta: removes versioned __privateN module path. No unsafe. Proc-macro generates safe code. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.thiserror-impl]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "2.0.17 -> 2.0.12" +notes = "Downgrade delta: removes versioned __privateN module path. No unsafe. Proc-macro generates safe code. Assisted-by: copilot-cli:claude-opus-4.6" + +[[audits.tokio]] +who = "Jerry Xie " +criteria = "safe-to-run" +delta = "1.51.1 -> 1.52.1" +notes = "Delta: io-uring File read, eager driver handoff, trace_with API. All new unsafe is sound. No new deps. Assisted-by: copilot-cli:claude-opus-4.6" diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 55618c2..e72dc26 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -7,8 +7,14 @@ version = "0.10" [imports.OpenDevicePartnership] url = "https://raw.githubusercontent.com/OpenDevicePartnership/rust-crate-audits/main/audits.toml" +[imports.bytecode-alliance] +url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [imports.google] url = "https://raw.githubusercontent.com/google/rust-crate-audits/main/audits.toml" [imports.mozilla] url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" + +[policy.bq25773] +audit-as-crates-io = false diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 219dba4..5a9e03b 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1,8 +1,610 @@ # cargo-vet imports lock -[audits.OpenDevicePartnership.audits] +[[audits.OpenDevicePartnership.audits.bitfield-struct]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +version = "0.10.1" +notes = "Proc-macro crate generating safe bitfield structs. No unsafe, no build script. Standard proc-macro deps only. Assisted-by: copilot-cli:claude-opus-4.6 cargo-vet" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" -[audits.google.audits] +[[audits.OpenDevicePartnership.audits.bitfield-struct]] +who = "matteotullo " +criteria = "safe-to-deploy" +delta = "0.10.1 -> 0.12.1" +notes = "Adds hash and bitenum derives, mostly parsing and refactoring changes. No code execution nor writing to the filesystem." +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" -[audits.mozilla.audits] +[[audits.OpenDevicePartnership.audits.defmt]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +version = "0.3.100" +notes = "Compatibility shim: no_std crate that re-exports defmt 1.x items for 0.3 API compatibility. No unsafe code, no build script, no powerful imports, no logic - pure pub-use re-exports. Assisted-by: copilot-cli:claude-opus-4.6 cargo-vet" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.defmt-macros]] +who = "Felipe Balbi " +criteria = "safe-to-deploy" +version = "1.0.1" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/mcxa-pac/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.defmt-parser]] +who = "Felipe Balbi " +criteria = "safe-to-deploy" +version = "1.0.0" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/mcxa-pac/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.device-driver]] +who = "Felipe Balbi " +criteria = "safe-to-deploy" +version = "1.0.9" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/tps6699x/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.embedded-batteries]] +who = "matteotullo " +criteria = "safe-to-deploy" +version = "0.3.4" +notes = "ODP crates are always trusted." +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.embedded-batteries-async]] +who = "matteotullo " +criteria = "safe-to-deploy" +version = "0.3.4" +notes = "ODP crates are always trusted." +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.embedded-hal]] +who = "Felipe Balbi " +criteria = "safe-to-deploy" +version = "0.2.7" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/mcxa-pac/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.embedded-hal]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "0.2.7 -> 1.0.0" +notes = "Pure no_std trait crate. Complete API redesign for 1.0: removed nb-based traits, CAN module, all unsafe code. Only defines traits/enums/types for digital, I2C, SPI, PWM, delay. No build script, no proc macros, no powerful imports. Assisted-by: copilot-cli:claude-opus-4.6 cargo-vet" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.embedded-hal-async]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +version = "1.0.0" +notes = "no_std async HAL trait definitions. No unsafe in library. Build script only runs rustc --version. Assisted-by: copilot-cli:claude-opus-4.6 cargo-vet" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.embedded-hal-nb]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +version = "1.0.0" +notes = "no_std trait-only crate. No unsafe, no build script, no proc macros, no powerful imports. Assisted-by: copilot-cli:claude-opus-4.6 cargo-vet" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.embedded-io-async]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +version = "0.6.1" +notes = "No unsafe. Build script only detects nightly via rustc --version. Pure async trait definitions for embedded I/O. Assisted-by: copilot-cli:claude-opus-4.6 cargo-vet" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.num-iter]] +who = "Jerry Xie " +criteria = "safe-to-deploy" +delta = "0.1.43 -> 0.1.45" +notes = "Delta audit: edition upgrade to 2018, MSRV 1.31, build.rs removed, i128 now unconditional, DoubleEndedIterator uses Integer::dec(). No unsafe, no powerful imports, no_std only. Assisted-by: copilot-cli:claude-opus-4.6 cargo-vet" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.proc-macro-error-attr2]] +who = "Felipe Balbi " +criteria = "safe-to-deploy" +version = "2.0.0" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/mcxa-pac/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.proc-macro-error2]] +who = "Felipe Balbi " +criteria = "safe-to-deploy" +version = "2.0.1" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/mcxa-pac/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.syn]] +who = "Felipe Balbi " +criteria = "safe-to-deploy" +version = "2.0.109" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/mcxa-pac/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.thiserror]] +who = "Felipe Balbi " +criteria = "safe-to-deploy" +version = "2.0.17" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/mcxa-pac/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.thiserror-impl]] +who = "Felipe Balbi " +criteria = "safe-to-deploy" +version = "2.0.17" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/mcxa-pac/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.tokio]] +who = "Robert Zieba " +criteria = "safe-to-run" +version = "1.45.0" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.tokio]] +who = "Felipe Balbi " +criteria = "safe-to-run" +delta = "1.45.0 -> 1.51.1" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-mcu/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.tokio-macros]] +who = "Robert Zieba " +criteria = "safe-to-run" +version = "2.5.0" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-services/refs/heads/main/supply-chain/audits.toml" + +[[audits.OpenDevicePartnership.audits.tokio-macros]] +who = "Felipe Balbi " +criteria = "safe-to-run" +delta = "2.5.0 -> 2.7.0" +aggregated-from = "https://raw.githubusercontent.com/OpenDevicePartnership/embedded-mcu/refs/heads/main/supply-chain/audits.toml" + +[[audits.bytecode-alliance.audits.bitflags]] +who = "Jamey Sharp " +criteria = "safe-to-deploy" +delta = "2.1.0 -> 2.2.1" +notes = """ +This version adds unsafe impls of traits from the bytemuck crate when built +with that library enabled, but I believe the impls satisfy the documented +safety requirements for bytemuck. The other changes are minor. +""" + +[[audits.bytecode-alliance.audits.bitflags]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.3.2 -> 2.3.3" +notes = """ +Nothing outside the realm of what one would expect from a bitflags generator, +all as expected. +""" + +[[audits.bytecode-alliance.audits.bitflags]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.4.1 -> 2.6.0" +notes = """ +Changes in how macros are invoked and various bits and pieces of macro-fu. +Otherwise no major changes and nothing dealing with `unsafe`. +""" + +[[audits.bytecode-alliance.audits.bitflags]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.7.0 -> 2.9.4" +notes = "Tweaks to the macro, nothing out of order." + +[[audits.bytecode-alliance.audits.embedded-io]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.4.0" +notes = "No `unsafe` code and only uses `std` in ways one would expect the crate to do so." + +[[audits.bytecode-alliance.audits.embedded-io]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.6.1" +notes = "Major updates, but almost all safe code. Lots of pruning/deletions, nothing out of the ordrinary." + +[[audits.bytecode-alliance.audits.num-traits]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.2.19" +notes = "As advertised: a numeric library. The only `unsafe` is from some float-to-int conversions, which seems expected." + +[[audits.bytecode-alliance.audits.pin-project-lite]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.2.13 -> 0.2.14" +notes = "No substantive changes in this update" + +[[audits.google.audits.autocfg]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "Contains no unsafe" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.bitflags]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.3.2" +notes = """ +Security review of earlier versions of the crate can be found at +(Google-internal, sorry): go/image-crate-chromium-security-review + +The crate exposes a function marked as `unsafe`, but doesn't use any +`unsafe` blocks (except for tests of the single `unsafe` function). I +think this justifies marking this crate as `ub-risk-1`. + +Additional review comments can be found at https://crrev.com/c/4723145/31 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.embedded-hal-mock]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.8.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.nb]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.nb]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +delta = "1.0.0 -> 0.1.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.nb]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +delta = "1.0.0 -> 1.1.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.num-integer]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "0.1.46" +notes = "Contains no unsafe" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.num-iter]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.1.43" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.2.9" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.13" +notes = "Audited at https://fxrev.dev/946396" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.78" +notes = """ +Grepped for "crypt", "cipher", "fs", "net" - there were no hits +(except for a benign "fs" hit in a doc comment) + +Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.78 -> 1.0.79" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.79 -> 1.0.80" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.80 -> 1.0.81" +notes = "Comment changes only" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.81 -> 1.0.82" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.82 -> 1.0.83" +notes = "Substantive change is replacing String with Box, saving memory." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.83 -> 1.0.84" +notes = "Only doc comment changes in `src/lib.rs`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +delta = "1.0.84 -> 1.0.85" +notes = "Test-only changes." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.85 -> 1.0.86" +notes = """ +Comment-only changes in `build.rs`. +Reordering of `Cargo.toml` entries. +Just bumping up the version number in `lib.rs`. +Config-related changes in `test_size.rs`. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.86 -> 1.0.87" +notes = "No new unsafe interactions." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Liza Burakova ", + "Erich Gubler ", +] +criteria = "safe-to-deploy" +delta = "2.6.0 -> 2.7.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Benjamin VanderSloot " +criteria = "safe-to-deploy" +delta = "2.9.4 -> 2.10.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.4.0" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-complex]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.4.2" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-rational]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.4.1" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.pin-project-lite]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +delta = "0.2.14 -> 0.2.16" +notes = """ +Only functional change is to work around a bug in the negative_impls feature +(https://github.com/taiki-e/pin-project/issues/340#issuecomment-2432146009) +""" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.zerocopy]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.7.32" +notes = """ +This crate is `no_std` so doesn't use any side-effectful std functions. It +contains quite a lot of `unsafe` code, however. I verified portions of this. It +also has a large, thorough test suite. The project claims to run tests with +Miri to have stronger soundness checks, and also claims to use formal +verification tools to prove correctness. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.zerocopy]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.7.32 -> 0.8.27" +notes = """ +These changes are enormous, however unsafe code is kept somewhat minimal in +comparison. The safety properties of unsafe code blocks, traits, and other +types are thoroughly documented. The new build script is safe. All code is very +thoroughly tested. I expect their test coverage is quite high. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.zerocopy-derive]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.7.32" +notes = "Clean, safe macros for zerocopy." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.zerocopy-derive]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.7.32 -> 0.8.27" +notes = """ +There are a lot of changes here, however they look reasonable. Unsafe code is +heavily documented, and there are extensive tests for the changes. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" From b8fb360489319db17555f3c0bfe44768b97d2cd8 Mon Sep 17 00:00:00 2001 From: Jerry Xie <139205137+jerrysxie@users.noreply.github.com> Date: Tue, 26 May 2026 14:42:20 -0500 Subject: [PATCH 7/8] Update cargo-vet to 0.10.2 --- .github/workflows/cargo-vet.yml | 54 +-------------------------------- 1 file changed, 1 insertion(+), 53 deletions(-) diff --git a/.github/workflows/cargo-vet.yml b/.github/workflows/cargo-vet.yml index 8d825aa..17b646c 100644 --- a/.github/workflows/cargo-vet.yml +++ b/.github/workflows/cargo-vet.yml @@ -1,53 +1 @@ -# This workflow runs whenever a PR is opened or updated. It runs cargo vet to check for unvetted dependencies in the Cargo.lock file. -permissions: - contents: read -on: - pull_request: - -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} - cancel-in-progress: true - -name: cargo-vet -jobs: - vet: - # cargo-vet checks for unvetted dependencies in the Cargo.lock file - # This is to ensure that new dependencies are vetted before they are added to the project - name: vet-dependencies - runs-on: ubuntu-latest - env: - CARGO_VET_VERSION: 0.10.1 - - steps: - - uses: actions/checkout@v4 - with: - submodules: true - - - uses: actions/cache@v4 - with: - path: ${{ runner.tool_cache }}/cargo-vet - key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }} - - - name: Add the tool cache directory to the search path - run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH - - - name: Ensure that the tool cache is populated with the cargo-vet binary - run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet - - - name: Invoke cargo-vet - run: cargo vet --locked - - - name: Save PR number - # PR number is saved as an artifact so it can be used to determine the PR to comment on by the vet-pr-comment workflow - # vet-pr-comment workflow is triggered by the workflow_run event so it runs in the context of the base branch and not the PR branch - if: ${{ failure() }} || ${{ success() }} - run: | - mkdir -p ./pr - echo ${{ github.event.number }} > ./pr/NR - - uses: actions/upload-artifact@v4 - # Need to upload the artifact in both success and failure cases so comment can be updated in either case - if: ${{ failure() }} || ${{ success() }} - with: - name: pr - path: pr/ - overwrite: true +# This workflow runs whenever a PR is opened or updated. It runs cargo vet to check for unvetted dependencies in the Cargo.lock file. permissions: contents: read on: pull_request: concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true name: cargo-vet jobs: vet: # cargo-vet checks for unvetted dependencies in the Cargo.lock file # This is to ensure that new dependencies are vetted before they are added to the project name: vet-dependencies runs-on: ubuntu-latest env: CARGO_VET_VERSION: 0.10.2 steps: - uses: actions/checkout@v4 with: submodules: true - uses: actions/cache@v4 with: path: ${{ runner.tool_cache }}/cargo-vet key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }} - name: Add the tool cache directory to the search path run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH - name: Ensure that the tool cache is populated with the cargo-vet binary run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet - name: Invoke cargo-vet run: cargo vet --locked - name: Save PR number # PR number is saved as an artifact so it can be used to determine the PR to comment on by the vet-pr-comment workflow # vet-pr-comment workflow is triggered by the workflow_run event so it runs in the context of the base branch and not the PR branch if: ${{ failure() }} || ${{ success() }} run: | mkdir -p ./pr echo ${{ github.event.number }} > ./pr/NR - uses: actions/upload-artifact@v4 # Need to upload the artifact in both success and failure cases so comment can be updated in either case if: ${{ failure() }} || ${{ success() }} with: name: pr path: pr/ overwrite: true \ No newline at end of file From d9e972fcb31ce9f091f7220c97d2322c2bfe6583 Mon Sep 17 00:00:00 2001 From: Jerry Xie <139205137+jerrysxie@users.noreply.github.com> Date: Tue, 26 May 2026 17:28:55 -0500 Subject: [PATCH 8/8] Fix cargo-vet.yml formatting --- .github/workflows/cargo-vet.yml | 54 ++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cargo-vet.yml b/.github/workflows/cargo-vet.yml index 17b646c..98aca0a 100644 --- a/.github/workflows/cargo-vet.yml +++ b/.github/workflows/cargo-vet.yml @@ -1 +1,53 @@ -# This workflow runs whenever a PR is opened or updated. It runs cargo vet to check for unvetted dependencies in the Cargo.lock file. permissions: contents: read on: pull_request: concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true name: cargo-vet jobs: vet: # cargo-vet checks for unvetted dependencies in the Cargo.lock file # This is to ensure that new dependencies are vetted before they are added to the project name: vet-dependencies runs-on: ubuntu-latest env: CARGO_VET_VERSION: 0.10.2 steps: - uses: actions/checkout@v4 with: submodules: true - uses: actions/cache@v4 with: path: ${{ runner.tool_cache }}/cargo-vet key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }} - name: Add the tool cache directory to the search path run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH - name: Ensure that the tool cache is populated with the cargo-vet binary run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet - name: Invoke cargo-vet run: cargo vet --locked - name: Save PR number # PR number is saved as an artifact so it can be used to determine the PR to comment on by the vet-pr-comment workflow # vet-pr-comment workflow is triggered by the workflow_run event so it runs in the context of the base branch and not the PR branch if: ${{ failure() }} || ${{ success() }} run: | mkdir -p ./pr echo ${{ github.event.number }} > ./pr/NR - uses: actions/upload-artifact@v4 # Need to upload the artifact in both success and failure cases so comment can be updated in either case if: ${{ failure() }} || ${{ success() }} with: name: pr path: pr/ overwrite: true \ No newline at end of file +# This workflow runs whenever a PR is opened or updated. It runs cargo vet to check for unvetted dependencies in the Cargo.lock file. +permissions: + contents: read +on: + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +name: cargo-vet +jobs: + vet: + # cargo-vet checks for unvetted dependencies in the Cargo.lock file + # This is to ensure that new dependencies are vetted before they are added to the project + name: vet-dependencies + runs-on: ubuntu-latest + env: + CARGO_VET_VERSION: 0.10.2 + + steps: + - uses: actions/checkout@v4 + with: + submodules: true + + - uses: actions/cache@v4 + with: + path: ${{ runner.tool_cache }}/cargo-vet + key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }} + + - name: Add the tool cache directory to the search path + run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH + + - name: Ensure that the tool cache is populated with the cargo-vet binary + run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet + + - name: Invoke cargo-vet + run: cargo vet --locked + + - name: Save PR number + # PR number is saved as an artifact so it can be used to determine the PR to comment on by the vet-pr-comment workflow + # vet-pr-comment workflow is triggered by the workflow_run event so it runs in the context of the base branch and not the PR branch + if: ${{ failure() }} || ${{ success() }} + run: | + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/NR + - uses: actions/upload-artifact@v4 + # Need to upload the artifact in both success and failure cases so comment can be updated in either case + if: ${{ failure() }} || ${{ success() }} + with: + name: pr + path: pr/ + overwrite: true \ No newline at end of file