From 29427dd73bd67d6105afe4a61a2a0f750a4b9e26 Mon Sep 17 00:00:00 2001
From: satyakwok
Date: Wed, 13 May 2026 17:47:35 +0200
Subject: [PATCH 1/2] chore: add cargo-deny + dependency-review + commitlint workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirrors the supply-chain hygiene already running on sentrix-labs/sentrix. Explorer-v2 is deployed as a public-facing WASM app — license + vuln gating on the dep tree matters because users trust the binary served from scan.sentriscloud.com. deny.toml: license allowlist + advisory yank-block. cargo-deny.yml: runs `cargo deny check` on PR + push to main. dependency-review.yml: pre-merge diff-only gate; license list mirrors deny.toml. commitlint.yml + .commitlintrc.json: Conventional Commits enforce. Bans `multiple-versions = warn` rather than `deny` because the leptos + alloy ecosystems regularly need two majors during migration.
---
 .commitlintrc.json | 12 +++++++
 .github/workflows/cargo-deny.yml | 26 +++++++++++++++
 .github/workflows/commitlint.yml | 22 +++++++++++++
 .github/workflows/dependency-review.yml | 30 +++++++++++++++++
 deny.toml | 44 +++++++++++++++++++++++++
 5 files changed, 134 insertions(+)
 create mode 100644 .commitlintrc.json
 create mode 100644 .github/workflows/cargo-deny.yml
 create mode 100644 .github/workflows/commitlint.yml
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 deny.toml

diff --git a/.commitlintrc.json b/.commitlintrc.json
new file mode 100644
index 0000000..e912347
--- /dev/null
+++ b/.commitlintrc.json
@@ -0,0 +1,12 @@
+{
+ "extends": ["@commitlint/config-conventional"],
+ "rules": {
+ "header-max-length": [2, "always", 100],
+ "body-max-line-length": [0, "always"],
+ "footer-max-line-length": [0, "always"],
+ "type-enum": [2, "always", [
+ "build", "chore", "ci", "docs", "feat", "fix",
+ "perf", "refactor", "revert", "style", "test"
+ ]]
+ }
+}
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
new file mode 100644
index 0000000..44672ea
--- /dev/null
+++ b/.github/workflows/cargo-deny.yml
@@ -0,0 +1,26 @@
+name: cargo-deny
+
+# License + advisory + ban policy enforcement via deny.toml. Runs on PR
+# + push to main + manual dispatch. Mirrors the cargo-deny gate already
+# running on the chain repo (sentrix-labs/sentrix).
+
+on:
+ pull_request:
+ branches: [main]
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ cargo-deny:
+ name: cargo-deny (licenses + advisories + bans)
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ - uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2
+ with:
+ command: check
+ arguments: --all-features
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
new file mode 100644
index 0000000..630cda2
--- /dev/null
+++ b/.github/workflows/commitlint.yml
@@ -0,0 +1,22 @@
+name: commitlint
+
+on:
+ pull_request:
+ branches: [main]
+
+permissions:
+ contents: read
+ pull-requests: read
+
+jobs:
+ commitlint:
+ name: commitlint
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ with:
+ fetch-depth: 0
+
+ - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
+ with:
+ configFile: .commitlintrc.json
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..1681cec
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
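Review bot: The `on:` block runs cargo-deny only on pull_request, push to main and manual dispatch, so a RUSTSEC advisory published against an unchanged Cargo.lock is not noticed until the next code change lands, even though this is the gate protecting a deployed artefact. Adding `schedule:` / `- cron: "0 6 * * *"` (constructed example, daily at 06:00 UTC) under `on:` closes that gap with no other change, since the actions are already pinned by SHA. The `arguments: --all-features` input also duplicates `[graph] all-features = true` in deny.toml; harmless, but keeping the feature set in one place avoids the two drifting apart.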
@@ -0,0 +1,30 @@
+name: Dependency review
+
+# Runs GitHub's dependency-review-action on PRs. Diffs the lockfile
+# changes vs the base branch and BLOCKS merge if newly-introduced
+# dependencies have HIGH-severity vulnerabilities OR licenses outside
+# our allowlist. Complements cargo-deny (full-tree post-merge gate)
+# with a pre-merge diff-only gate.
+
+on:
+ pull_request:
+ branches: [main]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ dependency-review:
+ name: Dependency review
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+ - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
+ with:
+ fail-on-severity: high
+ # Mirror deny.toml [licenses].allow.
+ allow-licenses: MIT, Apache-2.0, Apache-2.0 WITH LLVM-exception, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, Unicode-DFS-2016, Unicode-3.0, CC0-1.0, Zlib, 0BSD, BUSL-1.1, CDLA-Permissive-2.0
+ allow-dependencies-licenses: pkg:githubactions/Swatinem/rust-cache
+ comment-summary-in-pr: on-failure
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..0fbf93f
--- /dev/null
+++ b/deny.toml
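Review bot: The header comment describes cargo-deny as a "full-tree post-merge gate", but cargo-deny.yml in this same patch triggers on pull_request to main, so both checks run before merge; the distinction worth documenting is data source and scope, e.g. `# Complements cargo-deny (RustSec DB, whole graph) with GitHub advisory/licence data on the lockfile diff.` `fail-on-severity: high` lets moderate and low advisories through this check while cargo-deny fails on any advisory not in its ignore list, so a PR can be green here and red there; `fail-on-severity: moderate` would align the two. Whether a failure actually blocks merge depends on branch protection requiring this check, which the workflow itself cannot guarantee, so "BLOCKS merge" in the comment is a claim about repository settings rather than this file. `allow-dependencies-licenses: pkg:githubactions/Swatinem/rust-cache` exempts an action that none of the workflows in this patch use; if it is not referenced elsewhere in the repo it is dead configuration.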
@@ -0,0 +1,44 @@
+# cargo-deny configuration. Loaded by .github/workflows/cargo-deny.yml.
+# See https://embarkstudios.github.io/cargo-deny/
+
+[graph]
+all-features = true
+
+[advisories]
+yanked = "deny"
+ignore = []
+
+[licenses]
+unused-allowed-license = "allow"
+confidence-threshold = 0.8
+allow = [
+ "MIT",
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "MPL-2.0",
+ "Unicode-DFS-2016",
+ "Unicode-3.0",
+ "CC0-1.0",
+ "Zlib",
+ "0BSD",
+ "BUSL-1.1",
+ # webpki-roots v1.x: CDLA-Permissive-2.0 (transitive via reqwest -> rustls).
+ "CDLA-Permissive-2.0",
+]
+
+[bans]
+# Multiple major versions tolerated for now (leptos + alloy ecosystems
+# regularly need two majors during migration). Tighten later if a
+# specific crate becomes the problem.
+multiple-versions = "warn"
+wildcards = "warn"
+allow-wildcard-paths = true
+highlight = "all"
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-git = []
From 397b0d381e8a946b92cae2737dbbbbcfc02eb7b1 Mon Sep 17 00:00:00 2001
From: satyakwok
Date: Wed, 13 May 2026 18:10:06 +0200
Subject: [PATCH 2/2] fix(deny): ignore RUSTSEC-2024-0436/0134 + allow BSL-1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two CI failures from the initial hardening PR: 1. `paste` (RUSTSEC-2024-0436) and `rustls-pemfile` (RUSTSEC-2025-0134) are unmaintained / deprecated advisories with no actual vulnerability. Add to ignore list mirroring indexer-rs + chain repo policy. 2. `xxhash-rust` (transitive via leptos's hashing layer) ships under BSL-1.0 (Boost Software License). Permissive, OSI-approved. Add to the license allowlist. Tested locally: `cargo deny --all-features check` → all four checks ok.
---
 deny.toml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/deny.toml b/deny.toml
index 0fbf93f..ec7c3dd 100644
--- a/deny.toml
+++ b/deny.toml
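Review bot: `"BUSL-1.1"` sits in the global `[licenses].allow` list with no crate named, unlike the CDLA entry right below it; the Business Source License is source-available with a use restriction until its change date, not a permissive licence, so a blanket allow lets any future BUSL crate into a publicly served binary without anyone noticing. Scope it to the crate that needs it instead, `exceptions = [{ allow = ["BUSL-1.1"], crate = "<busl-crate>" }]` (placeholder crate name), and drop it from `allow`. Note that `unused-allowed-license = "allow"` means a stale allowlist entry is never reported, so as written the BUSL entry would silently outlive whatever dependency motivated it.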
@@ -6,7 +6,15 @@ all-features = true
 
 [advisories]
 yanked = "deny"
-ignore = []
+ignore = [
+ # `paste` is unmaintained (author archived) but still a transitive dep
+ # of alloy / sqlx / prost. No vulnerability — just dormant. Mirrors
+ # the ignore in indexer-rs + the chain repo.
+ "RUSTSEC-2024-0436",
+ # `rustls-pemfile` is deprecated in favour of `rustls-pki-types`;
+ # transitive via reqwest -> rustls. No vulnerability.
+ "RUSTSEC-2025-0134",
+]
 
 [licenses]
 unused-allowed-license = "allow"
@@ -27,6 +35,9 @@ allow = [
 "BUSL-1.1",
 # webpki-roots v1.x: CDLA-Permissive-2.0 (transitive via reqwest -> rustls).
 "CDLA-Permissive-2.0",
+ # Boost Software License — permissive OSI-approved, transitive via
+ # xxhash-rust used by leptos's hashing layer.
+ "BSL-1.0",
 ]
 
 [bans]
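Review bot: The two new `ignore` entries carry their rationale only in comments; cargo-deny accepts the table form `{ id = "RUSTSEC-2024-0436", reason = "unmaintained, no vulnerability; transitive via alloy/sqlx/prost" }`, which shows the reason in check output and keeps it attached to the entry if the file is reformatted. An unmaintained crate is exactly the one that will get no upstream fix if a real vulnerability is filed later, so each comment should also state what would trigger revisiting the ignore, e.g. `# Revisit when alloy/sqlx/prost drop paste or a CVSS-scored advisory is filed against it.` The same applies to the RUSTSEC-2025-0134 entry for rustls-pemfile.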
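Review bot: `"BSL-1.0"` is added to `[licenses].allow`, but the `allow-licenses` list in .github/workflows/dependency-review.yml, introduced in the first patch of this series with a comment saying it mirrors this list, is not updated here, so a PR that first pulls xxhash-rust into Cargo.lock would still fail dependency review while cargo-deny passes. Append it there too, `allow-licenses: ..., CDLA-Permissive-2.0, BSL-1.0`. Changing both lists in the same commit whenever either moves, or generating one from the other, is the only way the "mirror" claim stays true.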