chore: add cargo-deny configuration #7119
Conversation
joshka-oai
commented
Nov 21, 2025
joshka-oai
commented
- add GitHub workflow running cargo-deny on push/PR
- document cargo-deny allowlist with workspace-dep notes and advisory ignores
- align workspace crates to inherit version/edition/license for consistent checks
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
joshka-oai
force-pushed
the
joshka/cargo-deny
branch
from
1108fe5 to
325c6d8
Compare
joshka-oai
left a comment
joshka-oai
left a comment
There was a problem hiding this comment.
Self review notes
| @@ -1,7 +1,8 @@ | |||
| [package] | |||
| name = "codex-backend-client" | |||
| version = "0.0.0" | |||
There was a problem hiding this comment.
I'm assuming that this is fine to bump - we're not publishing this, so it doesn't really matter what it's set to here
There was a problem hiding this comment.
2024 edition formatting changes
There was a problem hiding this comment.
2024 edition formatting changes
| @@ -1,7 +1,8 @@ | |||
| [package] | |||
| name = "codex-windows-sandbox" | |||
| version = "0.1.0" | |||
There was a problem hiding this comment.
I assume this version is not really relevant - please confirm @iceweasel-oai
| ignore = [ | ||
| { id = "RUSTSEC-2024-0388", reason = "derivative is unmaintained; pulled in via starlark v0.13.0 used by execpolicy/cli/core; no fixed release yet" }, | ||
| { id = "RUSTSEC-2025-0057", reason = "fxhash is unmaintained; pulled in via starlark_map/starlark v0.13.0 used by execpolicy/cli/core; no fixed release yet" }, | ||
| { id = "RUSTSEC-2024-0436", reason = "paste is unmaintained; pulled in via ratatui/rmcp/starlark used by tui/execpolicy; no fixed release yet" }, |
| # List of explicitly allowed licenses | ||
| # See https://spdx.org/licenses/ for list of possible licenses | ||
| # [possible values: any SPDX 3.11 short identifier (+ optional exception)]. | ||
| allow = [ |
There was a problem hiding this comment.
Added based on the current list of licenses. I also made codex fill in the comments here, mostly to help validate why we'e got each of these in our allow list - these will likely get out of date easily, this is not a big deal IMO)
| # https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html | ||
| [bans] | ||
| # Lint level for when multiple versions of the same crate are detected | ||
| multiple-versions = "warn" |
There was a problem hiding this comment.
This triggers a bunch. We may consider allow here if that's annoying. Fixing the problems here is out of scope for this change.
| github = [ | ||
| "nornagon", # ratatui and crossterm forks | ||
| ] |
There was a problem hiding this comment.
Mostly default - called out the actual changes (I also intentionally committed the default so that the changes are visible).
joshka-oai
force-pushed
the
joshka/cargo-deny
branch
5 times, most recently
from
c6f934c to
8b0559e
Compare
- add GitHub workflow running cargo-deny on push/PR - document cargo-deny allowlist with workspace-dep notes and advisory ignores - align workspace crates to inherit version/edition/license for consistent checks
joshka-oai
force-pushed
the
joshka/cargo-deny
branch
from
8b0559e to
c4e8da4
Compare
joshka-oai
left a comment
joshka-oai
left a comment
There was a problem hiding this comment.
undid a couple of edition (pty and windows-sandbox) as CI shows that changing the edition changes the behavior on these items.
| @@ -1,16 +1,13 @@ | |||
| [package] | |||
| edition = "2021" | |||
There was a problem hiding this comment.
Intentionally kept as 2021. This affects how the code in this runs
There was a problem hiding this comment.
Why? This does not sound like a good idea to have 2024 crates using 2021 on purpose
There was a problem hiding this comment.
Changing this for the windows and pty crates changes the behavior of a few things. Formatting changes quite a bit, and tests start to fail. I didn't dig deeply, and agree that we should should fix this, but it's a distinct thing which could need to be rolled back if it causes a problem. 2024 crates can use 2021 crates without a problem, so this is intentionally inconsistent pending a fix on that.
There was a problem hiding this comment.
Will do a fast follow on this.
| [package] | ||
| name = "codex-windows-sandbox" | ||
| version = "0.1.0" | ||
| edition = "2021" |
There was a problem hiding this comment.
Intentionally kept as 2021. This affects how the code in this runs
| edition = "2024" | ||
| name = "codex-ansi-escape" | ||
| version = { workspace = true } | ||
| version.workspace = true |
There was a problem hiding this comment.
Do we really need all those? Isn't it possible to do this at the repo level? I fear that people will forget to add them when creating new crates
There was a problem hiding this comment.
Pulling the version and edition items into this is not strictly necessary, it's just a small inoffensive cleanup to make it easy to set once and use everywhere. The necessary part is to set a license (as cargo-deny is about checking we only use valid licenses.
Creating a new crate in the repo using cargo new picks up the workspace level options automatically, so this is effectively just doing the same thing that we'd end up there. We can disable the check that is triggered by not specifically having a license on the crates by marking all of our crates as not published and setting an option to ignore private crates, but I think it's worth just leaving this setting at the default and making each crate pull from the workspace manifest.
cargo add foo
[package]
name = "foo"
version.workspace = true
edition.workspace = true
license.workspace = true
[dependencies]
[lints]
workspace = trueIf we don't set these license when creating a new package, CI will fail with an error telling the user to add a license for the new crate, which I'd hope would prompt codex to investigate bringing the new crate into the same pattern as the other crates like this.
