Setup dependencies CI #172

Merged
alice-i-cecile merged 6 commits into DioxusLabs:main from Weibye:ci-deny
Jun 17, 2022

Conversation

Weibye (Collaborator) commented Jun 16, 2022

Objective

Fixes #163

Context

Copied from Bevy's setup, then removed all the specific crates that Bevy is ignoring.

This will run on pull requests and pushes if a Cargo.toml file has changed, or the deny.toml has changed.

Feedback wanted

  • Should we strip it down even further?
  • What triggers should we run this on?
    • Should definitely run on pull request.
    • Should we ignore dependabot branches?
    • I'm not sure how useful the cron-job is for us?

Weibye (Collaborator, Author) commented Jun 16, 2022

So, we have two offenders:

90│ serde_cbor 0.11.2 registry+https://github.com/rust-lang/crates.io-index
│-----------------------------------------------------------------------unmaintained advisory detected
│
= ID: RUSTSEC-2021-0127
= Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0127
= The `serde_cbor` crate is unmaintained. The author has archived the github repository.
     Alternatives proposed by the author:
      * [`ciborium`](https://crates.io/crates/ciborium)
      * [`minicbor`](https://crates.io/crates/minicbor)
= Announcement: https://github.com/pyfisch/cbor
= Solution: No safe upgrade is available!
= serde_cbor v0.11.2
     └── criterion v0.3.5
         └── (dev) taffy v0.2.0
error[B004]: found 2 duplicate entries for crate 'itoa'
┌─ /home/runner/work/taffy/taffy/Cargo.lock:55:1
│
55│╭itoa 0.4.8 registry+https://github.com/rust-lang/crates.io-index
56││itoa 1.0.2 registry+https://github.com/rust-lang/crates.io-index
│╰────────────────────────────────────────────────────────────────^ lock entries
│
= itoa v0.4.8
     └── csv v1.1.6
         └── criterion v0.3.5
             └── (dev) taffy v0.2.0
= itoa v1.0.2
     └── serde_json v1.0.81
         ├── criterion v0.3.5
         │   └── (dev) taffy v0.2.0
         └── tinytemplate v1.2.1
             └── criterion v0.3.5 (*)

Do we allow them or do we want to try to find replacements / push for upstream crates to update?

alice-i-cecile (Collaborator) commented Jun 16, 2022

  1. We should configure this to ignore clashes in dev-dependencies.
  2. We should make issues/ PRs upstream to help them update anyways :)

@Weibye Weibye added the build system Make continuous integration do the tedious things label Jun 16, 2022
Weibye (Collaborator, Author) commented Jun 16, 2022

Seems it's not an explicit feature yet: EmbarkStudios/cargo-deny#322, so I'll just ignore them specifically for now.
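The kind of deny.toml this comment describes, as an added example rather than the file merged in this PR: it silences exactly the two findings quoted above (the RUSTSEC-2021-0127 advisory on serde_cbor and the two itoa versions) while keeping every other check active. The `[bans]` and `[advisories]` keys are standard cargo-deny configuration; the specific versions come from the log above.

```toml
# Added example, not the deny.toml merged in this PR.
# Run with: cargo deny check (the CI job does the same on Cargo.toml/deny.toml changes)

[advisories]
# Keep advisory checking on for everything except the one finding we have
# consciously accepted. Ignoring by ID rather than by crate name means a
# *new* advisory against serde_cbor would still fail the check.
ignore = [
    # serde_cbor is unmaintained; only reachable through the criterion
    # dev-dependency, so it never ships in the library. Revisit when criterion
    # moves to ciborium/minicbor (the alternatives named in the advisory).
    "RUSTSEC-2021-0127",
]

[bans]
# Still fail on duplicate crate versions in general...
multiple-versions = "deny"
# ...but accept the one known clash: itoa 0.4.8 pulled in by csv (via criterion)
# alongside itoa 1.0.2 pulled in by serde_json/tinytemplate. Pinning the exact
# version means a third itoa version appearing later would still be flagged.
skip = [
    { name = "itoa", version = "=0.4.8" },
]
# Broader alternative until cargo-deny grows a dev-dependency switch
# (EmbarkStudios/cargo-deny#322): skip every duplicate underneath criterion,
# the dev-dependency that pulls both copies in. Wider blast radius, less to edit.
# skip-tree = [
#     { name = "criterion", version = "0.3" },
# ]
```

Because the ignore is keyed on the advisory ID and the skip on an exact version, the check keeps failing on anything new rather than blanket-trusting those crates.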

@alice-i-cecile alice-i-cecile merged commit 2402403 into DioxusLabs:main Jun 17, 2022
alice-i-cecile (Collaborator) commented Jun 17, 2022

Nice work, thanks!

@Weibye Weibye deleted the ci-deny branch June 18, 2022 12:46
jkelleyrtp pushed a commit that referenced this pull request Oct 10, 2022
* Setup dependencies CI

* eof

* Remove bors stuff

* Ignoring packages in dev-dependencies

* Update deny.toml

* Update deny.toml

Labels

build system Make continuous integration do the tedious things

Development

Successfully merging this pull request may close these issues.

Check for duplicate dependencies in CI
