Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Setup dependencies CI #172

Merged
merged 6 commits into from
Jun 17, 2022
Merged

Setup dependencies CI #172

merged 6 commits into from
Jun 17, 2022

Conversation

Weibye
Copy link
Collaborator

@Weibye Weibye commented Jun 16, 2022

Objective

Fixes #163

Context

Copied from Bevy's setup, then removed all the specific crates that Bevy is ignoring.

This will run on pull requests and pushes if a Cargo.toml file has changed, or the deny.toml has changed.

Feedback wanted

  • Should we strip it down even further?
  • What triggers should we run this on?
    • Should definitely run on pull request.
    • Should we ignore dependabot branches?
    • I'm not sure how useful the cron-job is for us?

@Weibye
Copy link
Collaborator Author

Weibye commented Jun 16, 2022

So, we have two offenders:

90│ serde_cbor 0.11.2 registry+https://github.com/rust-lang/crates.io-index
│-----------------------------------------------------------------------unmaintained advisory detected
│
= ID: RUSTSEC-2021-0127
= Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0127
= The `serde_cbor` crate is unmaintained. The author has archived the github repository.
     Alternatives proposed by the author:
      * [`ciborium`](https://crates.io/crates/ciborium)
      * [`minicbor`](https://crates.io/crates/minicbor)
= Announcement: https://github.com/pyfisch/cbor
= Solution: No safe upgrade is available!
= serde_cbor v0.[11](https://github.com/DioxusLabs/taffy/runs/6923733268?check_suite_focus=true#step:5:12).2
     └── criterion v0.3.5
         └── (dev) taffy v0.2.0
error[B004]: found 2 duplicate entries for crate 'itoa'
┌─ /home/runner/work/taffy/taffy/Cargo.lock:55:1
│
55│╭itoa 0.4.[8](https://github.com/DioxusLabs/taffy/runs/6923733529?check_suite_focus=true#step:5:9) registry+https://github.com/rust-lang/crates.io-index
56││itoa 1.0.2 registry+https://github.com/rust-lang/crates.io-index
│╰────────────────────────────────────────────────────────────────^ lock entries
│
= itoa v0.4.8
     └── csv v1.1.6
         └── criterion v0.3.5
             └── (dev) taffy v0.2.0
= itoa v1.0.2
     └── serde_json v1.0.81
         ├── criterion v0.3.5
         │   └── (dev) taffy v0.2.0
         └── tinytemplate v1.2.1
             └── criterion v0.3.5 (*)

Do we allow them or do we want to try to find replacements / push for upstream crates to update?

@alice-i-cecile
Copy link
Collaborator

  1. We should configure this to ignore clashes in dev-dependencies.
  2. We should make issues/ PRs upstream to help them update anyways :)

@Weibye Weibye added the build system Make continuous integration do the tedious things label Jun 16, 2022
@Weibye
Copy link
Collaborator Author

Weibye commented Jun 16, 2022

Seems it's not an explicit feature yet: EmbarkStudios/cargo-deny#322, so I'll just ignore them specifically for now.

deny.toml Outdated Show resolved Hide resolved
deny.toml Outdated Show resolved Hide resolved
@alice-i-cecile alice-i-cecile merged commit 2402403 into DioxusLabs:main Jun 17, 2022
@alice-i-cecile
Copy link
Collaborator

Nice work, thanks!

@Weibye Weibye deleted the ci-deny branch June 18, 2022 12:46
jkelleyrtp pushed a commit that referenced this pull request Oct 10, 2022
* Setup dependencies CI

* eof

* Remove bors stuff

* Ignoring packages in dev-dependencies

* Update deny.toml

* Update deny.toml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build system Make continuous integration do the tedious things
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Check for duplicate dependencies in CI
2 participants