Check for duplicate crate dependencies in CI

.github/workflows/ci.yml

@@ -169,7 +169,7 @@ jobs:
           command: build
           args: --verbose --release
 
-  clippy:
+  clippy-cargo-lock:
     name: Clippy (stable)
     timeout-minutes: 30
     runs-on: ubuntu-latest
@@ -204,7 +204,14 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           args: --all-features --all-targets -- -D warnings
 
-  fmt:
+      # This check makes sure the crate dependency check is accurate
+      - name: Check Cargo.lock is up to date
+        uses: actions-rs/cargo@v1.0.3
+        with:
+          command: check
+          args: --locked --all-features --all-targets
+
+  fmt-deps:
     name: Rustfmt
     timeout-minutes: 30
     runs-on: ubuntu-latest
@@ -231,7 +238,21 @@ jobs:
             echo "CARGO_INCREMENTAL=${{ env.CARGO_INCREMENTAL }}"
             echo "RUST_BACKTRACE=${{ env.RUST_BACKTRACE }}"
 
-      - uses: actions-rs/cargo@v1.0.3
+      - name: Check rustfmt
+        uses: actions-rs/cargo@v1.0.3
         with:
           command: fmt
           args: --all -- --check
+
+      # Edit zebra/deny.toml to allow duplicates
+      - name: Check for dependent crates with different versions
+        uses: EmbarkStudios/cargo-deny-action@v1.2.6
+        with:
+          command: check bans
+          args: --all-features --workspace
+
+      - name: Check crate sources
+        uses: EmbarkStudios/cargo-deny-action@v1.2.6
+        with:
+          command: check sources
+          args: --all-features --workspace

deny.toml

@@ -0,0 +1,102 @@
+# Note that all fields that take a lint level have these possible values:
+# * deny - An error will be produced and the check will fail
+# * warn - A warning will be produced, but the check will not fail
+# * allow - No warning or error will be produced, though in some cases a note
+# will be
+
+# This section is considered when running `cargo deny check bans`.
+# More documentation about the 'bans' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+# Lint level for when multiple versions of the same crate are detected
+multiple-versions = "deny"
+# The graph highlighting used when creating dotgraphs for crates
+# with multiple versions
+# * lowest-version - The path to the lowest versioned duplicate is highlighted
+# * simplest-path - The path to the version with the fewest edges is highlighted
+# * all - Both lowest-version and simplest-path are used
+highlight = "all"
+
+# List of crates that are allowed. Use with care!
+allow = [
+    #{ name = "ansi_term", version = "=0.11.0" },
+]
+
+# Certain crates/versions that will be skipped when doing duplicate detection.
+skip = [
+    #{ name = "ansi_term", version = "=0.11.0" },
+]
+# Similarly to `skip` allows you to skip certain crates during duplicate
+# detection. Unlike skip, it also includes the entire tree of transitive
+# dependencies starting at the specified crate, up to a certain depth, which is
+# by default infinite
+skip-tree = [
+    # ticket #2200: tokio dependencies
+    { name = "metrics-exporter-prometheus", version = "=0.1.0-alpha.7" },
+    { name = "tower", version = "=0.4.0" },
+    { name = "tokio", version = "=0.2.23" },
+    { name = "tokio-util", version = "=0.3.1" },
+
+    # ticket #2953: tracing dependencies
+    { name = "tracing-subscriber", version = "=0.1.6" },
+
+    # ticket #2952: cryptography dependencies
+    { name = "aes", version = "=0.6.0" },
+    { name = "bellman", version = "=0.10.0" },
+    { name = "bls12_381", version = "=0.5.0" },
+    { name = "fpe", version = "=0.4.0" },
+
+    # ticket #2982: librustzcash and orchard git versions
+    { name = "zcash_primitives", version = "=0.5.0" },
+
+    # ticket #2983: criterion dependencies
+    { name = "criterion", version = "=0.3.4" },
+
+    # ticket #2981: bindgen dependencies
+    { name = "rocksdb", version = "=0.16.0" },
+
+    # ticket #2984: owo-colors dependencies
+    { name = "color-eyre", version = "=0.5.11" },
+
+    # tickets #2985 and #2391: tempdir & rand dependencies
+    { name = "tempdir", version = "=0.3.7" },
+
+    # ticket #2980: inferno dependencies
+    { name = "inferno", version = "=0.10.7" },
+
+    # upgrade orchard from deprecated `bigint` to `uint`: https://github.com/zcash/orchard/issues/219
+    # alternative: downgrade Zebra to `bigint`
+    { name = "bigint", version = "=4.4.3" },
+]
+
+# This section is considered when running `cargo deny check sources`.
+# More documentation about the 'sources' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+# Lint level for what to happen when a crate from a crate registry that is not
+# in the allow list is encountered
+unknown-registry = "deny"
+# Lint level for what to happen when a crate from a git repository that is not
+# in the allow list is encountered
+unknown-git = "deny"
+# List of URLs for allowed crate registries. Defaults to the crates.io index
+# if not specified. If it is specified but empty, no registries are allowed.
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+# List of URLs for allowed Git repositories
+allow-git = [
+    # ticket #2200: tokio dependencies
+    "https://github.com/kellpossible/sentry-tracing",
+
+    # ticket #2982: librustzcash and orchard git versions
+    "https://github.com/str4d/redjubjub",
+]
+
+[sources.allow-org]
+github = [
+    "ZcashFoundation",
+    "zcash",
+
+    # ticket #2200: tokio dependencies
+    "hyperium",
+    "tower-rs",
+]