From 08fa629b8272ffbbe203bcf0ab3fd0173726e4d7 Mon Sep 17 00:00:00 2001
From: Aidan Gauland
Date: Fri, 20 Oct 2023 08:36:56 +1300
Subject: [PATCH 1/2] cargoLib.cargoDeny: init
---
CHANGELOG.md | 3 ++
checks/cargoDeny.nix | 7 ++++
checks/default.nix | 2 ++
checks/simple-with-deny-toml/Cargo.lock | 16 +++++++++
checks/simple-with-deny-toml/Cargo.toml | 8 +++++
checks/simple-with-deny-toml/deny.toml | 5 +++
checks/simple-with-deny-toml/src/main.rs | 23 +++++++++++++
docs/API.md | 43 ++++++++++++++++++++++++
examples/quick-start/flake.nix | 5 +++
lib/cargoDeny.nix | 28 +++++++++++++++
lib/default.nix | 1 +
11 files changed, 141 insertions(+)
create mode 100644 checks/cargoDeny.nix
create mode 100644 checks/simple-with-deny-toml/Cargo.lock
create mode 100644 checks/simple-with-deny-toml/Cargo.toml
create mode 100644 checks/simple-with-deny-toml/deny.toml
create mode 100644 checks/simple-with-deny-toml/src/main.rs
create mode 100644 lib/cargoDeny.nix
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 380e85e4..d87e6fda 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## Unreleased
+### Added
+* `cargoDeny` added for running [`cargo-deny`](https://github.com/EmbarkStudios/cargo-deny).
+
### Changed * The `use-zstd` artifact installation mode now uses a chained, incremental approach to avoid redundancy. Old behavior (taking a full snapshot of the
diff --git a/checks/cargoDeny.nix b/checks/cargoDeny.nix
new file mode 100644
index 00000000..ecba704e
--- /dev/null
+++ b/checks/cargoDeny.nix
@@ -0,0 +1,7 @@
+{ cargoDeny
+, buildDepsOnly
+}:
+
+cargoDeny {
+ src = ./simple-with-deny-toml;
+}
diff --git a/checks/default.nix b/checks/default.nix
index 8d5d5873..ae8d4447 100644
--- a/checks/default.nix
+++ b/checks/default.nix
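Review bot: `buildDepsOnly` is declared in the argument set of checks/cargoDeny.nix but nothing in the body uses it; the file only calls `cargoDeny` with `src`. The header can be reduced to `{ cargoDeny }:`, which keeps the check's inputs limited to what it actually depends on. The fixture also covers only a passing policy, so it would not notice if a licence violation stopped failing the derivation; whether a negative case is worth adding is a judgment call.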
@@ -48,6 +48,8 @@ in cargoAuditTests = callPackage ./cargoAudit.nix { };
+ cargoDenyTests = callPackage ./cargoDeny.nix { };
+
cargoLlvmCov = myLibLlvmTools.cargoLlvmCov { src = ./simple; cargoArtifacts = myLib.buildDepsOnly {
diff --git a/checks/simple-with-deny-toml/Cargo.lock b/checks/simple-with-deny-toml/Cargo.lock
new file mode 100644
index 00000000..d9f041e8
--- /dev/null
+++ b/checks/simple-with-deny-toml/Cargo.lock
@@ -0,0 +1,16 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "byteorder" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" + +[[package]] +name = "simple" +version = "0.1.0" +dependencies = [ + "byteorder", +]
diff --git a/checks/simple-with-deny-toml/Cargo.toml b/checks/simple-with-deny-toml/Cargo.toml
new file mode 100644
index 00000000..801af865
--- /dev/null
+++ b/checks/simple-with-deny-toml/Cargo.toml
@@ -0,0 +1,8 @@
+[package]
+name = "simple"
+version = "0.1.0"
+edition = "2021"
+license = "CC0-1.0"
+
+[dependencies]
+byteorder = "*"
diff --git a/checks/simple-with-deny-toml/deny.toml b/checks/simple-with-deny-toml/deny.toml
new file mode 100644
index 00000000..bd246730
--- /dev/null
+++ b/checks/simple-with-deny-toml/deny.toml
@@ -0,0 +1,5 @@
+[licenses]
+allow = [
+ "CC0-1.0",
+ "MIT"
+]
diff --git a/checks/simple-with-deny-toml/src/main.rs b/checks/simple-with-deny-toml/src/main.rs
new file mode 100644
index 00000000..5cc386ef
--- /dev/null
+++ b/checks/simple-with-deny-toml/src/main.rs
@@ -0,0 +1,23 @@
+fn main() {
+ println!("Hello, world!");
+}
+
+#[test]
+fn first() {
+ assert_eq!(1 + 1, 2);
+}
+
+#[test]
+fn second() {
+ assert_eq!(84 / 2, 42);
+}
+
+#[test]
+fn third() {
+ assert_eq!(5 * 5, 25);
+}
+
+#[test]
+fn fourth() {
+ assert_eq!(81 / 3, 27);
+}
diff --git a/docs/API.md b/docs/API.md
index 6c3e5ce5..8f87e8f6 100644
--- a/docs/API.md
+++ b/docs/API.md
@@ -337,6 +337,49 @@ environment variables during the build, you can bring them back via * `cargoAuditExtraArgs` * `cargoExtraArgs`
+### `craneLib.cargoDeny`
+`cargoDeny :: set -> drv`
+
+Create a derivation which will run a `cargo deny` invocation in a cargo
+workspace.
+
+Note that although `cargo deny` can serve as a replacement for `cargo audit`,
+`craneLib.cargoDeny` does not expose this functionality because `cargo deny`
+requires the full source tree, rather than working from just the `Cargo.lock`
+file, meaning it will be re-run when any source file changes, rather than only
+when dependencies change.
+
+Except where noted below, all derivation attributes are delegated to
+`mkCargoDerivation`, and can be used to influence its behavior.
+* `buildPhaseCargoCommand` will be set to run
+ `cargo deny --offline check bans licenses sources`
+ in the workspace.
+* `pnameSuffix` will be set to `"-deny"`
+
+#### Required attributes
+* `src`: The project source to audit, it must contain `Cargo.toml` and
+ `Cargo.lock` files.
+
+#### Optional attributes
+* `cargoDenyChecks`: check types to run
+ - Default value: `"bans licenses sources"`
+* `cargoDenyExtraArgs`: additional flags to be passed in the cargo-deny invocation
+ - Default value: `""`
+* `cargoExtraArgs`: additional flags to be passed in the cargo invocation
+ - Default value: `""`
+
+#### Native build dependencies
+The `cargo-deny` package is automatically appended as a native build input to any
+other `nativeBuildInputs` specified by the caller.
+
+#### Remove attributes
+The following attributes will be removed before being lowered to
+`mkCargoDerivation`. If you absolutely need these attributes present as
+environment variables during the build, you can bring them back via
+`.overrideAttrs`.
+* `cargoDenyExtraArgs`
+* `cargoExtraArgs`
+
### `craneLib.cargoBuild` `cargoBuild :: set -> drv`
diff --git a/examples/quick-start/flake.nix b/examples/quick-start/flake.nix
index 186804cb..f87f5e9a 100644
--- a/examples/quick-start/flake.nix
+++ b/examples/quick-start/flake.nix
@@ -98,6 +98,11 @@ inherit src advisory-db; };
+ # Audit licenses
+ my-crate-deny = craneLib.cargoDeny {
+ inherit cargoArtifacts;
+ };
+
# Run tests with cargo-nextest # Consider setting `doCheck = false` on `my-crate` if you do not want # the tests to run twice
diff --git a/lib/cargoDeny.nix b/lib/cargoDeny.nix
new file mode 100644
index 00000000..28de68d3
--- /dev/null
+++ b/lib/cargoDeny.nix
@@ -0,0 +1,28 @@
+{ cargo-deny
+, mkCargoDerivation
+}:
+
+{ cargoDenyExtraArgs ? ""
+, cargoDenyChecks ? "bans licenses sources"
+, cargoExtraArgs ? ""
+, src
+, ...
+}@origArgs:
+let
+ args = builtins.removeAttrs origArgs [
+ "cargoDenyExtraArgs"
+ "cargoExtraArgs"
+ ];
+in
+mkCargoDerivation (args // {
+ buildPhaseCargoCommand = ''
+ cargo --offline ${cargoExtraArgs} \
+ deny ${cargoDenyExtraArgs} check ${cargoDenyChecks}
+ '';
+
+ cargoArtifacts = null;
+ doInstallCargoArtifacts = false;
+ pnameSuffix = "-deny";
+
+ nativeBuildInputs = (args.nativeBuildInputs or [ ]) ++ [ cargo-deny ];
+})
diff --git a/lib/default.nix b/lib/default.nix
index 6d070a01..e3d891e7 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -19,6 +19,7 @@ in cargoAudit = callPackage ./cargoAudit.nix { }; cargoBuild = callPackage ./cargoBuild.nix { }; cargoClippy = callPackage ./cargoClippy.nix { };
+ cargoDeny = callPackage ./cargoDeny.nix { };
cargoDoc = callPackage ./cargoDoc.nix { }; cargoFmt = callPackage ./cargoFmt.nix { }; cargoHelperFunctionsHook = callPackage ./setupHooks/cargoHelperFunctions.nix { };
From 20d988bf9f38757257dbcf172f52fdfe1e428ec0 Mon Sep 17 00:00:00 2001
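Review bot: The comment `# Audit licenses` above `my-crate-deny` understates what the derivation checks, since the default `cargoDenyChecks` added in lib/cargoDeny.nix is `"bans licenses sources"`. I would word it as `# Audit licenses, banned crates and crate sources` so readers of the quick-start know the check also covers where dependencies come from. The surrounding attribute set starts and ends outside this hunk.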
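Review bot: `cargoDenyChecks` is missing from the `builtins.removeAttrs` list in lib/cargoDeny.nix, so a caller-supplied value is still passed through `args` to `mkCargoDerivation` even though it has already been interpolated into `buildPhaseCargoCommand`; adding `"cargoDenyChecks"` to the list treats it the same way as `cargoDenyExtraArgs` and `cargoExtraArgs`. The default of `"bans licenses sources"` leaves out cargo-deny's `advisories` check, so a header comment such as `# NOTE: the advisories check is not run by default; use cargoAudit for vulnerability advisories` would stop readers assuming this derivation covers known-vulnerable dependencies. `src` is bound in the argument pattern but never referenced in the body; presumably that is there to make it a required attribute, which a short comment could say.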
From: Ivan Petkov
Date: Fri, 20 Oct 2023 14:30:49 -0700
Subject: [PATCH 2/2] Minor fixes
---
docs/API.md | 6 ++++--
examples/quick-start/Cargo.toml | 1 +
examples/quick-start/deny.toml | 4 ++++
examples/quick-start/flake.nix | 2 +-
4 files changed, 10 insertions(+), 3 deletions(-)
create mode 100644 examples/quick-start/deny.toml
diff --git a/docs/API.md b/docs/API.md
index 8f87e8f6..5633056f 100644
--- a/docs/API.md
+++ b/docs/API.md
@@ -352,8 +352,10 @@ when dependencies change. Except where noted below, all derivation attributes are delegated to `mkCargoDerivation`, and can be used to influence its behavior. * `buildPhaseCargoCommand` will be set to run
- `cargo deny --offline check bans licenses sources`
- in the workspace.
+ `cargo --offline $cargoExtraArgs deny $cargoDenyExtraArgs check
+ $cargoDenyChecks` in the workspace.
+* `cargoArtifacts` will be set to `null`
+* `doInstallCargoArtifacts` will be set to `false`
* `pnameSuffix` will be set to `"-deny"` #### Required attributes
diff --git a/examples/quick-start/Cargo.toml b/examples/quick-start/Cargo.toml
index d83bbdf2..3e2467c1 100644
--- a/examples/quick-start/Cargo.toml
+++ b/examples/quick-start/Cargo.toml
@@ -2,6 +2,7 @@ name = "quick-start" version = "0.1.0" edition = "2021"
+license = "MIT"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
diff --git a/examples/quick-start/deny.toml b/examples/quick-start/deny.toml
new file mode 100644
index 00000000..b951a73f
--- /dev/null
+++ b/examples/quick-start/deny.toml
@@ -0,0 +1,4 @@
+[licenses]
+allow = [
+ "MIT"
+]
diff --git a/examples/quick-start/flake.nix b/examples/quick-start/flake.nix
index f87f5e9a..312fdb44 100644
--- a/examples/quick-start/flake.nix
+++ b/examples/quick-start/flake.nix
@@ -100,7 +100,7 @@ # Audit licenses my-crate-deny = craneLib.cargoDeny {
- inherit cargoArtifacts;
+ inherit src;
}; # Run tests with cargo-nextest
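Review bot: The new examples/quick-start/deny.toml configures only `[licenses]`, while the derivation's default check list is `bans licenses sources`, so the bans and sources checks run on cargo-deny's built-in defaults. As far as I know those defaults only warn on a crate that comes from an unknown registry or git source, so the example reads as a supply-chain gate but would not fail on one. Consider adding a `[sources]` table with `unknown-registry = "deny"` and `unknown-git = "deny"`, so that people copying the quick-start get a failing build when a dependency comes from somewhere unexpected. The same applies to checks/simple-with-deny-toml/deny.toml in the first patch.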