Skip to content

Add cargo-vet and cargo-deny supply-chain security#25

Merged
jerrysxie merged 11 commits into
OpenDevicePartnership:mainfrom
jerrysxie:add-supply-chain-security
Jun 12, 2026
Merged

Add cargo-vet and cargo-deny supply-chain security#25
jerrysxie merged 11 commits into
OpenDevicePartnership:mainfrom
jerrysxie:add-supply-chain-security

Conversation

@jerrysxie

@jerrysxie jerrysxie commented May 12, 2026

Copy link
Copy Markdown
Contributor

This PR adds supply-chain security tooling based on the
embedded-rust-template:

  • cargo-vet (supply-chain/) – dependency audit tracking with imports
    from ODP shared audits, Google, and Mozilla.
  • CI workflowscargo-vet.yml + PR comment workflow

Copilot AI review requested due to automatic review settings May 12, 2026 20:24
@jerrysxie jerrysxie requested a review from a team as a code owner May 12, 2026 20:24

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces Rust supply-chain security checks by adding cargo-vet configuration (including imported third-party audits) and integrating cargo-deny/cargo-vet into GitHub Actions workflows to continuously validate dependencies in CI.

Changes:

  • Add cargo-vet configuration under supply-chain/ and set up audit imports.
  • Add GitHub Actions workflows to run cargo vet on PRs and post/update PR comments with results.
  • Integrate cargo-deny configuration and a CI job to check advisories/licenses/bans/sources.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
supply-chain/imports.lock Initializes cargo-vet import lock structure for upstream audit sources.
supply-chain/config.toml Configures cargo-vet and defines upstream audit import URLs.
supply-chain/audits.toml Adds the local audits file scaffold for cargo-vet.
.github/workflows/cargo-vet.yml Adds CI job to install and run cargo-vet on PRs and upload PR metadata artifact.
.github/workflows/cargo-vet-pr-comment.yml Adds workflow_run-based PR commenting/labeling based on cargo-vet outcomes.
deny.toml Adds cargo-deny policy configuration for dependency checks.
.github/workflows/check.yml Adds/updates CI to run cargo-deny as part of the main check workflow.

Comment thread .github/workflows/cargo-vet.yml
Comment thread .github/workflows/cargo-vet.yml
Comment thread .github/workflows/cargo-vet.yml
Comment thread .github/workflows/cargo-vet-pr-comment.yml
Comment thread .github/workflows/cargo-vet-pr-comment.yml
Comment thread supply-chain/config.toml
Copilot AI review requested due to automatic review settings May 17, 2026 23:47

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 6 comments.

Comment thread .github/workflows/cargo-vet.yml
Comment thread .github/workflows/cargo-vet.yml
Comment thread .github/workflows/cargo-vet.yml
Comment thread .github/workflows/cargo-vet-pr-comment.yml
Comment thread .github/workflows/cargo-vet-pr-comment.yml
Comment thread supply-chain/README.md
felipebalbi
felipebalbi previously approved these changes May 18, 2026
@jerrysxie jerrysxie self-assigned this May 28, 2026
Certify 10 previously unvetted dependencies for safe-to-deploy:
- memchr 2.7.6->2.8.0, rustc-hash 2.1.1->2.1.2, zmij 1.0.20->1.0.21,
  itoa 1.0.15->1.0.18 (delta audits)
- embedded-hal and embedded-hal-async 1.0.0->1.0.0@git:e6b10a66,
  embassy-sync 0.8.0->0.7.2 (delta audits)
- anyhow 1.0.102, prettyplease 0.2.37, serde_json 1.0.149 (full audits)

Fix corrupted policy keys for embedded-hal and embedded-hal-async in
config.toml. Remove duplicate audit entries from prior sessions.
Refresh imports.lock.

Assisted-by: GitHub Copilot:claude-opus-4.6 cargo-vet
@jerrysxie jerrysxie merged commit cf5d615 into OpenDevicePartnership:main Jun 12, 2026
9 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants