fix(ci): fix build failures and add security audit workflow

- build-linux-stable: disable forklift GCS cache (RUSTC_WRAPPER="") that panics without GCP credentials on VPS runners - prepare-bridges-zombienet-artifacts: fix bridges/testing path to pezbridges/testing (rebrand path was not updated in workflow) - build-rustdoc: use CARGO_TARGET_DIR instead of ./target for doc output path (docs generated at /cache/target/doc, not ./target/doc) - build-push-image-*: add workspace permission fix step before checkout to handle root-owned files left by Docker container jobs - All build jobs: increase timeout from 120 to 180 minutes for VPS - Add cargo-deny + cargo-audit security audit workflow (weekly + on PR) - Add deny.toml with license, advisory, and source checks
2026-02-25 19:39:47 +03:00
parent 97bc5a5092
commit c55a371edb
4 changed files with 182 additions and 22 deletions
@@ -0,0 +1,73 @@
+# cargo-deny configuration for Pezkuwi SDK
+# https://embarkstudios.github.io/cargo-deny/
+
+[graph]
+targets = [
+	{ triple = "x86_64-unknown-linux-gnu" },
+	{ triple = "x86_64-unknown-linux-musl" },
+	{ triple = "wasm32-unknown-unknown" },
+]
+# Exclude test/bench-only crates from checks
+exclude = []
+
+# Advisory database - check for known vulnerabilities
+[advisories]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+ignore = [
+	# Add specific advisory IDs to ignore here with justification:
+	# "RUSTSEC-0000-0000", # reason for ignoring
+]
+
+# License compliance
+[licenses]
+unlicensed = "deny"
+copyleft = "warn"
+allow-osi-fsf-free = "either"
+default = "deny"
+confidence-threshold = 0.8
+allow = [
+	"Apache-2.0",
+	"Apache-2.0 WITH LLVM-exception",
+	"MIT",
+	"MIT-0",
+	"BSD-2-Clause",
+	"BSD-3-Clause",
+	"ISC",
+	"Unlicense",
+	"CC0-1.0",
+	"BSL-1.0",
+	"Unicode-3.0",
+	"Unicode-DFS-2016",
+	"Zlib",
+	"MPL-2.0",
+	"OpenSSL",
+	"GPL-3.0-only WITH Classpath-exception-2.0",
+	"GPL-3.0-or-later WITH Classpath-exception-2.0",
+]
+exceptions = [
+	# ring uses a custom ISC-style license
+	{ allow = ["OpenSSL"], name = "ring" },
+]
+
+[licenses.private]
+ignore = true
+
+# Banned crates and duplicate version detection
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+highlight = "simplest-path"
+# Deny specific problematic crates
+deny = []
+skip = []
+skip-tree = []
+
+# Source origin checks
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []