Enable cargo-vet (#4444)

* Initialize cargo-vet on wasmtime. * Add cargo-vet to CI. * Add README.
2022-07-25 13:21:14 -07:00
parent 3ef89b7787
commit 89f9de7cc3
5 changed files with 1333 additions and 0 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -45,6 +45,25 @@ jobs:
        echo `pwd` >> $GITHUB_PATH
    - run: cargo deny check bans licenses

+  # Ensure dependencies are vetted. See https://mozilla.github.io/cargo-vet/
+  cargo_vet:
+    name: Cargo vet
+    runs-on: ubuntu-latest
+    env:
+      CARGO_VET_VERSION: 0.2.0
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        submodules: true
+    - uses: ./.github/actions/install-rust
+    - uses: actions/cache@v2
+      with:
+        path: ${{ runner.tool_cache }}/cargo-vet
+        key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }}
+    - run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
+    - run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet
+    - run: cargo vet --locked
+
  doc:
    name: Doc build
    runs-on: ubuntu-latest
--- a/supply-chain/README
+++ b/supply-chain/README
@@ -0,0 +1,7 @@
+This directory contains the state for cargo-vet, a tool to help projects ensure
+that third-party Rust dependencies have been audited by a trusted entity.
+
+More about the tool can be found here: https://mozilla.github.io/cargo-vet/
+
+The audits.toml file may be imported by other projects, and therefore should be
+handled with care. Ask for help if you're not sure.
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -0,0 +1,5 @@
+
+# cargo-vet audits file
+
+[audits]
+
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -0,0 +1,5 @@
+
+# cargo-vet imports lock
+
+[audits]
+