Enable cargo-vet (#4444)

* Initialize cargo-vet on wasmtime.

* Add cargo-vet to CI.

* Add README.

.github/workflows/main.yml

@@ -45,6 +45,25 @@ jobs:
         echo `pwd` >> $GITHUB_PATH
     - run: cargo deny check bans licenses
 
+  # Ensure dependencies are vetted. See https://mozilla.github.io/cargo-vet/
+  cargo_vet:
+    name: Cargo vet
+    runs-on: ubuntu-latest
+    env:
+      CARGO_VET_VERSION: 0.2.0
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        submodules: true
+    - uses: ./.github/actions/install-rust
+    - uses: actions/cache@v2
+      with:
+        path: ${{ runner.tool_cache }}/cargo-vet
+        key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }}
+    - run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
+    - run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet
+    - run: cargo vet --locked
+
   doc:
     name: Doc build
     runs-on: ubuntu-latest

supply-chain/README

@@ -0,0 +1,7 @@
+This directory contains the state for cargo-vet, a tool to help projects ensure
+that third-party Rust dependencies have been audited by a trusted entity.
+
+More about the tool can be found here: https://mozilla.github.io/cargo-vet/
+
+The audits.toml file may be imported by other projects, and therefore should be
+handled with care. Ask for help if you're not sure.

supply-chain/audits.toml

@@ -0,0 +1,5 @@
+
+# cargo-vet audits file
+
+[audits]
+

supply-chain/imports.lock

@@ -0,0 +1,5 @@
+
+# cargo-vet imports lock
+
+[audits]
+