
ci: add cargo-deny for paste crate#9579

Open

dyc3 wants to merge 2 commits into main from dyc3/cargo-deny

Conversation

@dyc3
Contributor

@dyc3 dyc3 commented Mar 21, 2026

Summary

Adds cargo-deny to our ci to prevent pulling in this crate again.

generated by opus 4.6

Test Plan

ci should be green

Docs

@changeset-bot

changeset-bot bot commented Mar 21, 2026

⚠️ No Changeset found

Latest commit: 609f7c6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@dyc3 force-pushed the dyc3/cargo-deny branch from 1e50c04 to dd923cb on March 21, 2026 20:35
@coderabbitai
Contributor

coderabbitai bot commented Mar 21, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 46d6379b-0168-4702-a6e5-c6dec45630b0

📥 Commits

Reviewing files that changed from the base of the PR and between 1a001c9 and 609f7c6.

📒 Files selected for processing (2)
  • .github/workflows/main.yml
  • .github/workflows/pull_request.yml

Walkthrough

Adds a new GitHub Actions job deny (named "Cargo Deny") that runs on depot-ubuntu-24.04-arm. The job is inserted to run after check-dependencies and before test, checks out the code, installs cargo-deny via taiki-e/install-action, and runs cargo deny check bans. The pull_request workflow filter was extended to include deny.toml. A new deny.toml config sets all-features = true, multiple-versions = "allow", and bans the paste crate with use-instead = "pastey".

Possibly related PRs

Suggested reviewers

  • arendjr
🚥 Pre-merge checks: 2 passed
  • Title check: Passed. The title clearly and concisely summarises the main change: adding cargo-deny CI configuration to prevent the paste crate from being pulled in again.
  • Description check: Passed. The description is directly related to the changeset, explaining the motivation (preventing the paste crate) and the test plan, though it's quite brief.


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pull_request.yml:
- Around line 69-78: The pull_request.paths filter currently excludes deny.toml
so the "deny" job (job name: deny) can be skipped; update the pull_request.paths
configuration to include "deny.toml" and ".github/workflows/**" in the paths
list so changes to deny.toml or workflows will trigger the deny job (ensure the
existing exclude/include patterns are adjusted accordingly).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6a76b61e-0f9b-4ce0-9a0a-7fb98e1148d5

📥 Commits

Reviewing files that changed from the base of the PR and between a62487a and dd923cb.

📒 Files selected for processing (3)
  • .github/workflows/main.yml
  • .github/workflows/pull_request.yml
  • deny.toml

@dyc3 force-pushed the dyc3/cargo-deny branch from dd923cb to 0bc11c6 on March 21, 2026 20:44
@dyc3 force-pushed the dyc3/cargo-deny branch from 0bc11c6 to e78c3c0 on March 22, 2026 12:14
@dyc3 force-pushed the dyc3/cargo-deny branch from e78c3c0 to 1a001c9 on March 22, 2026 12:20
Contributor

@coderabbitai coderabbitai bot left a comment


♻️ Duplicate comments (1)
.github/workflows/pull_request.yml (1)

9-17: ⚠️ Potential issue | 🟠 Major

Include workflow file changes in pull_request.paths.

Line 17 adds deny.toml, good catch — but without .github/workflows/**, CI-only edits can still dodge this workflow.

Suggested patch
     paths: # Only run when changes are made to rust code or root Cargo
       - "crates/**"
       - "fuzz/**"
       - "xtask/**"
       - "Cargo.toml"
       - "Cargo.lock"
       - "rust-toolchain.toml"
       - "rustfmt.toml"
       - "deny.toml"
+      - ".github/workflows/**"
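Review bot: the `paths:` comment on the first line of this hunk, `# Only run when changes are made to rust code or root Cargo`, no longer describes the list once `deny.toml` and `.github/workflows/**` are in it; update the comment in the same change, for example `# Only run for Rust code, root Cargo/deny config, or the workflows themselves`. Also note that `.github/workflows/**` is broader than this one file: any workflow edit will now run the full Rust pipeline. That is the safe default given the bypass described above, but it is worth stating in the PR description so nobody later narrows the glob back to `pull_request.yml` alone.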
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull_request.yml around lines 9 - 17, The pull_request
workflow's paths list (pull_request.paths) omits workflow files so changes to CI
YAML can bypass the job; update the paths array to include the workflow
directory pattern ".github/workflows/**" (in addition to the existing entries
like "deny.toml") so edits to workflow files will trigger the pull_request
workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7ce2126f-9805-43d3-89d6-cb7b5ea64928

📥 Commits

Reviewing files that changed from the base of the PR and between e78c3c0 and 1a001c9.

📒 Files selected for processing (3)
  • .github/workflows/main.yml
  • .github/workflows/pull_request.yml
  • deny.toml
✅ Files skipped from review due to trivial changes (1)
  • deny.toml

@dyc3
Contributor Author

dyc3 commented Mar 22, 2026

It appears that boa uses paste

cargo tree -i paste
paste v1.0.15 (proc-macro)
├── boa_engine v0.21.0
│   └── biome_js_runtime v0.0.1 (/home/carson/Documents/code/other/biome/crates/biome_js_runtime)
└── boa_string v0.21.0
    ├── boa_ast v0.21.0
    │   ├── boa_engine v0.21.0 (*)
    │   └── boa_parser v0.21.0
    │       └── boa_engine v0.21.0 (*)
    ├── boa_engine v0.21.0 (*)
    └── boa_gc v0.21.0
        ├── boa_engine v0.21.0 (*)
        └── boa_interner v0.21.0
            ├── boa_ast v0.21.0 (*)
            ├── boa_engine v0.21.0 (*)
            └── boa_parser v0.21.0 (*)

@ematipico
Member

Maybe it's too soon to add deny for paste, unless it's possible to configure deny to check only our direct dependencies.

@dyc3
Contributor Author

dyc3 commented Mar 22, 2026

Yeah, seems to be an open issue for cargo-deny EmbarkStudios/cargo-deny#662

Went ahead and made this PR anyway: boa-dev/boa#5223

3 participants