From 5cce6073a31df475ed98b0a816e07073a7c0611a Mon Sep 17 00:00:00 2001
From: satyakwok
Date: Wed, 13 May 2026 17:47:39 +0200
Subject: [PATCH] chore: add cargo-deny + dependency-review + commitlint workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirrors the supply-chain hygiene already running on sentrix-labs/sentrix. sentrix-grpc-wasm publishes to crates.io and ships as a WASM bundle for browser dApps — license + vuln gating on the dep tree matters because every release is a public artifact.

deny.toml: license allowlist + advisory yank-block + wildcard warning.
cargo-deny.yml: runs `cargo deny check` on PR + push to main.
dependency-review.yml: pre-merge diff-only gate; license list mirrors deny.toml.
commitlint.yml + .commitlintrc.json: Conventional Commits enforce.

cargo-audit is intentionally NOT added — `cargo deny check` already scans the RustSec advisory DB through deny.toml [advisories].
---
 .commitlintrc.json | 12 ++++++++
 .github/workflows/cargo-deny.yml | 26 ++++++++++++++++
 .github/workflows/commitlint.yml | 22 +++++++++++++
 .github/workflows/dependency-review.yml | 30 ++++++++++++++++++
 deny.toml | 41 +++++++++++++++++++++++++
 5 files changed, 131 insertions(+)
 create mode 100644 .commitlintrc.json
 create mode 100644 .github/workflows/cargo-deny.yml
 create mode 100644 .github/workflows/commitlint.yml
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 deny.toml

diff --git a/.commitlintrc.json b/.commitlintrc.json
new file mode 100644
index 0000000..e912347
--- /dev/null
+++ b/.commitlintrc.json
@@ -0,0 +1,12 @@
+{
+  "extends": ["@commitlint/config-conventional"],
+  "rules": {
+    "header-max-length": [2, "always", 100],
+    "body-max-line-length": [0, "always"],
+    "footer-max-line-length": [0, "always"],
+    "type-enum": [2, "always", [
+      "build", "chore", "ci", "docs", "feat", "fix",
+      "perf", "refactor", "revert", "style", "test"
+    ]]
+  }
+}
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
new file mode 100644
index 0000000..44672ea
--- /dev/null
+++ b/.github/workflows/cargo-deny.yml
@@ -0,0 +1,26 @@
+name: cargo-deny
+
+# License + advisory + ban policy enforcement via deny.toml. Runs on PR
+# + push to main + manual dispatch. Mirrors the cargo-deny gate already
+# running on the chain repo (sentrix-labs/sentrix).
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  cargo-deny:
+    name: cargo-deny (licenses + advisories + bans)
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      - uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2
+        with:
+          command: check
+          arguments: --all-features
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
new file mode 100644
index 0000000..630cda2
--- /dev/null
+++ b/.github/workflows/commitlint.yml
@@ -0,0 +1,22 @@
+name: commitlint
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  commitlint:
+    name: commitlint
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          fetch-depth: 0
+
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
+        with:
+          configFile: .commitlintrc.json
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..1681cec
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
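Review bot: The `on:` block fires only on pull_request, push to main and workflow_dispatch, so a RustSec advisory published against a dependency that is already in the lockfile goes unnoticed until the next code change lands — the advisory gate is only as fresh as the last commit. Add a scheduled run alongside the existing triggers, `schedule:` / `  - cron: "0 6 * * *"`, so the check also covers idle periods; `contents: read` is sufficient for it. `arguments: --all-features` duplicates `[graph] all-features = true` in the deny.toml hunk of this same patch; harmless, but keeping one of the two means the CLI and the config cannot drift apart. The read-only permission block and the SHA-pinned actions are the right shape for a public-artifact repo.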
@@ -0,0 +1,30 @@
+name: Dependency review
+
+# Runs GitHub's dependency-review-action on PRs. Diffs the lockfile
+# changes vs the base branch and BLOCKS merge if newly-introduced
+# dependencies have HIGH-severity vulnerabilities OR licenses outside
+# our allowlist. Complements cargo-deny (full-tree post-merge gate)
+# with a pre-merge diff-only gate.
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    name: Dependency review
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
+        with:
+          fail-on-severity: high
+          # Mirror deny.toml [licenses].allow.
+          allow-licenses: MIT, Apache-2.0, Apache-2.0 WITH LLVM-exception, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, Unicode-DFS-2016, Unicode-3.0, CC0-1.0, Zlib, 0BSD, BUSL-1.1, CDLA-Permissive-2.0
+          allow-dependencies-licenses: pkg:githubactions/Swatinem/rust-cache
+          comment-summary-in-pr: on-failure
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..dd3e549
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,41 @@
+# cargo-deny configuration. Loaded by .github/workflows/cargo-deny.yml.
+# See https://embarkstudios.github.io/cargo-deny/
+
+[graph]
+all-features = true
+
+[advisories]
+yanked = "deny"
+ignore = []
+
+[licenses]
+unused-allowed-license = "allow"
+confidence-threshold = 0.8
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "MPL-2.0",
+    "Unicode-DFS-2016",
+    "Unicode-3.0",
+    "CC0-1.0",
+    "Zlib",
+    "0BSD",
+    "BUSL-1.1",
+    # webpki-roots v1.x: CDLA-Permissive-2.0 (transitive via reqwest -> rustls).
+    "CDLA-Permissive-2.0",
+]
+
+[bans]
+multiple-versions = "warn"
+wildcards = "warn"
+allow-wildcard-paths = true
+highlight = "all"
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-git = []
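Review bot: `allow-dependencies-licenses: pkg:githubactions/Swatinem/rust-cache` exempts an action that no workflow in this patch uses — cargo-deny.yml runs only actions/checkout and cargo-deny-action, and the other two workflows likewise — so the exemption is either carried over from the sibling repo or anticipating a step not added here; drop it, or annotate it with `# Not used yet; kept in sync with sentrix-labs/sentrix for a future rust-cache step.` so it is not mistaken for a live allowance. The header comment calls cargo-deny a "full-tree post-merge gate", but cargo-deny.yml in this same patch also triggers on pull_request to main, so both checks run pre-merge; `# Complements cargo-deny (full-tree gate on the same PR)` would be accurate. `fail-on-severity: high` lets low/moderate advisories through this gate while cargo-deny fails on any RustSec advisory regardless of severity — acceptable for a diff-only check, but a one-line comment stating that cargo-deny is the strict one would stop the two thresholds from reading as contradictory.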
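Review bot: `"BUSL-1.1"` sits in the global `[licenses].allow` list, so any crate under the Business Source License — source-available, not an OSI open-source license — is accepted anywhere in the tree of a crate that is itself published to crates.io and shipped to browsers; the CDLA entry directly below it is annotated with the dependency that needs it, this one is not. If it is there for one specific dependency, scope it with an exceptions entry instead, `[[licenses.exceptions]]` / `allow = ["BUSL-1.1"]` / `crate = "<the crate>"`, so a second BUSL crate still trips the gate, and at minimum add a comment naming the crate as the CDLA line does. Separately, neither `[advisories]` nor `[licenses]` sets `version = 2`; on cargo-deny releases that carry the v2 schema the legacy defaults treat unmaintained/unsound advisories as warnings rather than errors, which is weaker than the commit message's "yank-block" wording suggests — confirm against the cargo-deny-action pin in the workflow and add `version = 2` if that is the intended strict behavior.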