Merged
12 changes: 12 additions & 0 deletions .commitlintrc.json
@@ -0,0 +1,12 @@
{
"extends": ["@commitlint/config-conventional"],
"rules": {
"header-max-length": [2, "always", 100],
"body-max-line-length": [0, "always"],
"footer-max-line-length": [0, "always"],
"type-enum": [2, "always", [
"build", "chore", "ci", "docs", "feat", "fix",
"perf", "refactor", "revert", "style", "test"
]]
}
}
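Review bot: `body-max-line-length` and `footer-max-line-length` at level 0 (lines 5-6 of the file) switch those rules off entirely rather than raising the limit, so a commit body of any width passes; if that is the intent (for example to accommodate long generated dependency-update bodies), say so in the PR description, since JSON cannot carry a comment. `header-max-length` at level 2 with a 100-column limit is explicit and fine.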
26 changes: 26 additions & 0 deletions .github/workflows/cargo-deny.yml
@@ -0,0 +1,26 @@
name: cargo-deny

# License + advisory + ban policy enforcement via deny.toml. Runs on PR
# + push to main + manual dispatch. Mirrors the cargo-deny gate already
# running on the chain repo (sentrix-labs/sentrix).

on:
pull_request:
branches: [main]
push:
branches: [main]
workflow_dispatch:

permissions:
contents: read

jobs:
cargo-deny:
name: cargo-deny (licenses + advisories + bans)
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2
with:
command: check
arguments: --all-features
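Review bot: `arguments: --all-features` (line 66) duplicates `[graph] all-features = true` in the deny.toml added by this same PR, and the workflow's own header says deny.toml is the policy source; keep the setting in one place so the two cannot drift. Consider adding `timeout-minutes` to the job, since `cargo deny check` fetches the advisory database on every run and a hung fetch would otherwise consume the default job timeout.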
22 changes: 22 additions & 0 deletions .github/workflows/commitlint.yml
@@ -0,0 +1,22 @@
name: commitlint

on:
pull_request:
branches: [main]

permissions:
contents: read
pull-requests: read

jobs:
commitlint:
name: commitlint
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

@coderabbitai coderabbitai Bot May 13, 2026


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the pinned SHAs correspond to the claimed versions

echo "Checking actions/checkout v5..."
gh api /repos/actions/checkout/git/refs/tags/v5 --jq '{tag: "v5", sha: .object.sha}'

echo "Checking wagoid/commitlint-github-action v6..."
gh api /repos/wagoid/commitlint-github-action/git/refs/tags/v6 --jq '{tag: "v6", sha: .object.sha}'

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 277


🏁 Script executed:

cat -n .github/workflows/commitlint.yml | sed -n '14,22p'

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 438


Update wagoid/commitlint-github-action SHA to match v6 tag.

The pinned SHA for wagoid/commitlint-github-action does not correspond to the v6 release. The v6 tag points to f133a0d95090ef2609192b4a21f54e20af819ea9, but line 20 uses b948419dd99f3fd78a6548d48f94e3df7f6bf3ed. Update to the correct SHA or remove the pinning to use the tag directly. The actions/checkout v5 SHA on line 16 is correctly pinned.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/commitlint.yml at line 16, The commitlint action SHA is
pinned to the wrong commit for the v6 tag; update the
wagoid/commitlint-github-action reference (the uses line for that action) to the
correct SHA f133a0d95090ef2609192b4a21f54e20af819ea9 or remove the explicit SHA
and use the v6 tag directly (e.g., wagoid/commitlint-github-action@v6); leave
the actions/checkout v5 pin as-is since it is correct.

Member Author


Skip — finding incorrect. The pinned SHA b948419dd99f3fd78a6548d48f94e3df7f6bf3ed IS the right value for v6. Verified:

$ gh api /repos/wagoid/commitlint-github-action/git/refs/tags/v6
{"object":{"sha":"f133a0d95090ef2609192b4a21f54e20af819ea9","type":"tag"}}

$ gh api /repos/wagoid/commitlint-github-action/tags --jq '.[] | select(.name=="v6") | .commit.sha'
b948419dd99f3fd78a6548d48f94e3df7f6bf3ed

f133a0d95... is the annotated tag object's SHA (a wrapper that holds the tagger metadata). b948419dd... is the commit the tag points to — that's what GitHub Actions resolves to when you reference the action. SHA-pinning Actions uses the commit SHA, not the tag-object SHA. Our pin is correct.



@satyakwok, you're absolutely right — I apologize for the incorrect finding. I queried git/refs/tags/v6 which returns the annotated tag object SHA (f133a0d95...), not the underlying commit SHA. For annotated tags, GitHub Actions resolves the commit SHA (b948419dd...), which is what gh api /repos/<owner>/<repo>/tags --jq '.[] | select(.name=="<tag>") | .commit.sha' returns. Your pin is correct.

Thank you for the detailed explanation — adding this as a learning to avoid the same mistake in future reviews.

  (\_/)
  (•ᴗ•)
 /     \   I'll remember this!

✏️ Learnings added
Learnt from: satyakwok
Repo: Sentriscloud/sentrix-grpc-wasm PR: 16
File: .github/workflows/commitlint.yml:16-16
Timestamp: 2026-05-13T17:32:01.876Z
Learning: When verifying SHA-pinned GitHub Actions (e.g., `uses: wagoid/commitlint-github-action@<sha>`), the correct SHA to use is the **commit SHA** that the tag points to, NOT the annotated tag object SHA. These differ for annotated tags:
- `gh api /repos/<owner>/<repo>/git/refs/tags/<tag>` returns the tag-object SHA (wrong for pinning).
- `gh api /repos/<owner>/<repo>/tags --jq '.[] | select(.name=="<tag>") | .commit.sha'` returns the commit SHA (correct for pinning).
GitHub Actions resolves the commit SHA at runtime, so the pin must match the commit SHA.


with:
fetch-depth: 0

- uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
with:
configFile: .commitlintrc.json
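The tag-object versus commit-SHA distinction worked through in the thread above, as an added example that is not code from this PR or the Sentriscloud project. It parses `uses:` lines from workflow text, reads `git ls-remote --tags` output, prefers the peeled `^{}` ref (the commit an annotated tag points to) over the bare tag-object ref, and flags a pin that was written with the tag-object SHA. The `ls-remote` output is constructed here: the two v6 SHAs are the ones quoted in the thread, the lightweight `v5` entry and the third workflow step are made up for the demonstration. Everything runs offline; in real use you would feed it the output of `git ls-remote --tags https://github.com/<owner>/<repo>`.

```python
"""Verify SHA-pinned `uses:` references against the tags they claim to track.

Added example (not code from the PR or the Sentriscloud project). For an
annotated tag, `git ls-remote --tags` lists the tag object under
`refs/tags/<tag>` and the commit it points to under the peeled ref
`refs/tags/<tag>^{}`; an action pin must equal the peeled commit SHA.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Matches `uses: owner/repo@<ref>  # <version>` in a workflow file.
USES_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


@dataclass(frozen=True)
class Pin:
    action: str
    ref: str                  # whatever follows the '@'
    comment: Optional[str]    # version tag recorded in the trailing comment


def parse_pins(workflow_text: str) -> list[Pin]:
    """Extract every action reference from workflow YAML text."""
    return [Pin(m["action"], m["ref"], m["comment"]) for m in USES_RE.finditer(workflow_text)]


def peeled_tags(ls_remote_output: str) -> dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    The `^{}` (peeled) line is the commit and wins. The bare line is the tag
    object for an annotated tag, or already the commit for a lightweight tag.
    """
    commits: dict[str, str] = {}
    bare: dict[str, str] = {}
    for line in ls_remote_output.strip().splitlines():
        sha, ref = line.split()
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            commits[name[:-3]] = sha
        else:
            bare[name] = sha
    for name, sha in bare.items():
        commits.setdefault(name, sha)  # lightweight tag: no peeled line exists
    return commits


def check_pin(pin: Pin, tags: dict[str, str]) -> str:
    """Classify one pin: ok, not-sha-pinned, missing-version-comment, unknown-tag, sha-mismatch."""
    if not FULL_SHA_RE.fullmatch(pin.ref):
        return "not-sha-pinned"
    if pin.comment is None:
        return "missing-version-comment"
    expected = tags.get(pin.comment)
    if expected is None:
        return "unknown-tag"
    return "ok" if expected == pin.ref else "sha-mismatch"


def audit(workflow_text: str, tags_by_action: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (action@ref, verdict) for each `uses:` line."""
    results = []
    for pin in parse_pins(workflow_text):
        tags = tags_by_action.get(pin.action)
        verdict = "unknown-action" if tags is None else check_pin(pin, tags)
        results.append((f"{pin.action}@{pin.ref}", verdict))
    return results


# Constructed `git ls-remote --tags` output. The two v6 SHAs are those quoted
# in the review thread; the layout (tag object + peeled commit) is how git
# prints an annotated tag. The v5 entry is a constructed lightweight tag.
COMMITLINT_LS_REMOTE = """
f133a0d95090ef2609192b4a21f54e20af819ea9\trefs/tags/v6
b948419dd99f3fd78a6548d48f94e3df7f6bf3ed\trefs/tags/v6^{}
"""
CHECKOUT_LS_REMOTE = """
93cb6efe18208431cddfb8368fd83d5badbf9bfd\trefs/tags/v5
"""
TAGS_BY_ACTION = {
    "wagoid/commitlint-github-action": peeled_tags(COMMITLINT_LS_REMOTE),
    "actions/checkout": peeled_tags(CHECKOUT_LS_REMOTE),
}

# The two step lines from the workflow in this PR, plus a constructed third
# step pinned to the tag-object SHA instead of the commit SHA.
SAMPLE_WORKFLOW = """
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
      - uses: wagoid/commitlint-github-action@f133a0d95090ef2609192b4a21f54e20af819ea9 # v6
"""

if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE_WORKFLOW, TAGS_BY_ACTION):
        print(f"{verdict:24} {ref}")
```

The first two pins come back `ok`; the constructed third one comes back `sha-mismatch`, which is the outcome the original review finding would have produced had its suggested SHA been applied. Querying `/git/refs/tags/<tag>` gives the bare ref only, which is why the peeled ref or the `/tags` endpoint's `commit.sha` is the value to compare against.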
30 changes: 30 additions & 0 deletions .github/workflows/dependency-review.yml
@@ -0,0 +1,30 @@
name: Dependency review

# Runs GitHub's dependency-review-action on PRs. Diffs the lockfile
# changes vs the base branch and BLOCKS merge if newly-introduced
# dependencies have HIGH-severity vulnerabilities OR licenses outside
# our allowlist. Complements cargo-deny (full-tree post-merge gate)
# with a pre-merge diff-only gate.

on:
pull_request:
branches: [main]

permissions:
contents: read
pull-requests: write

jobs:
dependency-review:
name: Dependency review
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

- uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
with:
fail-on-severity: high
# Mirror deny.toml [licenses].allow.
allow-licenses: MIT, Apache-2.0, Apache-2.0 WITH LLVM-exception, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, Unicode-DFS-2016, Unicode-3.0, CC0-1.0, Zlib, 0BSD, BUSL-1.1, CDLA-Permissive-2.0
allow-dependencies-licenses: pkg:githubactions/Swatinem/rust-cache
comment-summary-in-pr: on-failure
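Review bot: the header comment (lines 195-199) calls cargo-deny a "full-tree post-merge gate", but cargo-deny.yml in this same PR also triggers on `pull_request`, so both gates run before merge; reword to "full-tree gate" so the comment does not misdescribe the pipeline. Separately, `allow-licenses` (line 220) is a hand-copied duplicate of the deny.toml `[licenses].allow` list, and the "Mirror deny.toml" comment is the only thing keeping the two in sync; a small CI step that parses both and fails on a difference would catch the drift that will otherwise appear the first time one list is edited. The `pull-requests: write` permission is needed for `comment-summary-in-pr`, so that grant is justified.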
41 changes: 41 additions & 0 deletions deny.toml
@@ -0,0 +1,41 @@
# cargo-deny configuration. Loaded by .github/workflows/cargo-deny.yml.
# See https://embarkstudios.github.io/cargo-deny/

[graph]
all-features = true

[advisories]
yanked = "deny"
ignore = []

[licenses]
unused-allowed-license = "allow"
confidence-threshold = 0.8
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"MPL-2.0",
"Unicode-DFS-2016",
"Unicode-3.0",
"CC0-1.0",
"Zlib",
"0BSD",
"BUSL-1.1",
# webpki-roots v1.x: CDLA-Permissive-2.0 (transitive via reqwest -> rustls).
"CDLA-Permissive-2.0",
]
Comment on lines +27 to +30

@coderabbitai coderabbitai Bot May 13, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

find . -name "deny.toml" -type f

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 86


🏁 Script executed:

cat -n deny.toml

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 1150


🏁 Script executed:

rg "BUSL-1.1|exception" deny.toml

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 128


🌐 Web query:

cargo-deny license exceptions configuration

💡 Result:

License exceptions in cargo-deny are configured in the [licenses] section of deny.toml (or cargo-deny.toml) to allow specific licenses for particular crates without globally permitting them everywhere [1][2]. This prevents implicit allowance of licenses in future dependencies. The exceptions field is an array of tables, each specifying: - crate: the crate name (required) - version: optional version constraint (e.g., "=0.1.1") - allow: array of SPDX license identifiers (e.g., ["Zlib"]) [1] Example: [licenses] allow = ["Apache-2.0", "MIT"] exceptions = [ { crate = "cloudabi", allow = ["BSD-2-Clause"] }, { name = "adler32", version = "0.1.1", allow = ["Zlib"] }, ] Here, BSD-2-Clause is only allowed for the cloudabi crate, and Zlib only for adler32 v0.1.1 [1][3]. Alternative table syntax: [[licenses.exceptions]] name = "adler32" version = "0.1.1" allow = ["Zlib"] Uses PackageSpecs for selection [1]. Project-local exceptions can be in separate files like deny.exceptions.toml,.deny.exceptions.toml, or.cargo/deny.exceptions.toml, containing only exceptions = [...] [1]. Recent addition (v0.18.6, Nov 2025): unused-license-exception option warns about unused exceptions, similar to unused-allowed-license [4]. Official docs: https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html [1].


🏁 Script executed:

fd Cargo.lock && cat Cargo.lock | grep -A 5 -B 5 "BUSL\|Business"

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 85


🏁 Script executed:

git ls-files | head -20

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 516


🏁 Script executed:

cat Cargo.lock | head -100

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 3000


🏁 Script executed:

rg "license.*BUSL\|BUSL.*license" --type json --type yaml --type toml

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 56


🏁 Script executed:

grep -i "busl" Cargo.lock

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 56


🏁 Script executed:

grep -i "busl" Cargo.toml

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 56


🏁 Script executed:

git log --oneline -- deny.toml | head -20

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 147


🏁 Script executed:

git show HEAD:deny.toml | grep -A 2 -B 2 "BUSL"

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 222


🏁 Script executed:

git show 5cce607:deny.toml | head -40

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 848


Move BUSL-1.1 to a package exception instead of the global allow list.

Line 27 globally allows BUSL-1.1 without any package reference, despite it not being in the current dependency tree. Business Source License is restrictive, not permissive, and should only be allowed for specific packages when required. Adding restrictive licenses to the global list risks accepting them in future dependencies without explicit review. Use the exceptions mechanism to scope it to a specific crate when needed:

[[licenses.exceptions]]
name = "crate-name"
allow = ["BUSL-1.1"]

Note: CDLA-Permissive-2.0 (line 29) has a similar issue—it's tied to webpki-roots v1.x in the comment but globally allowed; consider moving it to an exception as well for consistency.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deny.toml` around lines 27 - 30, Remove "BUSL-1.1" from the global allow list
and instead create a scoped exception under licenses.exceptions that names the
specific crate that requires BUSL-1.1 (e.g., add a [[licenses.exceptions]] block
with name = "crate-name" and allow = ["BUSL-1.1"]); likewise, move
"CDLA-Permissive-2.0" out of the global list and add an exceptions entry tied to
"webpki-roots" (or the exact crate/version) so these restrictive licenses are
only permitted for the specific packages rather than globally.

Member Author


Skip — same forward-compat reasoning as sister comments on sdk-rs#22 + sentrix-explorer-v2#31. Sentrix Chain workspace crates are all BUSL-1.1; sentrix-grpc-wasm consumes sentrix-proto from crates.io which IS BUSL-1.1. Per-crate exceptions would be cleaner but the maintenance overhead (one entry per BUSL crate, each needing version-pin) outweighs the precision. Re-evaluate at 1.0 stabilisation.



@satyakwok, understood — if sentrix-proto itself is BUSL-1.1 and the broader Sentrix Chain workspace crates share that license, a global allow avoids an ever-growing per-version exceptions list. The maintenance trade-off makes sense for this stage of the project.

( ˘•ω•˘ ) 🐇


✏️ Learnings added
Learnt from: satyakwok
Repo: Sentriscloud/sentrix-grpc-wasm PR: 16
File: deny.toml:27-30
Timestamp: 2026-05-13T17:31:55.922Z
Learning: In the sentrix-grpc-wasm repository (deny.toml), BUSL-1.1 is intentionally kept in the global `[licenses] allow` list (not scoped to per-crate exceptions) because sentrix-proto (consumed from crates.io) is itself BUSL-1.1 licensed and Sentrix Chain workspace crates are all BUSL-1.1. Per-crate exceptions were deemed too high maintenance (one entry + version pin per crate). Plan to re-evaluate at 1.0 stabilisation. Same reasoning applied to sister PRs sdk-rs#22 and sentrix-explorer-v2#31.



[bans]
multiple-versions = "warn"
wildcards = "warn"
allow-wildcard-paths = true
highlight = "all"

[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-git = []
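Review bot: `unused-allowed-license = "allow"` (line 237) suppresses any report about entries in `allow` that no crate in the graph currently uses. That is consistent with the decision in the thread above to keep BUSL-1.1 globally allowed for forward compatibility, but it also hides every other stale entry, for example CDLA-Permissive-2.0 (lines 253-254) if webpki-roots changes its licence or drops out of the tree. Setting it to `"warn"` keeps the build green while making drift visible in the log, so the allow list is revisited at the 1.0 re-evaluation the author mentions. `yanked = "deny"` and the `unknown-registry`/`unknown-git` denies under `[sources]` are the right defaults for a supply-chain gate.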