
ci(deny): add cargo-deny dependency audit workflow#61

Merged
panos-xyz merged 6 commits into main from panos/ci-improvements
Mar 31, 2026

Conversation

Contributor

@panos-xyz panos-xyz commented Mar 26, 2026

Summary

  • Add deny.toml and .github/workflows/deny.yml to run cargo deny check all on Cargo.lock changes
  • Checks: security advisories, license compliance, banned crates, trusted git sources
  • Upgrades transitive deps to fix known vulnerabilities:
    • tar 0.4.44 → 0.4.45 (RUSTSEC-2026-0067, RUSTSEC-2026-0068)
    • rustls-webpki 0.103.9 → 0.103.10 (RUSTSEC-2026-0049)
    • tracing-subscriber 0.3.22 → 0.3.23
  • lru 0.12.x (RUSTSEC-2026-0002) ignored — pinned by reth fork, fix requires semver-incompatible 0.16.3

Test plan

  • cargo deny check all passes locally (advisories ok, bans ok, licenses ok, sources ok)
  • CI workflow triggers correctly on Cargo.lock changes

Summary by CodeRabbit

  • Chores
    • Added automated dependency security and license compliance checks to CI that run on relevant changes and PRs.
    • Checks warn on known issues (yanked crates, provenance) and enforce approved licenses while allowing specified exceptions and trusted external sources.

Add `deny.toml` and `.github/workflows/deny.yml` to run `cargo deny
check all` on Cargo.lock changes. This checks for known security
advisories, license compliance, banned crates, and trusted git sources.

Also upgrades transitive dependencies to fix known vulnerabilities:
- tar 0.4.44 → 0.4.45 (RUSTSEC-2026-0067, RUSTSEC-2026-0068)
- rustls-webpki 0.103.9 → 0.103.10 (RUSTSEC-2026-0049)
- tracing-subscriber 0.3.22 → 0.3.23

lru 0.12.x (RUSTSEC-2026-0002) is ignored — pinned by reth fork,
fix requires semver-incompatible 0.16.3.

coderabbitai bot commented Mar 26, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock

📝 Walkthrough

Walkthrough

Adds cargo-deny configuration and a GitHub Actions workflow to run cargo-deny check all on pushes to main and on PRs that change Cargo.lock or deny.toml, with rules for advisories, bans, licenses, and source verification.

Changes

Workflow (.github/workflows/deny.yml): New GitHub Actions workflow Deny that runs EmbarkStudios/cargo-deny-action@v2 (cargo-deny check all) on push to main and on pull_request when Cargo.lock or deny.toml change; uses ubuntu-latest, actions/checkout@v4, and permissions: contents: read.

cargo-deny config (deny.toml): New deny.toml enabling advisories, bans, license, and source checks: warns on yanked crates, ignores specific RustSec IDs, warns on multi-version bans, SPDX license checks (v2, 0.8 confidence) with an allowlist and clarifications for ring and rustls-webpki, denies unknown git sources and allows two explicit GitHub git sources.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
Title check: Passed. The PR title 'ci(deny): add cargo-deny dependency audit workflow' directly and clearly describes the main change: adding a cargo-deny workflow for dependency auditing.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/deny.yml (1)

6-8: Also trigger deny checks when policy changes.

Current path filters only watch Cargo.lock. If deny.toml changes alone, CI won’t validate the new policy.

Suggested patch
   push:
     branches: [main]
-    paths: [Cargo.lock]
+    paths: [Cargo.lock, deny.toml]
   pull_request:
-    paths: [Cargo.lock]
+    paths: [Cargo.lock, deny.toml]
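Review bot: Even with deny.toml added, the only triggers in this hunk are `push` and `pull_request` filtered by `paths`, so a RustSec advisory published after the last Cargo.lock change goes unnoticed until someone next touches the lock file or the policy, and an edit to `.github/workflows/deny.yml` itself is not exercised either. Add a `schedule:` cron trigger (plus `workflow_dispatch:` for manual runs) next to these two, and include the workflow file in both `paths` lists. Note also that if `Deny` is made a required status check, PRs that touch none of the filtered paths will wait on a check that never runs, so either keep it advisory or drop the path filters.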
deny.toml (1)

6-14: Add GitHub issue links and review dates to tracked RustSec advisories.

The three ignored advisories are well-rationalized but lack tracking metadata. While two (paste, bincode) are permanently unmaintained and one (lru) requires a semver-incompatible upgrade, adding linked issues and review dates would help track when these suppressions should be revisited. Use the existing GitHub Issues process documented in CONTRIBUTING.md to track remediation paths for each.

In `@deny.toml`:
- Around line 62-65: The clarify entry for the dependency "ring"
(licenses.clarify with name "ring" and expression "LicenseRef-ring") will fail
cargo-deny because "LicenseRef-ring" isn't present in the allow list; add
"LicenseRef-ring" to the existing allow list (the table that contains the
allowed license identifiers) or change the clarify expression to a license
already allowlisted (similar to the rustls-webpki pattern), ensuring the allow
list and the clarify.name "ring" / clarify.expression "LicenseRef-ring" are
consistent so cargo deny check licenses succeeds.


📥 Commits

Reviewing files that changed from the base of the PR and between b2275d4 and b76396a.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • .github/workflows/deny.yml
  • deny.toml

Comment on lines +19 to +22
uses: actions/checkout@v4

- name: Run cargo-deny
uses: EmbarkStudios/cargo-deny-action@v2

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all workflow actions are SHA-pinned (40 hex chars)
rg -n 'uses:\s*[^@]+@([0-9a-f]{40})$' .github/workflows/deny.yml
rg -n 'uses:\s*[^@]+@' .github/workflows/deny.yml
# Expected: every `uses:` line should appear in the first command's output.

Repository: morph-l2/morph-reth



Pin GitHub Actions to immutable commit SHAs.

Lines 19 and 22 pin actions to mutable tags (@v4, @v2). This weakens supply-chain security; pin to full 40-character commit SHAs instead.

Suggested patch
        uses: actions/checkout@v4
+        uses: actions/checkout@<full_commit_sha>

      - name: Run cargo-deny
-        uses: EmbarkStudios/cargo-deny-action@v2
+        uses: EmbarkStudios/cargo-deny-action@<full_commit_sha>
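Review bot: The first change in this hunk leaves `uses: actions/checkout@v4` as an unchanged context line and adds a second `uses:` beneath it, so applied verbatim it would give the checkout step two `uses` keys (a duplicate-key YAML error) instead of replacing the tag; that line needs the `-` prefix the cargo-deny-action line below it has. The `<full_commit_sha>` placeholders must also be resolved to the commit each release tag currently points at before this is committed, and the tag is worth keeping as a trailing comment (`uses: actions/checkout@<sha> # v4`) so Dependabot or Renovate can still recognise the version and propose bumps.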
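A small check for the pinning finding above, as an added example written for this discussion and not code from the morph-reth repository: it scans a workflow for `uses:` references whose ref is not a 40-hex commit SHA, and separately for SHA pins that lack the trailing version comment Dependabot and Renovate rely on. The `SAMPLE_WORKFLOW` is constructed from the steps quoted in the review; the 40-hex SHA in it is a made-up placeholder, not a real commit.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full
commit SHA (hypothetical helper written for this PR discussion, not part of
morph-reth). A mutable tag such as @v4 can later be moved to point at
different code; a 40-hex commit SHA cannot."""
import re

# Constructed workflow text modelled on the steps quoted in the review;
# the 40-hex SHA below is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: Deny
on:
  push:
    branches: [main]
    paths: [Cargo.lock, deny.toml]
  pull_request:
    paths: [Cargo.lock, deny.toml]
permissions:
  contents: read
jobs:
  deny:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run cargo-deny
        uses: EmbarkStudios/cargo-deny-action@v2
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
"""

# `uses: <owner>/<repo>[/<path>]@<ref>` optionally followed by `# <comment>`
_USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>\S+))?\s*$"
)
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text: str):
    """Yield (line_no, ref, trailing_comment) for every `uses:` line."""
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = _USES_RE.match(line)
        if m:
            yield line_no, m.group("ref"), m.group("comment")


def _revision(ref: str) -> str:
    """The part after '@' (empty when the ref has no revision at all)."""
    return ref.partition("@")[2]


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Refs whose revision is not a full commit SHA. Local (./...) and
    docker:// references are out of scope here and skipped."""
    return [
        (n, ref)
        for n, ref, _ in parse_uses(workflow_text)
        if not ref.startswith(("./", "docker://"))
        and not _SHA_RE.match(_revision(ref))
    ]


def find_sha_without_version_comment(workflow_text: str) -> list[tuple[int, str]]:
    """SHA pins lacking the `# vX.Y.Z` comment Dependabot/Renovate use to
    recognise the pinned version and propose bumps."""
    return [
        (n, ref)
        for n, ref, comment in parse_uses(workflow_text)
        if _SHA_RE.match(_revision(ref)) and comment is None
    ]


if __name__ == "__main__":
    for n, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is not pinned to a commit SHA")
    for n, ref in find_sha_without_version_comment(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} has no version comment")
```

On the sample it flags the two tag-pinned steps (lines 14 and 16) and accepts the SHA-pinned one because it carries a version comment. Pointing `find_unpinned` at every file under `.github/workflows/` from a pre-commit hook or a `deny`-style CI job keeps a tag from creeping back in after the pins are applied.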

@panos-xyz panos-xyz requested a review from anylots March 26, 2026 08:34
ring uses a custom license (ISC + OpenSSL + SSLeay) declared via
licenses.clarify but was missing from the allow list, causing
cargo-deny license checks to fail.
Contributor

@chengwenxi chengwenxi left a comment


LGTM. cargo-deny with well-configured policy — advisories with justified suppressions, permissive license allow-list, unknown-git = deny with explicit allowlist. Cargo.lock bumps resolve known CVEs (tar path traversal, rustls-webpki). Recommend opening a tracking issue for RUSTSEC-2026-0002 (lru unsound IterMut) to revisit when rebasing the reth fork.

@panos-xyz panos-xyz merged commit ccbf482 into main Mar 31, 2026
10 checks passed
@panos-xyz panos-xyz deleted the panos/ci-improvements branch March 31, 2026 13:58
