morph-l2 · panos-xyz · Mar 31, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
@@ -0,0 +1,24 @@
+name: Deny
+
+on:
+  push:
+    branches: [main]
+    paths: [Cargo.lock, deny.toml]
+  pull_request:
+    paths: [Cargo.lock, deny.toml]
+
+permissions:
+  contents: read
+
+jobs:
+  deny:
+    name: cargo-deny
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run cargo-deny
+        uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          command: check all
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,83 @@
+# This section is considered when running `cargo deny check advisories`
+# More documentation for the advisories section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+[advisories]
+yanked = "warn"
+ignore = [
+    # https://rustsec.org/advisories/RUSTSEC-2024-0436 paste! is unmaintained
+    "RUSTSEC-2024-0436",
+    # https://rustsec.org/advisories/RUSTSEC-2025-0141 bincode is unmaintained
+    "RUSTSEC-2025-0141",
+    # https://rustsec.org/advisories/RUSTSEC-2026-0002 lru 0.12.x unsound IterMut
+    # pinned by reth fork at 0.12.5, fix requires 0.16.3 (semver-incompatible)
+    "RUSTSEC-2026-0002",
+]
+
+# This section is considered when running `cargo deny check bans`.
+# More documentation about the 'bans' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+# Lint level for when multiple versions of the same crate are detected
+multiple-versions = "warn"
+# Lint level for when a crate version requirement is `*`
+wildcards = "allow"
+highlight = "all"
+deny = []
+skip = []
+skip-tree = []
+
+[licenses]
+version = 2
+confidence-threshold = 0.8
+# Ignore private workspace members entirely
+private = { ignore = true }
+
+# List of explicitly allowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
+allow = [
+    "MIT",
+    "MIT-0",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    "0BSD",
+    "CC0-1.0",
+    "ISC",
+    "Unlicense",
+    "Unicode-3.0",
+    "Zlib",
+    # https://github.com/rustls/webpki/blob/main/LICENSE ISC Style
+    "LicenseRef-rustls-webpki",
+    # https://github.com/briansmith/ring/blob/main/LICENSE ISC + OpenSSL + SSLeay
+    "LicenseRef-ring",
+    "CDLA-Permissive-2.0",
+    "MPL-2.0",
+]
+
+exceptions = [
+    { allow = ["MPL-2.0"], name = "option-ext" },
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "LicenseRef-ring"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
+
+[[licenses.clarify]]
+name = "rustls-webpki"
+expression = "LicenseRef-rustls-webpki"
+license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
+
+# This section is considered when running `cargo deny check sources`.
+# More documentation about the 'sources' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+unknown-registry = "warn"
+unknown-git = "deny"
+allow-git = [
+    "https://github.com/morph-l2/reth",
+    "https://github.com/rustyhorde/vergen",
+]