
Publish pre-built binaries of cargo-vet #484

Closed
repi opened this issue May 29, 2023 · 3 comments · Fixed by #600

Comments


repi commented May 29, 2023

While this tool is still in development, I do feel it and the ecosystem have matured quite a bit and would love to easily run it in CI in several of our repositories now.

One can do it by building & caching it as suggested in the docs, but it would be much preferable to have pre-built binaries published for the main linux/windows/mac targets (esp. linux) directly in the releases here (for example like cargo-deny or sccache do). It would be faster in CI and easier to integrate in solutions that do not have caching.

Would this be possible to set up? One can take inspiration from some existing repos (like those mentioned above) for how they build and publish it through GitHub Actions.

@bholley
Collaborator

bholley commented Jun 1, 2023

Would be happy to take a patch for this.

repi added a commit to EmbarkStudios/puffin that referenced this issue Jun 14, 2023
## Overview

This adds a CI step to require that all dependencies used in the workspace are either audited or exempted for audit, using the [`cargo-vet`](https://github.com/mozilla/cargo-vet) workflow and tool. It is a bit of an experiment to see how it behaves in our open source crates and to expose more of our devs to the workflow and see how it works.

## New workflow

In general, when adding or changing any dependencies one needs to keep the audit config & imports up-to-date now or CI will fail. This is done by running `cargo vet`, which will tell you which new/updated dependencies are not exempted or audited. To add all new dependencies to the list of exemptions (if they don't have imported audits) one can simply run `cargo vet regenerate exemptions` and then check in the file in the PR doing the update. It is also good to sometimes run `cargo vet regenerate imports` or `cargo vet prune` to re-import the list of audit registries (including our own), which removes crates from the exemption list if we have an audit of that exact version.

See the [cargo-vet book](https://mozilla.github.io/cargo-vet/) for more details about this new workflow. In general I expect us mostly to just update the exemptions/imports on PRs, not actively audit all dependencies for this project, as that is something we are doing for our other bigger internal projects (see Embark internal https://github.com/EmbarkStudios/ark/issues/7090).

Also see #147 (comment) as an example of what it can look like when upgrading a dependency in this repo and what next steps to run.

## Implementation details

For now this builds `cargo-vet` from source in CI (but does cache it). This works but is not ideal, though it is not a bottleneck in practice. Should be replaced with pre-builds later on:
- mozilla/cargo-vet#484
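As an added illustration of the build-and-cache CI step the commit message describes (this is example configuration written here, not the puffin or cargo-vet repository's own workflow), a GitHub Actions job that pins the cargo-vet version, restores the built binary from cache, builds from source only on a cache miss, and then fails the job when a dependency is neither audited nor exempted. The version value is a placeholder to be replaced with the release actually reviewed.

```yaml
name: cargo-vet

on:
  pull_request:
  push:
    branches: [main]

jobs:
  vet:
    runs-on: ubuntu-latest
    env:
      # Placeholder: pin the cargo-vet version you have reviewed; bumping it
      # becomes a deliberate, reviewable change rather than an implicit upgrade.
      CARGO_VET_VERSION: "0.0.0-placeholder"
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable

      # Restore the previously built binary, keyed on OS and the pinned version,
      # so the from-source build only reruns when the version changes.
      - name: Restore cached cargo-vet
        id: cache-cargo-vet
        uses: actions/cache@v4
        with:
          path: ~/.cargo/bin/cargo-vet
          key: cargo-vet-${{ runner.os }}-${{ env.CARGO_VET_VERSION }}

      # Build from crates.io only on a cache miss. --locked makes cargo use the
      # crate's own Cargo.lock instead of resolving fresh dependency versions.
      - name: Build cargo-vet from source
        if: steps.cache-cargo-vet.outputs.cache-hit != 'true'
        run: cargo install --locked cargo-vet --version "$CARGO_VET_VERSION"

      # Fail the job if any dependency in Cargo.lock is neither audited nor
      # exempted. --locked refuses to fetch new imports, so the check runs
      # against exactly the audits/exemptions committed in this PR.
      - name: Check audits and exemptions
        run: cargo vet --locked
```

When a failure is reported, the fix is the workflow above: run `cargo vet` locally, then `cargo vet regenerate exemptions` (or record a real audit) and commit the resulting supply-chain files.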
Author

repi commented Jun 28, 2023

This could be a very good use case for the new cargo-dist to set up the release workflow and deployment of binaries and try it out (and give feedback to @axodotdev about it).

maybe something @Gankra at axo would be interested in as another real test project to use it on?

staktrace added a commit to staktrace/cargo-vet that referenced this issue Mar 27, 2024
This PR was generated by running `cargo dist init` and selecting
all the default options. It seems to have pretty sane behaviour
out of the box.

This requires the repository URL fix in mozilla#599
to work correctly.

Fixes mozilla#484
@staktrace
Contributor

I have a PR up at #600 that sets up the cargo-dist release workflow. It was pretty painless, kudos @Gankra (and team) for that.

For context, we'd like prebuilt binaries published so that we can use them via the hermit tool.

staktrace added a commit to staktrace/cargo-vet that referenced this issue Apr 2, 2024

3 participants