Enable cargo-deny in CI

algesten · web-flow · commit 186f9913c8a5 · 2026-03-07T21:47:32.000+01:00
diff --git a/.github/workflows/cargo.yml b/.github/workflows/cargo.yml
@@ -75,32 +75,11 @@ jobs:
         env:
           RUSTDOCFLAGS: -Dwarnings
 
-  # cargo-deny:
-  #   name: cargo-deny
-
-  #   # TODO: remove this matrix when https://github.com/EmbarkStudios/cargo-deny/issues/324 is resolved
-  #   strategy:
-  #     fail-fast: false
-  #     matrix:
-  #       platform:
-  #         - aarch64-apple-ios
-  #         - aarch64-linux-android
-  #         - i686-pc-windows-gnu
-  #         - i686-pc-windows-msvc
-  #         - i686-unknown-linux-gnu
-  #         - wasm32-unknown-unknown
-  #         - x86_64-apple-darwin
-  #         - x86_64-apple-ios
-  #         - x86_64-pc-windows-gnu
-  #         - x86_64-pc-windows-msvc
-  #         - x86_64-unknown-linux-gnu
-  #         - x86_64-unknown-redox
-
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #   - uses: actions/checkout@v6
-  #   - uses: EmbarkStudios/cargo-deny-action@v1
-  #     with:
-  #       command: check
-  #       log-level: error
-  #       arguments: --all-features --target ${{ matrix.platform }}
+  cargo-deny:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          command: check
+          arguments: --all-features
diff --git a/deny.toml b/deny.toml
@@ -8,6 +8,7 @@
 
 # Note: running just `cargo deny check` without a `--target` can result in
 # false positives due to https://github.com/EmbarkStudios/cargo-deny/issues/324
+[graph]
 targets = [
   { triple = "aarch64-apple-darwin" },
   { triple = "i686-pc-windows-gnu" },
@@ -26,7 +27,14 @@ exclude = ["rand_core"]
 
 [advisories]
 yanked = "deny"
-ignore = []
+ignore = [
+  # DoS via stack exhaustion in time RFC 2822 parsing.
+  # Fix (>=0.3.47) requires Rust 1.88.0, our MSRV is 1.85.0.
+  # dimpl only uses OffsetDateTime::now_utc() and Duration::days() for
+  # certificate generation — no RFC 2822 parsing. A clippy disallowed-types
+  # rule prevents accidental introduction of Rfc2822.
+  "RUSTSEC-2026-0009",
+]
 
 [bans]
 multiple-versions = "deny"
