Summary
cargo-deny runs in CI, but GitHub does not mark it as a required check for the PR merge gate. As a result, Dependabot PR automation does not enforce cargo-deny failures as a hard block.
Expected behavior
If cargo-deny is intended to enforce advisory, license, source, or ban policy, it should be a required GitHub merge check.
Actual behavior
In today’s live repo state, cargo-deny runs but is not required by GitHub’s live merge protections.
Relevant log output
From live PR #6403 on 2026-04-27:
- `cargo-deny`: `conclusion = FAILURE`
- `cargo-deny`: `isRequired = false`
Possible Solution
Add cargo-deny to the live required merge protections, or document explicitly that it is advisory-only and not part of enforcement.
Version
No response
Would you like to work on fixing this bug?
Yes
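A check for the gap this issue reports, as an added example (not code from the repository): it takes per-check records carrying the `conclusion` and `isRequired` fields quoted in the log output and reports policy checks that cannot block a merge. The sample records, the `build` and `policy-x` check names, and the function names are constructed for illustration.

```python
import json

# Constructed sample: one record per check, using the two fields quoted in the
# issue (`conclusion`, `isRequired`). The `build` check is hypothetical.
SAMPLE_ROLLUP = json.loads("""[
  {"name": "cargo-deny", "conclusion": "FAILURE", "isRequired": false},
  {"name": "build",      "conclusion": "SUCCESS", "isRequired": true}
]""")

# Conclusions that do not hold up a merge when the check is required.
PASSING = {"SUCCESS", "NEUTRAL", "SKIPPED"}


def merge_blocked(rollup):
    """What the gate enforces: only required checks that are not passing count."""
    return any(
        c.get("isRequired", False) and c.get("conclusion") not in PASSING
        for c in rollup
    )


def audit_gate(rollup, policy_checks):
    """Return (finding, check_name) pairs for policy checks that cannot block a merge.

    policy_checks: names of checks that are meant to enforce policy.
    """
    by_name = {c["name"]: c for c in rollup}
    findings = []
    for name in sorted(policy_checks):
        check = by_name.get(name)
        if check is None:
            # The check never reported on this PR, so nothing was evaluated.
            findings.append(("missing", name))
        elif not check.get("isRequired", False):
            if check.get("conclusion") in PASSING:
                findings.append(("advisory-only", name))
            else:
                # The state in the issue: the check failed and the gate ignored it.
                findings.append(("failing-not-required", name))
    return findings


if __name__ == "__main__":
    print("merge blocked:", merge_blocked(SAMPLE_ROLLUP))
    for finding, name in audit_gate(SAMPLE_ROLLUP, {"cargo-deny"}):
        print(f"{name}: {finding}")
```
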