Skip to content

Add cargo-vet and cargo-deny supply-chain security#27

Open
jerrysxie wants to merge 1 commit into
OpenDevicePartnership:mainfrom
jerrysxie:add-supply-chain-security
Open

Add cargo-vet and cargo-deny supply-chain security#27
jerrysxie wants to merge 1 commit into
OpenDevicePartnership:mainfrom
jerrysxie:add-supply-chain-security

Conversation

@jerrysxie
Copy link
Copy Markdown
Contributor

@jerrysxie jerrysxie commented May 12, 2026

This PR adds supply-chain security tooling based on the
embedded-rust-template:

  • cargo-vet (supply-chain/) – dependency audit tracking with imports
    from ODP shared audits, Google, and Mozilla.
  • cargo-deny (deny.toml) – license, advisory, ban, and source checks.
  • CI workflowscargo-vet.yml + PR comment workflow, and the
    deny job in check.yml.

After merging, run cargo vet locally to populate exemptions for any
existing unaudited dependencies:

cargo vet regenerate exemptions
cargo vet

Copilot AI review requested due to automatic review settings May 12, 2026 20:20
@jerrysxie jerrysxie requested a review from a team as a code owner May 12, 2026 20:20
Copilot AI reviewed May 12, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces supply-chain security tooling for the crate, adding cargo-vet (with upstream audit imports) and cargo-deny (policy checks) plus CI automation to enforce them.

Changes:

  • Add cargo-vet configuration under supply-chain/ (local audits file, import config, imports lock).
  • Add GitHub Actions workflows to run cargo vet on PRs and (on failure/success transitions) comment on the PR.
  • Add cargo-deny configuration (deny.toml) and run cargo deny check in the main CI workflow.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
supply-chain/imports.lock Initializes cargo-vet imports lock for external audit sources.
supply-chain/config.toml Declares cargo-vet version and audit import URLs (ODP/Google/Mozilla).
supply-chain/audits.toml Adds local cargo-vet audits file scaffold.
.github/workflows/cargo-vet.yml Runs cargo vet in CI for pull requests.
.github/workflows/cargo-vet-pr-comment.yml Posts/updates PR comments based on cargo-vet results via workflow_run.
.github/workflows/check.yml Adds a cargo-deny job to CI checks.
deny.toml Defines cargo-deny policy for advisories/licenses/bans/sources.
Comments suppressed due to low confidence (1)

.github/workflows/cargo-vet-pr-comment.yml:44

  • echo "pr_number=$(cat ./pr/NR)" >> $GITHUB_OUTPUT writes attacker-controlled file contents into the GITHUB_OUTPUT command file (newlines can inject additional outputs). If you keep reading from a file, sanitize/validate it as a numeric PR number and use the multiline-safe output format; ideally remove this entirely by using the PR number from the workflow_run event payload.
      - name: 'Get PR number'
        id: get-pr-number
        run: echo "pr_number=$(cat ./pr/NR)" >> $GITHUB_OUTPUT

Comment thread .github/workflows/cargo-vet-pr-comment.yml
Comment on lines +26 to +49
# It will download the artifact from the failed job and post a comment on the PR
runs-on: ubuntu-latest
outputs:
comment-id: ${{ steps.get-comment-id.outputs.comment-id }}
pr-number: ${{ steps.get-pr-number.outputs.pr_number }}
if: github.event.workflow_run.event == 'pull_request'
steps:
- name: 'Download artifact'
uses: actions/download-artifact@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
name: pr
path: pr/
run-id: ${{ github.event.workflow_run.id }}

- name: 'Get PR number'
id: get-pr-number
run: echo "pr_number=$(cat ./pr/NR)" >> $GITHUB_OUTPUT

- name: 'Find existing comment'
id: find-comment
uses: peter-evans/find-comment@v3
with:
issue-number: ${{ steps.get-pr-number.outputs.pr_number }}
Comment thread .github/workflows/cargo-vet-pr-comment.yml
# Cargo Vet Audit Failed

`cargo vet` has failed in this PR. Please run `cargo vet --locked` locally to check for new or updated unvetted dependencies.
Details about the vetting process can be found in [supply-chain/README.md](../blob/main/supply-chain/README.md)
Comment thread .github/workflows/cargo-vet-pr-comment.yml
pull-requests: write

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
Comment thread .github/workflows/cargo-vet.yml
Comment on lines +43 to +49
if: ${{ failure() }} || ${{ success() }}
run: |
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
- uses: actions/upload-artifact@v4
# Need to upload the artifact in both success and failure cases so comment can be updated in either case
if: ${{ failure() }} || ${{ success() }}
Comment thread .github/workflows/cargo-vet.yml
Comment on lines +22 to +53
- uses: actions/checkout@v4
with:
submodules: true

- uses: actions/cache@v4
with:
path: ${{ runner.tool_cache }}/cargo-vet
key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }}

- name: Add the tool cache directory to the search path
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH

- name: Ensure that the tool cache is populated with the cargo-vet binary
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet

- name: Invoke cargo-vet
run: cargo vet --locked

- name: Save PR number
# PR number is saved as an artifact so it can be used to determine the PR to comment on by the vet-pr-comment workflow
# vet-pr-comment workflow is triggered by the workflow_run event so it runs in the context of the base branch and not the PR branch
if: ${{ failure() }} || ${{ success() }}
run: |
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
- uses: actions/upload-artifact@v4
# Need to upload the artifact in both success and failure cases so comment can be updated in either case
if: ${{ failure() }} || ${{ success() }}
with:
name: pr
path: pr/
overwrite: true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@kurtjd kurtjd Awaiting requested review from kurtjd kurtjd is a code owner automatically assigned from OpenDevicePartnership/ec-code-owners

@tullom tullom Awaiting requested review from tullom tullom is a code owner automatically assigned from OpenDevicePartnership/ec-code-owners

@RobertZ2011 RobertZ2011 Awaiting requested review from RobertZ2011 RobertZ2011 is a code owner automatically assigned from OpenDevicePartnership/ec-code-owners

@williampMSFT williampMSFT Awaiting requested review from williampMSFT williampMSFT is a code owner automatically assigned from OpenDevicePartnership/ec-code-owners

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jerrysxie