Add cargo-machete as a CI step to catch unused workspace dependencies before they accumulate.
Change
machete job (or step inside lint) to .github/workflows/ci.yml:

```yaml
machete:
  name: cargo-machete
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - uses: bnjbvr/cargo-machete@main
```
Why
- Dependencies tend to silently outlive their callers. Unused deps inflate build time, lockfile churn, supply-chain surface area, and cargo audit noise.
- cargo-machete runs in ~5s on most repos; near-zero CI cost.
- This is how the gix-stash PR caught 3 unused deps (gix-dir, gix-trace, smallvec) on the gitoxide upstream CI — same tool, same pattern.
- Aligns with the gitoxide / wider Rust ecosystem convention.
False positives
When a false positive happens (rare — usually deps used only in tests/benches or via re-export), add to Cargo.toml:

```toml
[package.metadata.cargo-machete]
ignored = ["dep-name"]
```
Reference
Umbrella note
This repo vendors sub-crates via git submodules (see .gitmodules). The same CI change should also be applied to each sub-crate repo individually — running the check in the umbrella scans them too (defense in depth), but the authoritative signal lives on each sub-crate's own CI so failures land in the right repo.