chore(build): Add cargo-deny CI workflow and configuration

.github/workflows/CI.yml

@@ -33,6 +33,27 @@ jobs:
     - name: Check all targets
       run: cargo check --all --all-targets --all-features
 
+  deny-check:
+    name: cargo-deny check
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v1
+    - name: download cargo-deny
+      shell: bash
+      env:
+        DVS: "0.4.0"
+        DREPO: EmbarkStudios/cargo-deny
+        TARGET: x86_64-unknown-linux-musl
+      run: |
+        temp_archive=$(mktemp --suffix=.tar.gz)
+        curl -L --output "$temp_archive" https://github.com/$DREPO/releases/download/$DVS/cargo-deny-$DVS-$TARGET.tar.gz
+
+        tar -xzvf "$temp_archive" -C . --strip-components=1 --wildcards "*/cargo-deny"
+    - name: cargo-deny check licenses
+      run: ./cargo-deny -L debug check license
+    - name: cargo-deny check bans
+      run: ./cargo-deny -L debug check ban
+
   test:
     runs-on: ${{ matrix.os }}
     strategy:

deny.toml

@@ -0,0 +1,57 @@
+[bans]
+multiple-versions = "deny"
+deny = [
+    # color-backtrace is nice but brings in too many dependencies and that are often outdated, so not worth it for us.
+    { name = "color-backtrace" },
+
+    # dirs crate has a lot of dependencies and there are better alternatives
+    { name = "dirs" },
+    { name = "dirs-sys" },
+
+    # deprecated
+    { name = "quickersort" },
+
+    # term is not fully maintained, and termcolor is replacing it
+    { name = "term" },
+]
+skip = [
+    { name = "crossbeam-utils", version = "=0.6.6" },
+]
+skip-tree = [
+    { name = "rand", version = "=0.6.5" },
+    { name = "syn",  version = "=0.15.44" },
+]
+
+[licenses]
+unlicensed = "deny"
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 0.92
+allow = [
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "MIT",
+    "OpenSSL",
+]
+
+[[licenses.clarify]]
+name = "ring"
+# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
+# https://spdx.org/licenses/OpenSSL.html
+# ISC - Both BoringSSL and ring use this for their new files
+# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
+# license, for third_party/fiat, which, unlike other third_party directories, is
+# compiled into non-test libraries, is included below."
+# OpenSSL - Obviously
+expression = "ISC AND MIT AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[[licenses.clarify]]
+name = "webpki"
+expression = "ISC"
+license-files = [
+    { path = "LICENSE", hash = 0x001c7e6c },
+]

tests/included_service/Cargo.toml

@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Lucio Franco <luciofranco14@gmail.com>"]
 edition = "2018"
 publish = false
+license = "MIT"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

tests/same_name/Cargo.toml

@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Lucio Franco <luciofranco14@gmail.com>"]
 edition = "2018"
 publish = false
+license = "MIT"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

tests/wellknown/Cargo.toml

@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Lucio Franco <luciofranco14@gmail.com>"]
 edition = "2018"
 publish = false
+license = "MIT"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

tonic-examples/Cargo.toml

@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Lucio Franco <luciofranco14@gmail.com>"]
 edition = "2018"
 publish = false
+license = "MIT"
 
 [[bin]]
 name = "helloworld-server"

tonic-interop/Cargo.toml

@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Lucio Franco <luciofranco14@gmail.com>"]
 edition = "2018"
 publish = false
+license = "MIT"
 
 [features]
 default = ["tonic"]