From b50f8e7bba92b11ed8b8dfe278272577cfbee3bc Mon Sep 17 00:00:00 2001
From: brhutchins
Date: Sun, 28 Jun 2026 17:52:52 +0200
Subject: [PATCH] build(nix): add deny and audit to flake checks
- Add flake check for `cargo deny`
- Add flake check for `cargo audit`
---
flake.lock | 17 +++++++++++++++++
flake.nix | 21 ++++++++++++++++++++-
2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/flake.lock b/flake.lock
index 5d189ae..3c9b6ca 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,21 @@
 {
 "nodes": {
+ "advisory-db": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1782467904,
+ "narHash": "sha256-2ROADxDdmTMFV+jbwPbCU33qNZIO+WRcpUXmoQGLTLI=",
+ "owner": "rustsec",
+ "repo": "advisory-db",
+ "rev": "e69927bf37afb7707575bc95aff6a9ef3f2534fb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "rustsec",
+ "repo": "advisory-db",
+ "type": "github"
+ }
+ },
 "crane": {
 "locked": {
 "lastModified": 1780532242,
@@ -51,6 +67,7 @@
 },
 "root": {
 "inputs": {
+ "advisory-db": "advisory-db",
 "crane": "crane",
 "flake-utils": "flake-utils",
 "nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index 8d49e41..e8fd8d4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,9 +11,13 @@
 url = "github:oxalica/rust-overlay";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ advisory-db = {
+ url = "github:rustsec/advisory-db";
+ flake = false;
+ };
 };
- outputs = { self, nixpkgs, flake-utils, crane, rust-overlay, ... }:
+ outputs = { self, nixpkgs, flake-utils, crane, rust-overlay, advisory-db, ... }:
 flake-utils.lib.eachDefaultSystem (system:
 let
 pkgs = import nixpkgs {
@@ -36,6 +40,13 @@
 src = lib.cleanSource ./.;
 };
+ denySrc = lib.cleanSourceWith {
+ filter = path: type:
+ (craneLib.filterCargoSources path type) ||
+ (lib.hasSuffix "deny.toml" path);
+ src = lib.cleanSource ./.;
+ };
+
 commonArgs = {
 inherit src;
 strictDeps = true;
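Review bot: The `deny.toml` clause of the `denySrc` filter in the `@@ -36,6 +40,13 @@` hunk is a suffix match on the whole path, so it also admits any file whose name merely ends in `deny.toml` (for example `foo-deny.toml`), not only the cargo-deny configuration. Matching the base name, `(baseNameOf path == "deny.toml")`, keeps the check's source set to what the tool actually reads and avoids rebuilding the check when unrelated files change. A one-line comment such as `# cargo-deny needs its config, which filterCargoSources drops` would also explain why this second source set exists next to `src`. The enclosing `let` block starts and ends outside the hunk.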
@@ -79,6 +90,14 @@
 fmt = craneLib.cargoFmt {
 inherit src;
 };
+ deny = craneLib.cargoDeny {
+ src = denySrc;
+ cargoDenyExtraArgs = "--all-features";
+ };
+ audit = craneLib.cargoAudit {
+ src = craneLib.cleanCargoSource ./.;
+ inherit advisory-db;
+ };
 };
 devShells.default = craneLib.devShell {
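Review bot: The `audit` check can only report advisories present in the `advisory-db` revision pinned in flake.lock, so a passing check goes stale until that input is bumped, and nothing in this commit documents or schedules the bump. I would add a comment above `audit = craneLib.cargoAudit {`, for example `# Uses the advisory-db rev locked in flake.lock; update that input on a schedule or new RustSec advisories are not seen.` Whether `deny` also evaluates advisories depends on crane's default check set, which is not visible here, so `audit` may be the only vulnerability gate and deserves that note. `audit` also builds its source with `craneLib.cleanCargoSource ./.` while `fmt` inherits `src`; if the difference is deliberate, a short comment saying so would help. The enclosing checks attribute set starts outside the hunk.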