On CI, have cargo deny allow RUSTSEC-2025-0021 via gix-testtools

EliahKagan · EliahKagan · commit 67d9bf494315 · 2025-04-05T02:02:29.000-04:00
This splits the `EmbarkStudios/cargo-deny-action` step in
`cargo-deny-advisories` into two such steps:

- Scan the workspace except prune `gix-testtools` and everything
  reachable through it (following it neither as a root, nor when it
  is found as dev dependency of another crate). This doesn't get to
  its obsolete dependencies, while still ensuring that nothing in
  the workspace *except* what we reach through `gix-testtools` is
  affected by RUSTSEC-2025-0021.

- Scan the whole workspace, including `gix-testtools` and all its
  dependencies, including the obsolete version of `gix-features`
  that is affected by RUSTSEC-2025-0021. But ignore that advisory.

To support this, steps are added to install the `yq`-associated
`tomlq` command and use it to produce the modified configuration
file for the second scan in a way that shouldn't break under any
changes to comments, spacing, style, or ordering in `deny.toml`.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -344,10 +344,28 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: EmbarkStudios/cargo-deny-action@v2
+      - name: Install tomlq
+        run: |
+          # The runner already has the `yq` command but not its associated `tomlq` command.
+          sudo apt-get update
+          sudo apt-get install yq
+      - name: Strict check, but omit gix-testtools
+        uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          command: check advisories
+          arguments: --workspace --all-features --exclude gix-testtools
+      - name: Configure less strict check
+        run: |
+          filter='.advisories.ignore += [
+            { id: "RUSTSEC-2025-0021", reason: "gix-testtools can’t upgrade from old gix-features yet" }
+          ]'
+          tomlq "$filter" deny.toml --toml-output > deny-but-ignore-RUSTSEC-2025-0021.toml
+      - name: Less strict check, but include gix-testtools
+        uses: EmbarkStudios/cargo-deny-action@v2
         with:
           command: check advisories
           arguments: --workspace --all-features
+          command-arguments: --config deny-but-ignore-RUSTSEC-2025-0021.toml
 
   cargo-deny:
     runs-on: ubuntu-latest
