Add cargo deny on CI (#8580)

Closes: - https://github.com/sigp/lighthouse/issues/8408 Add `cargo deny` on CI with deprecated crates (`ethers` and `ethereum-types`) banned and duplicates banned for `reqwest`. Co-Authored-By: Michael Sproul <michael@sigmaprime.io>
2026-03-02 16:21:42 +00:00 · 2025-12-16 20:02:34 +11:00
parent 4c268bc0d5
commit 4e35e9d587
3 changed files with 35 additions and 1 deletions
--- a/.github/workflows/test-suite.yml
+++ b/.github/workflows/test-suite.yml
@@ -324,7 +324,7 @@ jobs:
          channel: stable
          cache-target: release
          components: rustfmt,clippy
-          bins: cargo-audit
+          bins: cargo-audit,cargo-deny
    - name: Check formatting with cargo fmt
      run: make cargo-fmt
    - name: Lint code for quality and style with Clippy
@@ -337,6 +337,8 @@ jobs:
      run:  make arbitrary-fuzz
    - name: Run cargo audit
      run: make audit-CI
+    - name: Run cargo deny
+      run: make deny-CI
    - name: Run cargo vendor to make sure dependencies can be vendored for packaging, reproducibility and archival purpose
      run:  CARGO_HOME=$(readlink -f $HOME) make vendor
    - name: Markdown-linter
--- a/9
+++ b/9
@@ -326,6 +326,15 @@ install-audit:
 audit-CI:
 	cargo audit

+# Runs cargo deny (check for banned crates, duplicate versions, and source restrictions)
+deny: install-deny deny-CI
+
+install-deny:
+	cargo install --force cargo-deny --version 0.18.2
+
+deny-CI:
+	cargo deny check bans sources --hide-inclusion-graph
+
 # Runs `cargo vendor` to make sure dependencies can be vendored for packaging, reproducibility and archival purpose.
 vendor:
 	cargo vendor
--- a/deny.toml
+++ b/deny.toml
@@ -0,0 +1,23 @@
+# cargo-deny configuration for Lighthouse
+# See https://embarkstudios.github.io/cargo-deny/
+
+[bans]
+# Warn when multiple versions of the same crate are detected
+multiple-versions = "warn"
+deny = [
+    # Legacy Ethereum crates that have been replaced with alloy
+    { crate = "ethers", reason = "use alloy instead" },
+    { crate = "ethereum-types", reason = "use alloy-primitives instead" },
+    # Replaced by quick-protobuf
+    { crate = "protobuf", reason = "use quick-protobuf instead" },
+    # Prevent duplicate versions of reqwest - heavy crate with build scripts
+    { crate = "reqwest", deny-multiple-versions = true, reason = "prevent duplicate versions" },
+]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+
+[sources.allow-org]
+github = ["sigp"]