From 528977532c28ad859bea7ba0cb5e6cb3e0fce56b Mon Sep 17 00:00:00 2001
From: Jon Gjengset
Date: Sun, 31 Mar 2024 10:42:53 +0200
Subject: [PATCH 1/5] Add cargo-semver-checks
---
 .github/workflows/check.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index c869ee7..98834bf 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -59,6 +59,19 @@ jobs:
 with:
 reporter: 'github-pr-check'
 github_token: ${{ secrets.GITHUB_TOKEN }}
+ semver:
+ runs-on: ubuntu-latest
+ name: semver
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: true
+ - name: Install stable
+ uses: dtolnay/rust-toolchain@stable
+ with:
+ components: rustfmt
+ - name: cargo-semver-checks
+ uses: obi1kenobi/cargo-semver-checks-action@v2
 doc:
 # run docs generation on nightly rather than stable. This enables features like
 # https://doc.rust-lang.org/beta/unstable-book/language-features/doc-cfg.html which allows an
From dcf68836181145511a35a269e8392d0a0f0c61e1 Mon Sep 17 00:00:00 2001
From: Jon Gjengset
Date: Sun, 7 Jul 2024 10:05:52 +0200
Subject: [PATCH 2/5] More intelligent dependabot behaviour
---
 .github/dependabot.yml | 59 +++++++++++++++++++++++++++++++++++++-----
 1 file changed, 53 insertions(+), 6 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d0f091e..f9d7d1c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
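Review bot: In the new `semver` job of `.github/workflows/check.yml` (patch 1/5), `obi1kenobi/cargo-semver-checks-action@v2` is referenced by a mutable tag, so whatever that tag points to at run time executes in this repository's CI. Pinning it to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: obi1kenobi/cargo-semver-checks-action@<full-commit-sha>  # v2`, makes the run reproducible and reviewable. The `dtolnay/install@cargo-docs-rs` step added to the `doc` job in patch 4/5 is likewise resolved at run time. The job declares no `permissions:`; whether the workflow sets a top-level default is outside this hunk, but if it does not, a job-level `permissions:` with `contents: read` would keep the token read-only. Separately, `components: rustfmt` looks carried over from another job and is probably not needed for a semver check.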
@@ -4,16 +4,63 @@ updates:
 directory: /
 schedule:
 interval: daily
+ # Cargo major version update notifications (PRs) we always want
 - package-ecosystem: cargo
 directory: /
- schedule:
- interval: daily
 ignore:
 - dependency-name: "*"
- # patch and minor updates don't matter for libraries as consumers of this library build
- # with their own lockfile, rather than the version specified in this library's lockfile
- # remove this ignore rule if your package has binaries to ensure that the binaries are
- # built with the exact set of dependencies and those are up to date.
 update-types:
 - "version-update:semver-patch"
 - "version-update:semver-minor"
+ schedule:
+ # we want to know about them immediately
+ interval: daily
+ groups:
+ # we group major bumps for dev-dependencies together in case there are
+ # related groups of breaking changes. that _can_ be the case for
+ # production dependencies too, but there one should be more diligent
+ # about each major bump in case it constitutes a breaking change to the
+ # current crate too.
+ major-dev:
+ dependency-type: "development"
+ update-types:
+ - "major"
+ # patch and minor updates don't matter for libraries, as consumers of a
+ # library build with their own lockfile, rather than the version specified in
+ # this library's lockfile. so for libraries (which is most crates), we should
+ # never update non-major versions, and so the following rule is disabled by
+ # default.
+ #
+ # if your package has binaries, enable this rule by commenting out the
+ # `open-pull-requests-limit` line. this will open a PR once a month that
+ # effectively runs `cargo update` to ensure that the binaries are built with
+ # the exact set of dependencies and those are up to date.
+ - package-ecosystem: cargo
+ # this rule is disabled by default; comment out this line to re-enable:
+ open-pull-requests-limit: 0
+ directory: /
+ schedule:
+ interval: monthly
+ # select only minor + patch by excluding major. dependabot doesn't appear
+ # to have an include-only rule, so we have to do it by exclusion.
+ ignore:
+ - dependency-name: "*"
+ update-types:
+ - "version-update:semver-major"
+ # never bump the version in `Cargo.toml` for minor/patch upgrades; it
+ # should only change when the major version changes to avoid requiring
+ # downstream packages from also running a `cargo update` (and possibly
+ # bumping MSRV unnecessarily as a result).
+ #
+ # TODO: https://github.com/dependabot/dependabot-core/issues/4009
+ # versioning-strategy: "increase-if-necessary"
+ versioning-strategy: "lockfile-only"
+ groups:
+ # note that since this is perfectly disjoint with the `ignore` rule, all
+ # minor/patch updates will end up in a single group, and thus in a single
+ # PR. grouping all of these together only (generally) works because the
+ # Rust community is fairly good about respecting semver.
+ cargo-update:
+ update-types:
+ - "minor"
+ - "patch"
From 799c99e0cf77d2289ab47e84fa3b8296cfc5beb1 Mon Sep 17 00:00:00 2001
From: Jon Gjengset
Date: Sun, 7 Jul 2024 10:18:50 +0200
Subject: [PATCH 3/5] Revert "More intelligent dependabot behaviour"
This reverts commit dcf68836181145511a35a269e8392d0a0f0c61e1. Will not work due to https://github.com/dependabot/dependabot-core/issues/10160
---
 .github/dependabot.yml | 59 +++++------------------------------------------
 1 file changed, 6 insertions(+), 53 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f9d7d1c..d0f091e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,63 +4,16 @@ updates:
 directory: /
 schedule:
 interval: daily
- # Cargo major version update notifications (PRs) we always want
 - package-ecosystem: cargo
 directory: /
- ignore:
- - dependency-name: "*"
- update-types:
- - "version-update:semver-patch"
- - "version-update:semver-minor"
 schedule:
- # we want to know about them immediately
 interval: daily
- groups:
- # we group major bumps for dev-dependencies together in case there are
- # related groups of breaking changes. that _can_ be the case for
- # production dependencies too, but there one should be more diligent
- # about each major bump in case it constitutes a breaking change to the
- # current crate too.
- major-dev:
- dependency-type: "development"
- update-types:
- - "major"
- # patch and minor updates don't matter for libraries, as consumers of a
- # library build with their own lockfile, rather than the version specified in
- # this library's lockfile. so for libraries (which is most crates), we should
- # never update non-major versions, and so the following rule is disabled by
- # default.
- #
- # if your package has binaries, enable this rule by commenting out the
- # `open-pull-requests-limit` line. this will open a PR once a month that
- # effectively runs `cargo update` to ensure that the binaries are built with
- # the exact set of dependencies and those are up to date.
- - package-ecosystem: cargo
- # this rule is disabled by default; comment out this line to re-enable:
- open-pull-requests-limit: 0
- directory: /
- schedule:
- interval: monthly
- # select only minor + patch by excluding major. dependabot doesn't appear
- # to have an include-only rule, so we have to do it by exclusion.
 ignore:
 - dependency-name: "*"
+ # patch and minor updates don't matter for libraries as consumers of this library build
+ # with their own lockfile, rather than the version specified in this library's lockfile
+ # remove this ignore rule if your package has binaries to ensure that the binaries are
+ # built with the exact set of dependencies and those are up to date.
 update-types:
- - "version-update:semver-major"
- # never bump the version in `Cargo.toml` for minor/patch upgrades; it
- # should only change when the major version changes to avoid requiring
- # downstream packages from also running a `cargo update` (and possibly
- # bumping MSRV unnecessarily as a result).
- #
- # TODO: https://github.com/dependabot/dependabot-core/issues/4009
- # versioning-strategy: "increase-if-necessary"
- versioning-strategy: "lockfile-only"
- groups:
- # note that since this is perfectly disjoint with the `ignore` rule, all
- # minor/patch updates will end up in a single group, and thus in a single
- # PR. grouping all of these together only (generally) works because the
- # Rust community is fairly good about respecting semver.
- cargo-update:
- update-types:
- - "minor"
- - "patch"
+ - "version-update:semver-patch"
+ - "version-update:semver-minor"
From 5ed5ed26c75685740abb4af25c17b18cc091edcf Mon Sep 17 00:00:00 2001
From: Charles Edward Gagnon <76854355+carloskiki@users.noreply.github.com>
Date: Sun, 18 Aug 2024 03:28:39 -0400
Subject: [PATCH 4/5] documentation check with `cargo-docs-rs` (#23)
---
 .github/workflows/check.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 98834bf..5251954 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -84,10 +84,10 @@ jobs:
 submodules: true
 - name: Install nightly
 uses: dtolnay/rust-toolchain@nightly
- - name: cargo doc
- run: cargo doc --no-deps --all-features
- env:
- RUSTDOCFLAGS: --cfg docsrs
+ - name: Install cargo-docs-rs
+ uses: dtolnay/install@cargo-docs-rs
+ - name: cargo docs-rs
+ run: cargo docs-rs
 hack:
 # cargo-hack checks combinations of feature flags to ensure that features are all additive
 # which is required for feature unification
From 2ebf7635e703d8b0dc1744fcf101e5e988a1ee90 Mon Sep 17 00:00:00 2001
From: Jon Gjengset
Date: Sun, 18 Aug 2024 09:41:27 +0200
Subject: [PATCH 5/5] Match newer cargo-deny semantics See https://github.com/EmbarkStudios/cargo-deny/pull/606
---
 deny.toml | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/deny.toml b/deny.toml
index d25d512..89d01f6 100644
--- a/deny.toml
+++ b/deny.toml
@@ -1,15 +1,16 @@
 [advisories]
-vulnerability = "deny"
-unmaintained = "warn"
-notice = "warn"
+version = 2
 ignore = []
 [licenses]
-unlicensed = "deny"
-allow = []
-deny = []
-copyleft = "warn"
-allow-osi-fsf-free = "either"
+version = 2
+allow = [
+ "MIT",
+ "BSD-2-Clause",
+ "CC0-1.0",
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+]
 confidence-threshold = 0.8
 [bans]
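Review bot: In the `doc` job of `.github/workflows/check.yml` (patch 4/5), the new `run: cargo docs-rs` passes no feature flags, whereas the step it replaces ran `cargo doc --no-deps --all-features`. As I understand cargo-docs-rs, the feature set now comes from the `[package.metadata.docs.rs]` table in Cargo.toml, which is not visible in this hunk. If that table lacks `all-features = true`, feature-gated items silently drop out of the documentation check. A comment above the step, e.g. `# features and rustdoc flags come from [package.metadata.docs.rs] in Cargo.toml`, would make that dependency explicit for users of this template.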
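Review bot: In `deny.toml` (patch 5/5), replacing `unmaintained = "warn"` and `notice = "warn"` with `version = 2` under `[advisories]` changes more than syntax. As I read the linked cargo-deny change, those advisory classes now fail the check instead of warning, and `ignore = []` becomes the only waiver. I would document that next to the list, e.g. `# version 2: every advisory is an error; each entry here needs the advisory id and a reason`. Under `[licenses]`, removing `allow-osi-fsf-free = "either"` makes the five-entry `allow` list exhaustive, so a comment such as `# any license not listed here fails the check` would spare adopters a surprise on their first run.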