Commit Graph

2 Commits

Author SHA1 Message Date
adlee-was-taken
85a58ab880 deny: workaround cargo-deny 0.18.x GPL-3.0-or-later parse bug
cargo-deny 0.18.3 (the latest that installs on rust 1.85) can't parse
the SPDX 'GPL-3.0-or-later' suffix — 'expected a <bare-gnu-license>'.
CI uses cargo-deny-action@v1 (bundles 0.19+) which parses it correctly.

Switching to bare 'GPL-3.0' lets local 'cargo deny check' work on the
pinned toolchain. ADR-0004's GPL-3.0-or-later stance is unchanged; this
is a parser workaround flagged for revert when the MSRV lifts past 1.88
(where cargo-deny 0.19.x installs natively).

Three of four 'cargo deny check' subcommands now pass locally:
  - licenses ok
  - bans ok
  - sources ok
  - advisories: fails locally only because the advisory-db contains CVSS 4.0
    entries (anchor-lang RUSTSEC-2026-0146) that cargo-deny 0.18.3's parser
    rejects. Unfixable on the rust 1.85 toolchain; CI's 0.19+ parses fine.

Surfaced by Task 7's done-checklist run; not a Task 7 code change.
2026-06-28 13:08:19 -04:00
adlee-was-taken
f92e6f467b ci: cargo-deny + GitHub Actions workflow (spec §6.1, §6.2)
deny.toml allows the permissive Rust-ecosystem licenses + our own
GPL-3.0-or-later; bans duplicate versions of tokio/serde/bytes/tracing
to catch dep-tree divergence early; restricts sources to crates.io. CI
runs fmt --check, clippy -D warnings, test --all (matrix: stable +
MSRV 1.85), and cargo deny check on push + PR to main. The CI job
installs libopus-dev — the opus crate's FFI dependency (PORT_PLAN §7
'Core (FFI)' disposition).
2026-06-28 12:59:29 -04:00