From 316e1b91f3e0c6cdcc57c44a8236bf4067a3f377 Mon Sep 17 00:00:00 2001
From: Ryan Butler <thebutlah@gmail.com>
Date: Thu, 10 Oct 2024 18:10:22 -0400
Subject: [PATCH] add cargo deny check to CI

---
 .github/workflows/licensing.yaml | 18 ++++++++++
 deny.toml                        | 59 ++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 .github/workflows/licensing.yaml
 create mode 100644 deny.toml

diff --git a/.github/workflows/licensing.yaml b/.github/workflows/licensing.yaml
new file mode 100644
index 0000000..1a23f76
--- /dev/null
+++ b/.github/workflows/licensing.yaml
@@ -0,0 +1,18 @@
+name: Rust CI
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - prod
+    tags:
+      - '**'
+
+cargo-deny:
+    name: Check licensing
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+      - uses: EmbarkStudios/cargo-deny-action@8371184bd11e21dcf8ac82ebf8c9c9f74ebf7268 # pin@v2.0.1
+
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..c9bef22
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,59 @@
+[graph]
+# Cargo deny will check dependencies via `--all-features`
+all-features = true
+
+[advisories]
+version = 2
+ignore = [
+]
+
+[sources]
+unknown-registry = "deny"
+
+[licenses]
+version = 2
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 1.0
+
+# List of explicitly allowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+allow = [
+    "0BSD",
+    "Apache-2.0 WITH LLVM-exception",
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-2-Clause-Patent",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    "CC0-1.0",
+    "ISC",
+	"LicenseRef-ftdi-proprietary",
+    "LicenseRef-ring", # See https://github.com/briansmith/ring/blob/95948b3977013aed16db92ae32e6b8384496a740/deny.toml#L12
+    "LicenseRef-wc-proprietary",
+    "MIT",
+    "MPL-2.0", # Although this is copyleft, it is scoped to modifying the original files
+    "Unicode-DFS-2016",
+    "Unlicense",
+    "Zlib",
+]
+
+# See https://github.com/briansmith/ring/blob/95948b3977013aed16db92ae32e6b8384496a740/deny.toml#L12
+[[licenses.clarify]]
+name = "ring"
+expression = "LicenseRef-ring"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[[licenses.clarify]]
+# @thebutlah reviewed the license code. It doesn't impose any copyleft
+# restrictions on us, and doesn't seem to impose any restrictions on
+# distribution. As long as we don't put any other copyleft code in
+# orb-software, we won't run afoul of any license restrictions AFAICT. We
+# should seek to reimplement pyftdi in rust using nusb if we can, though.
+# Because its not good to have these proprietary libs in here.
+name = "libftd2xx-ffi"
+expression = "LicenseRef-ftdi-proprietary"
+license-files = [
+    { path = "LICENSE", hash = 0x0d4f9606 } 
+]