ci: add CodeQL and cargo-deny workflows with pinned SHAs

Author: Topgrade Tester

.github/workflows/cargo-deny.yml

@@ -0,0 +1,38 @@
+name: cargo-deny
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          fetch-depth: 1
+
+      - name: Install cargo-deny
+        uses: taiki-e/install-action@0c5db7f7f897c03b771660e91d065338615679f4 # v2.60.0
+        with:
+          tool: [email protected]
+
+      - name: Run cargo deny (advisories)
+        run: cargo deny check advisories --all-features
+
+      - name: Run cargo deny (licenses)
+        run: cargo deny check licenses --all-features
+
+      - name: Run cargo deny (bans)
+        run: cargo deny check bans --all-features

.github/workflows/codeql.yml

@@ -0,0 +1,41 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+  schedule:
+    - cron: '0 3 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze (Rust)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          fetch-depth: 1
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
+        with:
+          languages: rust
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
+        with:
+          category: '/language:rust'

README.md

@@ -8,6 +8,8 @@
   <a href="https://aur.archlinux.org/packages/topgrade"><img alt="AUR" src="https://img.shields.io/aur/version/topgrade.svg"></a>
   <a href="https://formulae.brew.sh/formula/topgrade"><img alt="Homebrew" src="https://img.shields.io/homebrew/v/topgrade.svg"></a>
 
+  <a href="https://github.com/topgrade-rs/topgrade/actions/workflows/codeql.yml"><img alt="CodeQL" src="https://github.com/topgrade-rs/topgrade/actions/workflows/codeql.yml/badge.svg?branch=main"></a>
+
   <img alt="Demo" src="doc/topgrade_demo.gif">
 </div>
 

deny.toml

@@ -0,0 +1,27 @@
+[advisories]
+vulnerability = "deny"
+unmaintained = "warn"
+unsound = "deny"
+yanked = "warn"
+ignore = [
+  # Add RUSTSEC IDs here with expiry and reason once triaged
+]
+
+[licenses]
+unlicensed = "deny"
+allow = ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Zlib"]
+exceptions = [
+  # { name = "some-crate", version = "=1.2.3", allow = ["License-Ref-..."], rationale = "..." }
+]
+confidence-threshold = 0.8
+
+[bans]
+multiple-versions = "warn"
+wildcards = "deny"
+deny = [
+  # { name = "old-crate", version = "<1.0.0", note = "Use maintained fork" }
+]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "warn"