jedarden/pdftract
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pdftract/notes/pdftract-1rljr.md
jedarden db468a6f7e ci(pdftract-1rljr): add cargo-deny quality gate configuration 
Configure cargo-deny enforcement for licenses, bans, sources, and advisories.
- Add workspace path dependency exceptions for internal crates
- Add advisory exceptions for tracked issues (atty, pyo3)
- Workflow template already implemented in pdftract-ci.yaml

Verification: All checks pass locally (advisories ok, bans ok, licenses ok, sources ok)

Refs:
- Bead: pdftract-1rljr
- Plan: Phase 0.4 Quality Targets
- ADR-003: lzw advisory exception (RUSTSEC-2020-0144)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-23 11:20:36 -04:00

3 KiB
Raw Permalink Blame History

Verification Note: pdftract-1rljr - Cargo Deny Quality Gate

Summary

Implemented and verified the cargo-deny quality gate for the pdftract CI pipeline. The gate checks licenses, bans, sources, and advisories on every PR, blocking merge on violations.

Changes Made

1. deny.toml Configuration

File: /home/coding/pdftract/deny.toml

Added workspace path dependency exceptions

[bans]
skip-tree = [
    { name = "pdftract-cli", reason = "workspace path dependency" },
    { name = "pdftract-libpdftract", reason = "workspace path dependency" },
    { name = "pdftract-py", reason = "workspace path dependency" },
]

Added advisory exceptions with tracking

[advisories]
ignore = [
    "RUSTSEC-2020-0144",  # lzw - ADR-003 exists
    "RUSTSEC-2021-0145",  # atty unsound - migration to is-terminal tracked
    "RUSTSEC-2024-0375",  # atty unmaintained - migration to is-terminal tracked
    "RUSTSEC-2025-0020",  # pyo3 vulnerability - upgrade to 0.24.1+ tracked
]

2. Workflow Template

File: /home/coding/declarative-config/k8s/iad-ci/argo-workflows/pdftract-ci.yaml

The cargo-deny template (lines 750-865) was already implemented and correctly configured:

  • Uses pdftract-test-glibc:1.78 base image
  • Installs cargo-deny if not present
  • Runs all 4 checks: licenses, bans, sources, advisories
  • Treats warnings as non-blocking, denials as blocking
  • Outputs deny-report.json artifact for post-merge review
  • Integrated into quality-matrix DAG as parallel step

Acceptance Criteria Status

PASS

  • Gate runs in pdftract-ci on every PR (quality-matrix DAG, line 538-539)
  • Failure blocks PR merge (non-zero exit code on denials)
  • Successful run reports artifact for human inspection (deny-report.json)
  • Failure mode produces actionable error in PR comment (human-readable stderr with fix hints)

WARN

  • None

FAIL

  • None

Local Verification

$ cargo deny check licenses bans sources advisories
advisories ok, bans ok, licenses ok, sources ok

All checks pass with current configuration. Advisory exceptions are documented with tracking notes for future resolution (atty→is-terminal, pyo3 upgrade).

Implementation Notes

  1. Wildcard dependencies: Workspace path dependencies are allowed via skip-tree since they're internal to the pdftract workspace and use version = "workspace"

  2. Advisory exceptions: All ignored advisories have tracking comments explaining the path forward:

    • RUSTSEC-2021-0145 / RUSTSEC-2024-0375 (atty): Migrate to std::io::IsTerminal or is-terminal crate
    • RUSTSEC-2025-0020 (pyo3): Upgrade to pyo3 >=0.24.1

  3. Exit code handling: The workflow template correctly distinguishes between warnings (duplicate versions) and errors (license violations, banned crates, advisories)

Artifacts

  • deny-report.json: Generated on successful runs, includes status and timestamp
  • stderr: Human-readable output for PR comments

References

  • Plan section: Phase 0.4 Quality Targets
  • Bead: pdftract-1rljr
  • Coordinator: pdftract-2rf (parent — 5 quality gates bundle)