Merged
5 changes: 5 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -7,6 +7,11 @@ updates:
time: "06:00"
timezone: "UTC"
versioning-strategy: "auto"
groups:
cargo-patch-minor:
update-types:
- "minor"
- "patch"

- package-ecosystem: "github-actions"
directory: "/"
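Review bot: the `cargo-patch-minor` group has only `update-types` and no `patterns` filter, so the minor and patch bumps of every Cargo dependency land in one PR, and a single minor bump that breaks the build holds back all the others. Consider separate groups for patch and minor updates, and add a comment saying that major updates are intentionally left as individual PRs. The `github-actions` entry that follows gets no group; state whether that is deliberate.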
15 changes: 13 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -25,7 +25,18 @@ jobs:
run: cargo fmt --all --check

- name: Lint
run: cargo clippy --all-targets --all-features -- -D warnings
run: cargo clippy --locked --all-targets --all-features -- -D warnings

- name: Install dependency tooling
uses: taiki-e/install-action@v2.77.2
with:
tool: cargo-deny@0.19.4,cargo-machete@0.9.2

- name: Dependency policy
run: cargo deny check

- name: Unused dependencies
run: cargo machete

- name: Test
run: cargo test --all-targets --all-features
run: cargo test --locked --all-targets --all-features
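Review bot: `uses: taiki-e/install-action@v2.77.2` in the new "Install dependency tooling" step references a tag, and a tag can be moved by the action's owner; pin it to the full commit SHA with the version as a trailing comment, so the step that installs the policy tooling cannot change underneath the job. The versions in `tool: cargo-deny@0.19.4,cargo-machete@0.9.2` are repeated in `mise.toml`, and the `cargo deny check` and `cargo machete` steps repeat the `deps-check` and `deps-unused` recipes, so CI and the local gate can drift apart; either call the recipes from CI or leave a comment pointing at the other copy.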
6 changes: 6 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -8,6 +8,8 @@ Thanks for contributing. This guide focuses on the fastest path to ship safe cha
- `mise`
- `just`
- `lefthook`
- `cargo-deny` (installed by `mise install`)
- `cargo-machete` (installed by `mise install`)

## Setup

Expand All @@ -29,6 +31,10 @@ just lint
# test
just test

# dependency policy and unused dependency checks
just deps-check
just deps-unused

# full local gate (required before PR)
just ci

3 changes: 3 additions & 0 deletions Cargo.toml
Expand Up @@ -2,6 +2,9 @@
name = "pkgrep"
version = "0.7.0"
edition = "2024"
description = "Dependency source cache helper for developers and coding agents"
license = "MIT"
repository = "https://github.com/thomasjiangcy/pkgrep"

[dependencies]
anyhow = "1.0.102"
12 changes: 11 additions & 1 deletion README.md
Expand Up @@ -310,6 +310,8 @@ Prerequisites:
- `mise` (required for project tooling)
- `just` (required task runner)
- `lefthook` (required for git hook checks)
- `cargo-deny` (installed by `mise install`)
- `cargo-machete` (installed by `mise install`)

### Tooling via mise

Expand All @@ -323,6 +325,8 @@ Common development commands:
```bash
just fmt
just lint
just deps-check
just deps-unused
just test
just ci
just hooks-run
Expand All @@ -331,7 +335,13 @@ just hooks-run
Git hooks:

- `pre-commit`: no-mocks policy + `cargo fmt --check`
- `pre-push`: clippy (`-D warnings`) + full test suite
- `pre-push`: full `just ci` gate

Dependency maintenance:

- Dependabot checks Cargo and GitHub Actions daily.
- `just deps-check` runs `cargo-deny` for advisories, license policy, duplicate versions, and allowed sources.
- `just deps-unused` runs `cargo-machete` to detect unused direct dependencies.

### Maintainer Release Flow
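Review bot: the `just deps-check` bullet under "Dependency maintenance" lists "duplicate versions" next to advisories, license policy and allowed sources, but `deny.toml` sets `multiple-versions = "warn"`, so duplicates are reported without failing the gate while the other three can fail it. Reword the bullet to say that duplicate versions only produce a warning, or raise the setting to match the text.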

32 changes: 32 additions & 0 deletions deny.toml
@@ -0,0 +1,32 @@
[advisories]
version = 2
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
yanked = "deny"
ignore = []

[licenses]
version = 2
confidence-threshold = 0.8
allow = [
"0BSD",
"Apache-2.0",
"BSD-3-Clause",
"CDLA-Permissive-2.0",
"ISC",
"MIT",
"MPL-2.0",
"Unicode-3.0",
"Unlicense",
"Zlib",
]

[bans]
multiple-versions = "warn"
wildcards = "deny"
highlight = "all"

[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
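Review bot: the `[licenses]` `allow` list applies to every crate in the graph and mixes the weak-copyleft `MPL-2.0` and the data license `CDLA-Permissive-2.0` with the permissive entries, with no note on which dependency needs each. Add a comment per non-obvious entry, or scope those two to the specific crates through license exceptions, so the list does not silently admit them for any future dependency. In `[advisories]`, add a comment above `ignore = []` requiring that every future entry carries the advisory ID and a reason.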
14 changes: 10 additions & 4 deletions justfile
Expand Up @@ -10,13 +10,19 @@ fmt-check:
cargo fmt --all --check

lint:
cargo clippy --all-targets --all-features -- -D warnings
cargo clippy --locked --all-targets --all-features -- -D warnings

check:
cargo check --all-targets --all-features
cargo check --locked --all-targets --all-features

test:
cargo test --all-targets --all-features
cargo test --locked --all-targets --all-features

deps-check:
cargo deny check

deps-unused:
cargo machete

test-no-mocks:
./.dev/check_no_mocks.sh
Expand All @@ -27,4 +33,4 @@ hooks-install:
hooks-run:
lefthook run pre-commit && lefthook run pre-push

ci: fmt-check lint test-no-mocks test
ci: fmt-check lint deps-check deps-unused test-no-mocks test
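Review bot: in `ci: fmt-check lint deps-check deps-unused test-no-mocks test` the dependency recipes run ahead of `test-no-mocks` and `test`, and `just` stops at the first failing dependency, so a newly published advisory against an unchanged crate keeps the test suite from running at all. Move `deps-check deps-unused` to the end of the list so code regressions are still reported when the dependency policy fails.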
2 changes: 1 addition & 1 deletion lefthook.yml
Expand Up @@ -9,4 +9,4 @@ pre-commit:
pre-push:
commands:
ci:
run: cargo clippy --all-targets --all-features -- -D warnings && cargo test --all-targets --all-features -q
run: mise exec -- just ci
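Review bot: `run: mise exec -- just ci` makes every push depend on `cargo deny check`, whose advisory check uses the database configured under `db-urls` in `deny.toml`, so a push can fail offline or because of an advisory unrelated to the commits being pushed. Consider limiting the hook to `cargo deny check bans licenses sources` and leaving advisories to CI, or document the bypass procedure. The old command passed `-q` to `cargo test` and the `test` recipe does not, so hook output also gets noisier.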
2 changes: 2 additions & 0 deletions mise.toml
Expand Up @@ -2,3 +2,5 @@
rust = "stable"
just = "latest"
lefthook = "latest"
"cargo:cargo-deny" = "0.19.4"
"cargo:cargo-machete" = "0.9.2"