From e67b8f0463ac3861b0b0f967a0249cc20e38e0e2 Mon Sep 17 00:00:00 2001
From: Nicolas Dreno <nicolas.dreno@gluendo.com>
Date: Wed, 13 May 2026 11:00:12 +0200
Subject: [PATCH] ci: cover fmt, clippy, tests, doc, advisories, and MSRV

Rewrites the CI workflow so the fork can stand on its own: the original
job did only fmt + build/test, which left clippy regressions, doc-link
breakage, and advisory drift to surface in PR review. The new pipeline
runs six parallel jobs sharing a Swatinem cargo cache:

  - fmt        cargo fmt --check
  - clippy     -D warnings, excluding typify-test (its codegen output
               trips clippy::derivable_impls / redundant_closure; those
               are codegen quality issues, not source-tree issues)
  - test       build + test on Linux, Windows, macOS
  - doc        cargo doc --no-deps -D warnings (intra-doc-link guard)
  - deny       cargo deny check advisories
  - msrv       cargo build on Rust 1.82

Adds a `deny.toml` ignore-list for four pre-existing unmaintained-crate
advisories (adler, paste, tempdir, remove_dir_all). Each entry carries
a note explaining the chain and the cleanup path; the tempdir/CVE pair
cancels automatically once cargo-typify swaps to tempfile.

Adds `#[allow(dead_code)]` to two `#[cfg(test)]` helpers in util.rs
(`all_mutually_exclusive`, `resolve`) that are currently unused but
referenced by a TODO comment to be wired back up.
---
 .github/workflows/rust.yml | 96 ++++++++++++++++++++++++++++++--------
 deny.toml                  | 30 ++++++++++++
 typify-impl/src/util.rs    |  2 +
 3 files changed, 108 insertions(+), 20 deletions(-)
 create mode 100644 deny.toml

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index f5c69049..745d7792 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -1,34 +1,90 @@
 #
-# Configuration for GitHub-based CI
+# Configuration for GitHub-based CI.
 #
-name: Build
+# Runs fmt / clippy / tests / docs / advisories / MSRV in parallel on
+# every PR and every push to main. All jobs share a Swatinem cargo
+# cache keyed off Cargo.lock. Toolchain is `stable` everywhere except
+# the MSRV job, which pins Rust 1.82.
+#
+name: CI
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+  CARGO_INCREMENTAL: 0
+  RUST_BACKTRACE: 1
 
 jobs:
-  check-style:
+  fmt:
+    name: cargo fmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt
+      - run: cargo fmt --all -- --check
+
+  clippy:
+    name: cargo clippy
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Report cargo version
-      run: cargo --version
-    - name: Report rustfmt version
-      run: cargo fmt -- --version
-    - name: Check style
-      run: cargo fmt -- --check
-
-  build-and-test:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy
+      - uses: Swatinem/rust-cache@v2
+      # typify-test only exists to compile typify's generated output; the
+      # warnings it surfaces (clippy::derivable_impls, redundant_closure)
+      # belong to the codegen, not source code, and are tracked separately.
+      - run: cargo clippy --workspace --all-targets --locked --exclude typify-test -- -D warnings
+
+  test:
+    name: test (${{ matrix.os }})
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - name: Build
+        run: cargo build --workspace --locked --tests --verbose
+      - name: Test
+        run: cargo test --workspace --locked --verbose
+
+  doc:
+    name: cargo doc
+    runs-on: ubuntu-latest
+    env:
+      RUSTDOCFLAGS: "-D warnings"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+      - run: cargo doc --workspace --no-deps --locked
+
+  deny:
+    name: cargo deny (advisories)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          command: check advisories
+
+  msrv:
+    name: MSRV build (1.82)
+    runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Build
-      run: cargo build --locked --tests --verbose
-    - name: Run tests
-      run: cargo test --locked --verbose
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@1.82
+      - uses: Swatinem/rust-cache@v2
+      - run: cargo build --workspace --locked
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..81028884
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,30 @@
+# cargo-deny configuration.
+#
+# CI runs `cargo deny check advisories`. The ignore list below covers
+# unmaintained-crate advisories and one CVE that all enter the tree
+# transitively through dev-dependencies; none affect published crate
+# code paths. Re-evaluate when bumping or removing the cited dep.
+
+[advisories]
+ignore = [
+    # adler 1.0.2 — unmaintained, superseded by adler2.
+    # Pulled in transitively by miniz_oxide. Wait for the ecosystem to
+    # migrate (mostly through flate2/png updates).
+    "RUSTSEC-2025-0056",
+
+    # paste 1.0.15 — unmaintained, see pastey / with_builtin_macros.
+    # Used by both typify's generated code (paste in workspace deps)
+    # and several transitive deps. Worth replacing in generated output.
+    "RUSTSEC-2024-0436",
+
+    # tempdir 0.3.7 — deprecated in favour of tempfile.
+    # Dev-dependency of cargo-typify only (integration tests). TODO:
+    # swap to tempfile and drop both this and RUSTSEC-2023-0018.
+    "RUSTSEC-2018-0017",
+
+    # remove_dir_all 0.5.3 — race-condition CVE.
+    # Reaches the tree only via tempdir (above) in cargo-typify dev
+    # tests. No production code path. Cleared automatically once the
+    # tempdir → tempfile swap above lands.
+    "RUSTSEC-2023-0018",
+]
diff --git a/typify-impl/src/util.rs b/typify-impl/src/util.rs
index 51ee7618..106dcf3a 100644
--- a/typify-impl/src/util.rs
+++ b/typify-impl/src/util.rs
@@ -51,6 +51,7 @@ pub(crate) fn metadata_title_and_description(metadata: &Option<Box<Metadata>>) -
 /// conceptually identical to the logic below that validates **if** the schemas
 /// **could** be merged (i.e. if they're compatible).
 #[cfg(test)]
+#[allow(dead_code)]
 pub(crate) fn all_mutually_exclusive(
     subschemas: &[Schema],
     definitions: &BTreeMap<RefKey, Schema>,
@@ -573,6 +574,7 @@ pub(crate) fn ref_key(ref_name: &str) -> RefKey {
 }
 
 #[cfg(test)]
+#[allow(dead_code)]
 fn resolve<'a>(
     schema: &'a Schema,
     definitions: &'a std::collections::BTreeMap<RefKey, Schema>,