Conversation
Pull request overview
This PR bootstraps cargo-vet across the repository’s three independent platform crates by adding a per-platform supply-chain/ store, plus CI automation and documentation to enforce and guide dependency vetting.
Changes:
- Add cargo-vet supply-chain stores (config.toml, audits.toml, imports.lock) for dev-imxrt, dev-npcx, and dev-qemu.
- Add a PR CI workflow that runs cargo vet --locked in a platform matrix.
- Add docs describing the local workflow and an automated PR-comment workflow for cargo vet failures/success.
Reviewed changes
Copilot reviewed 9 out of 12 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| platform/dev-imxrt/supply-chain/imports.lock | Imported third-party audit entries used to satisfy vetting for dev-imxrt’s dependency graph. |
| platform/dev-imxrt/supply-chain/config.toml | cargo-vet config + exemptions/policy for dev-imxrt. |
| platform/dev-imxrt/supply-chain/audits.toml | Local audits store initialized for dev-imxrt (currently empty). |
| platform/dev-npcx/supply-chain/imports.lock | Imported third-party audit entries used to satisfy vetting for dev-npcx’s dependency graph. |
| platform/dev-npcx/supply-chain/config.toml | cargo-vet config + exemptions/policy for dev-npcx. |
| platform/dev-npcx/supply-chain/audits.toml | Local audits store initialized for dev-npcx (currently empty). |
| platform/dev-qemu/supply-chain/imports.lock | Imported third-party audit entries used to satisfy vetting for dev-qemu’s dependency graph. |
| platform/dev-qemu/supply-chain/config.toml | cargo-vet config + exemptions/policy for dev-qemu. |
| platform/dev-qemu/supply-chain/audits.toml | Local audits store initialized for dev-qemu (currently empty). |
| docs/supply-chain.md | Process documentation for developers/auditors working with cargo vet. |
| .github/workflows/cargo-vet.yml | CI workflow to run cargo vet --locked for each platform crate on PRs. |
| .github/workflows/cargo-vet-pr-comment.yml | Follow-up workflow to comment on PRs with cargo vet results and guidance. |
Initialize cargo-vet for each of the 3 platform crates (dev-imxrt, dev-npcx, dev-qemu). Each platform has its own supply-chain/ store with audits.toml, config.toml, and imports.lock — matching cargo-vet's per-workspace design (each platform has its own Cargo.lock and dep graph, so a shared store would not satisfy cargo-vet's policy validation).

Process documentation lives at docs/supply-chain.md (single shared copy at repo root rather than duplicated into each store).

Imports the OpenDevicePartnership, bytecode-alliance, google, and mozilla audit sources, mirroring the embedded-services pattern.

Adds two CI workflows:
- cargo-vet.yml: matrix per platform, runs 'cargo vet --locked' from each platform/<dev-*>/ directory.
- cargo-vet-pr-comment.yml: workflow_run-triggered, downloads the per-platform pr-* artifacts via merge-multiple, posts the audit questionnaire on failure and updates to a success message on pass.

All 3 platforms pass 'cargo vet --locked'.
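For reference, here is an added example of a GitHub Actions workflow with the shape the commit message describes: a per-platform matrix that pins the toolchain with dtolnay/rust-toolchain, installs cargo-vet with --locked, and runs cargo vet --locked from each platform/<dev-*>/ directory. It is not the PR's actual cargo-vet.yml; the action version tags, the stable toolchain channel, the job name and the artifact layout (vet-result/, pr-<platform>) are assumptions made for the illustration.

```yaml
# Added illustration, not the repository's own .github/workflows/cargo-vet.yml.
name: cargo-vet

on:
  pull_request:

permissions:
  contents: read

jobs:
  vet:
    name: cargo vet (${{ matrix.platform }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false            # report every platform, not only the first failure
      matrix:
        platform: [dev-imxrt, dev-npcx, dev-qemu]
    steps:
      - uses: actions/checkout@v4

      # Pin the toolchain so the run is reproducible (channel is an assumption).
      - uses: dtolnay/rust-toolchain@stable

      # --locked keeps cargo-vet's own dependency tree at its published
      # Cargo.lock instead of resolving fresh versions of the vetting tool.
      - name: Install cargo-vet
        run: cargo install --locked cargo-vet

      # --locked refuses to modify Cargo.lock or the supply-chain/ store, so an
      # unaudited dependency fails the job instead of being exempted or fetched.
      - name: Run cargo vet
        working-directory: platform/${{ matrix.platform }}
        run: cargo vet --locked

      # Hypothetical: persist the per-platform outcome so a follow-up
      # workflow_run job can post a PR comment. Artifact name is an assumption.
      - name: Record result
        if: always()
        run: |
          mkdir -p vet-result
          echo "${{ job.status }}" > "vet-result/${{ matrix.platform }}.txt"
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: pr-${{ matrix.platform }}
          path: vet-result/
```

Two practitioner notes on this shape. The matrix runs from each platform directory rather than the repo root because cargo-vet resolves its policy against the Cargo.lock of the workspace it is invoked in, which is exactly why the PR keeps one supply-chain/ store per platform. The result is carried to a separate workflow_run job because a pull_request run triggered from a fork receives a read-only token and cannot comment on the PR; the workflow_run job runs with the base repository's permissions, so it should treat the downloaded artifact as untrusted data (read a status string, never execute or template its contents into a shell).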
- pin rust toolchain via dtolnay/rust-toolchain
- pass --locked to cargo install cargo-vet
- skip pr-comment job on cancelled upstream runs
- link docs/supply-chain.md at workflow_run head_sha (works on open PRs)
- 'Github' -> 'GitHub'
8ce40c6 to 6ab1b14
kurtjd approved these changes Apr 21, 2026
jerrysxie approved these changes Apr 21, 2026
jerrysxie approved these changes Apr 21, 2026
Initialize cargo-vet for each of the 3 platform crates (dev-imxrt, dev-npcx, dev-qemu). Each platform has its own supply-chain/ store — cargo-vet validates [policy.X] entries against the current workspace's dep graph, so a single shared store would not satisfy all three workspaces.

Process documentation lives at docs/supply-chain.md (single shared copy, not duplicated into each store).

Mirrors the embedded-services pattern: imports the OpenDevicePartnership, bytecode-alliance, google, and mozilla audit sources; adds a matrix cargo-vet workflow + a workflow_run-triggered PR comment workflow.

All 3 platforms pass cargo vet --locked locally.