Added cargo audit and deny to test github action and action to push published releases to crates.io

[haydonryan]

Related to #285, added to your tests to check for security vulnerabilities and packages that have advisories on. This should pass for the current master branch.

[haydonryan]

I also added a crates.io publisher for you as well. Just need to add your crates.io token to secrets (and you might want to run it initially with --dry-run to check that everything is good

[haydonryan]

I refactored the cargo deny into action as you recommended and reverted the cargo publish workflow. Would you consider this as a change or did you want to just close this PR?

Regardless of the outcome would you be able to cut a new release from main if it's ready please? This would unblock my build (and resolve #285).

[adamreichold]

I think the deny action is useful, but I want to give the other maintainers a change to express their opinions before merging anything.

This would unblock my build (and resolve #285).

When using scanning in a CI pipeline, I think one should always be prepared to just acknowledge issues to unblock builds.

Again, this is about producing software with known properties, not green checkmarks. And the lack of maintenance of fxhash for now, is something its downstream users should be aware of and to move towards rustc-hash (which they are already doing), not something that should block a build.

So in this case, I would argue that using unmaintained = 'workspace' is a sensible approach.

[haydonryan]

No problem - thanks!

Added the unmaintained = workspace to my project.

[adamreichold]

Since no opinions were expressed so far, let's merge this and revert/amend/modify if something comes up later on.

[adamreichold]

@cfvescovo I tagged a v0.25.0 release which most importantly bumps the Servo deps. Since I do not have access to crates.io, could you please publish the tag? Thanks!

[cfvescovo]

Sure, I am publishing it now