From 08434c24267d2fa89bfdd0db71cd98813c4b7711 Mon Sep 17 00:00:00 2001
From: Dan Nixon <dan@dan-nixon.com>
Date: Tue, 21 Jan 2025 15:13:03 +0000
Subject: [PATCH 1/2] Ignore GH templates in formatting

---
 treefmt.toml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/treefmt.toml b/treefmt.toml
index a715d299e..d2aa316e5 100644
--- a/treefmt.toml
+++ b/treefmt.toml
@@ -1,6 +1,10 @@
 [formatter.markdown]
 command = "mdl"
 includes = [ "*.md" ]
+excludes = [
+  ".github/pull_request_template.md",
+  ".github/ISSUE_TEMPLATE/*.md",
+]
 
 [formatter.nix]
 command = "alejandra"

From c894fd832d4cd0a44791c3c5f18ac25e0a3d16d0 Mon Sep 17 00:00:00 2001
From: Dan Nixon <dan@dan-nixon.com>
Date: Tue, 21 Jan 2025 15:02:33 +0000
Subject: [PATCH 2/2] Add cargo-deny

---
 .github/workflows/ci.yml |  3 +++
 Cargo.toml               |  2 +-
 deny.toml                | 40 ++++++++++++++++++++++++++++++++++++++++
 flake.nix                |  3 +++
 4 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 deny.toml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f495820d3..8fa255e11 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -40,6 +40,9 @@ jobs:
       - name: Format
         run: nix develop --command treefmt --fail-on-change
 
+      - name: cargo-deny
+        run: nix develop --command cargo deny check
+
       - name: Clippy
         if: steps.filter.outputs.flake == 'true' || steps.filter.outputs.rust == 'true'
         run: nix develop --command cargo clippy --all-targets -- -D warnings
diff --git a/Cargo.toml b/Cargo.toml
index 356cbfec5..9467f4e99 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -43,7 +43,7 @@ rand = "0.8.5"
 rand_distr = "0.4.3"
 ratatui = "0.22.0"
 rayon = "1.10.0"
-rdkafka = { version = "0.31.0", features = [ "cmake-build", "ssl", "gssapi", "sasl", ] }
+rdkafka = { version = "0.31.0", features = ["cmake-build", "ssl", "gssapi", "sasl"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = { version = "1.0.134" }
 supermusr-common = { path = "./common" }
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 000000000..fb5208233
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,40 @@
+[advisories]
+version = 2
+db-path = "~/.cargo/advisory-db"
+db-urls = [ "https://github.com/rustsec/advisory-db" ]
+ignore = [
+  "RUSTSEC-2024-0421",
+  "RUSTSEC-2021-0041",
+  "RUSTSEC-2024-0402",
+]
+
+[licenses]
+version = 2
+allow = [
+  "MIT",
+  "GPL-3.0",
+  "Apache-2.0",
+  "BSD-3-Clause",
+  "BSD-2-Clause",
+  "OpenSSL",
+  "Unicode-DFS-2016",
+  "ISC",
+  "LicenseRef-hdf5",
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+  { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[[licenses.clarify]]
+name = "hdf5-metno-src"
+expression = "LicenseRef-hdf5"
+license-files = [
+  { path = "ext/hdf5/COPYING", hash = 0xf13e3591 },
+]
+
+[bans]
+multiple-versions = "allow"
diff --git a/flake.nix b/flake.nix
index f51308406..95b39dbc4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -62,6 +62,9 @@
             treefmt
             mdl
 
+            # Dependency auditing
+            cargo-deny
+
             # Container image management
             skopeo