chore: Add license and audit checks

.github/workflows/audit.yml

@@ -0,0 +1,36 @@
+name: Audit
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    - cron: "0 14 * * *"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  # When getting Rust dependencies, retry on network error:
+  CARGO_NET_RETRY: 10
+  # Use the local .curlrc
+  CURL_HOME: .
+  # Disable DFX telemetry
+  DFX_TELEMETRY: 'off'
+  # Use the stable toolchain for the audit
+  RUSTUP_TOOLCHAIN: stable
+
+jobs:
+  test:
+    name: audit:required
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions-rust-lang/audit@v1

.github/workflows/deny.yml

@@ -0,0 +1,30 @@
+name: License Check
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  # When getting Rust dependencies, retry on network error:
+  CARGO_NET_RETRY: 10
+  # Use the local .curlrc
+  CURL_HOME: .
+  # Disable DFX telemetry
+  DFX_TELEMETRY: 'off'
+
+jobs:
+  cargo-deny:
+    name: license-check:required
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: rm rust-toolchain.toml
+      - uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          command: check bans licenses sources # skip advisories, which are handled by audit.yml

Cargo.toml

@@ -5,6 +5,13 @@ default-members = ["crates/icp-cli"]
 exclude = ["examples/icp-rust", "examples/icp-rust-recipe"]
 resolver = "3"
 
+[workspace.package]
+authors = ["DFINITY Stiftung <sdk@dfinity.org>"]
+edition = "2024"
+repository = "https://github.com/dfinity/icp-cli"
+rust-version = "1.88.0"
+license = "Apache-2.0"
+
 [workspace.dependencies]
 anyhow = "1.0.100"
 async-trait = "0.1.88"

LICENSE

@@ -174,28 +174,3 @@
       of your accepting any such warranty or additional liability.
 
    END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

crates/icp-canister-interfaces/Cargo.toml

@@ -2,6 +2,7 @@
 name = "icp-canister-interfaces"
 version = "0.1.0"
 edition = "2024"
+license = "Apache-2.0"
 
 [dependencies]
 bigdecimal = { workspace = true }

crates/icp-cli/Cargo.toml

@@ -3,6 +3,7 @@ name = "icp-cli"
 version = "0.1.0"
 edition = "2024"
 publish = false
+license = "Apache-2.0"
 
 [[bin]]
 name = "icp"

crates/icp/Cargo.toml

@@ -2,6 +2,7 @@
 name = "icp"
 version = "0.1.0"
 edition = "2024"
+license = "Apache-2.0"
 
 [dependencies]
 anyhow = { workspace = true }

crates/schema-gen/Cargo.toml

@@ -1,7 +1,8 @@
 [package]
 name = "schema-gen"
 version = "0.1.0"
-edition = "2021"
+edition = "2024"
+license = "Apache-2.0"
 
 [[bin]]
 name = "schema-gen"

deny.toml

@@ -0,0 +1,25 @@
+# adapted from https://github.com/dfinity-lab/common/blob/master/pkgs/overlays/packages/cargo-deny/buildtime.toml
+# for context, see https://github.com/dfinity-lab/common/blob/master/pkgs/overlays/packages/cargo-deny/runtime.toml
+# we allow more licenses in the build-time check. all rust dependencies are statically linked,
+# so copyleft licenses like MPL which allow static linking are A-OK
+[licenses]
+allow = [
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BlueOak-1.0.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "CC0-1.0",
+    "CDLA-Permissive-2.0",
+    "ISC",
+    "MIT",
+    "MPL-2.0",
+    "Zlib",
+    "Unicode-DFS-2016",
+    "Unicode-3.0",
+]
+
+unused-allowed-license = "allow"
+
+[sources]
+allow-git = ["https://github.com/dfinity/agent-rs.git"]

rust-toolchain.toml

@@ -1,3 +1,3 @@
 [toolchain]
-channel = "1.86.0"
+channel = "1.88.0"
 components = ["rustfmt", "clippy"]