fix(ci): use SPDX string for Cargo.toml license field#727

Merged
imran-siddique merged 1 commit intomicrosoft:mainfrom
imran-siddique:fix/cargo-license-format
Apr 2, 2026
Conversation

@imran-siddique
Member

Cargo.toml requires `license = "MIT"` (SPDX string), not `license = {text = "MIT"}` (pyproject.toml table format).

Cargo.toml requires license = "MIT" (SPDX string), not
license = {text = "MIT"} (table format used by pyproject.toml).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@imran-siddique imran-siddique merged commit 1b367b7 into microsoft:main Apr 2, 2026
19 of 21 checks passed
@github-actions github-actions bot added the size/XS Extra small PR (< 10 lines) label Apr 2, 2026

@github-actions github-actions bot left a comment

🤖 AI Agent: code-reviewer

Review Summary

This pull request addresses a correction in the Cargo.toml file for the Rust SDK (agentmesh) by replacing an invalid license field format with the correct SPDX string format. The change ensures compliance with Cargo's expectations for the license field.

The change is straightforward and does not introduce any new functionality or modify existing logic. However, I will evaluate it in the context of the repository's focus areas.


Feedback

🔴 CRITICAL

No critical issues identified in this pull request.

🟡 WARNING

No backward compatibility issues identified in this pull request. The change is limited to metadata and does not affect the public API or runtime behavior.

💡 SUGGESTION

  1. Validation of Cargo.toml Compliance:

    • 💡 Consider adding a CI step to validate the Cargo.toml file for compliance with Cargo's schema. This would help catch similar issues in the future before they are merged. Tools like cargo check or cargo metadata can be used for this purpose.
  2. Repository-Wide Audit:

    • 💡 Since this issue was identified in one Cargo.toml file, it may be worth auditing other Cargo.toml files in the repository (if any) to ensure they also use the correct SPDX string format for the license field.
  3. Documentation Update:

    • 💡 If there is internal documentation or contribution guidelines for this repository, consider adding a note about using SPDX license strings in Cargo.toml files to prevent similar issues in the future.

Conclusion

This pull request is a minor metadata fix and does not introduce any risks or breaking changes. It is safe to merge. However, implementing the suggestions above could help improve the robustness of the repository's CI/CD pipeline and prevent similar issues in the future.

@github-actions

github-actions bot commented Apr 2, 2026

🤖 AI Agent: security-scanner — Security Review of Pull Request

Security Review of Pull Request

This pull request modifies the Cargo.toml file for the Rust SDK of the AgentMesh governance framework, specifically updating the license field to use the correct SPDX string format (license = "MIT") instead of the incorrect table format (license = {text = "MIT"}).

Security Impact Assessment

This change is related to metadata formatting and does not directly impact the runtime behavior, security, or functionality of the AgentMesh SDK. However, as this repository is a critical security-focused library, a thorough review is warranted to ensure no indirect security implications arise.

1. Prompt Injection Defense Bypass

Assessment: No impact. This change does not involve prompt handling or input sanitization.
Rating: 🔵 LOW

2. Policy Engine Circumvention

Assessment: No impact. This change does not modify any policy-related logic or enforcement mechanisms.
Rating: 🔵 LOW

3. Trust Chain Weaknesses

Assessment: No impact. This change does not involve trust chain validation, SPIFFE/SVID, or certificate handling.
Rating: 🔵 LOW

4. Credential Exposure

Assessment: No impact. This change does not introduce or expose any credentials, secrets, or sensitive information.
Rating: 🔵 LOW

5. Sandbox Escape

Assessment: No impact. This change does not involve containerization, process isolation, or sandboxing mechanisms.
Rating: 🔵 LOW

6. Deserialization Attacks

Assessment: No impact. This change does not involve deserialization or data parsing logic.
Rating: 🔵 LOW

7. Race Conditions

Assessment: No impact. This change does not involve concurrency, locking, or time-of-check-to-time-of-use (TOCTOU) vulnerabilities.
Rating: 🔵 LOW

8. Supply Chain

Assessment: Potential indirect impact. The license field in Cargo.toml is used by package managers and tools to identify the licensing terms of the package. Using an incorrect format could lead to misinterpretation of the license, potentially causing issues in downstream projects that rely on this metadata for compliance checks. However, this change fixes the issue by aligning the format with the expected SPDX standard.
Rating: 🔵 LOW

Recommendations

  1. Approve the Change: This pull request corrects a metadata issue and aligns the Cargo.toml file with the expected SPDX license format. It does not introduce any security vulnerabilities or functional changes.
  2. Verify Compliance: Ensure that all other metadata fields in Cargo.toml are accurate and comply with the expected standards.
  3. Automated Checks: Consider adding a CI step to validate Cargo.toml files for compliance with Rust's metadata standards to prevent similar issues in the future.

Final Rating: 🔵 LOW

This change is safe to merge from a security perspective. No further action is required.
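Both bot reviews suggest a CI step that validates Cargo.toml before merge. The following is an added example of such a check, written for this page and not part of the PR or the AgentMesh project: it parses a manifest with Python's tomllib, rejects the pyproject.toml-style table form the PR removed, and applies a loose syntactic check that the value is an SPDX expression (identifiers joined by AND/OR/WITH, with optional parentheses). The sample manifests are constructed, and the identifier regex is an assumption that accepts the shape of SPDX ids without checking them against the SPDX list.

```python
"""CI-style check: the [package] license field in Cargo.toml must be an SPDX string."""
import re
import sys

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Assumed shape of an SPDX license id (MIT, Apache-2.0, GPL-3.0-or-later, ...).
# This is a syntactic filter only; it does not consult the SPDX identifier list.
_ID = re.compile(r"^[A-Za-z0-9.+-]+$")
_OPERATORS = {"AND", "OR", "WITH"}


def is_spdx_expression(value: str) -> bool:
    """Return True if value alternates license ids and operators, with balanced parens."""
    tokens = value.replace("(", " ( ").replace(")", " ) ").split()
    if not tokens:
        return False
    expect_id = True  # the next token must be an id or an opening paren
    depth = 0
    for tok in tokens:
        if tok == "(":
            if not expect_id:
                return False
            depth += 1
        elif tok == ")":
            if expect_id or depth == 0:
                return False
            depth -= 1
        elif tok in _OPERATORS:
            if expect_id:
                return False
            expect_id = True
        else:
            if not expect_id or not _ID.match(tok):
                return False
            expect_id = False
    return not expect_id and depth == 0


def check_manifest(text: str) -> list[str]:
    """Return a list of problems with the manifest text; an empty list means it passes."""
    try:
        data = tomllib.loads(text)
    except tomllib.TOMLDecodeError as exc:
        return [f"manifest is not valid TOML: {exc}"]
    package = data.get("package")
    if not isinstance(package, dict):
        return ["missing [package] table"]
    license_value = package.get("license")
    if license_value is None:
        # Cargo accepts license-file as the alternative to license.
        return [] if "license-file" in package else ["no license or license-file field"]
    if not isinstance(license_value, str):
        # This is exactly the pyproject.toml-style table form Cargo rejects.
        return [f"license must be an SPDX string, got "
                f"{type(license_value).__name__}: {license_value!r}"]
    if not is_spdx_expression(license_value):
        return [f"license {license_value!r} is not a valid SPDX expression"]
    return []


# Constructed sample manifests (not the project's real Cargo.toml).
BROKEN_MANIFEST = '''
[package]
name = "example-sdk"
version = "0.1.0"
license = { text = "MIT" }   # pyproject.toml table style: rejected
'''

FIXED_MANIFEST = '''
[package]
name = "example-sdk"
version = "0.1.0"
license = "MIT"
'''


def main(paths: list[str]) -> int:
    """Check each manifest path; exit status 1 if any problem is found."""
    status = 0
    for path in paths:
        with open(path, "rb") as fh:
            problems = check_manifest(fh.read().decode("utf-8"))
        for problem in problems:
            print(f"{path}: {problem}")
            status = 1
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # With no paths given, demonstrate on the constructed samples.
    print("broken:", check_manifest(BROKEN_MANIFEST))
    print("fixed:", check_manifest(FIXED_MANIFEST))
```

In a pipeline this would run as `python check_license.py $(git ls-files '**/Cargo.toml' Cargo.toml)`, failing the job on the first malformed manifest. The `cargo metadata --no-deps` invocation the reviewer mentions would also refuse a non-string license, but needs a Rust toolchain on the runner; this script only needs Python and gives a message that names the offending field.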
