topgrade-rs · niStee · Nov 15, 2025 · Nov 15, 2025 · Nov 15, 2025 · Nov 15, 2025
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
@@ -0,0 +1,43 @@
+name: cargo-deny
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout repository
+        # action pin via: git ls-remote https://github.com/actions/checkout refs/tags/v5.0.0 | head -1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          fetch-depth: 1
+
+      - name: Install cargo-deny
+        # action pin via: git ls-remote https://github.com/taiki-e/install-action refs/tags/v2.60.0 | head -1
+        uses: taiki-e/install-action@0c5db7f7f897c03b771660e91d065338615679f4 # v2.60.0
+        with:
+          tool: [email protected]
+
+      - name: Run cargo deny (advisories)
+        run: cargo deny check advisories --all-features
+        continue-on-error: true
+
+      - name: Run cargo deny (licenses)
+        run: cargo deny check licenses --all-features
+        continue-on-error: true
+
+      - name: Run cargo deny (bans)
+        run: cargo deny check bans --all-features
+        continue-on-error: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,7 +7,7 @@ on:
 name: CI
 
 env:
-  CROSS_VER: '0.2.5'
+  CROSS_VER: "0.2.5"
   CARGO_NET_RETRY: 3
 
 permissions:
@@ -21,11 +21,14 @@ jobs:
   fmt:
     name: Rustfmt
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
+        # action pin via: git ls-remote https://github.com/actions/checkout refs/tags/v5.0.0 | head -1
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Run cargo fmt
         env:
@@ -37,11 +40,13 @@ jobs:
   custom-checks:
     name: Custom checks
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Check if `Step` enum is sorted
         run: |
@@ -93,7 +98,7 @@ jobs:
           fi
 
   main:
-    needs: [ fmt, custom-checks ]
+    needs: [fmt, custom-checks]
     name: ${{ matrix.target_name }} (check, clippy)
     runs-on: ${{ matrix.os }}
     strategy:
@@ -138,16 +143,20 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Setup Rust Cache
+        # action pin via: git ls-remote https://github.com/Swatinem/rust-cache refs/tags/v2.8.1 | head -1
         uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
         with:
           prefix-key: ${{ matrix.target }}
 
-      - name: Setup cross
+      - name: Install cross
         if: matrix.use_cross == true
-        run: |
-          curl -fL --retry 3 "https://github.com/cross-rs/cross/releases/download/v${CROSS_VER}/cross-x86_64-unknown-linux-musl.tar.gz" | tar vxz -C /usr/local/bin
+        # action pin via: git ls-remote https://github.com/taiki-e/install-action refs/tags/v2.60.0 | head -1
+        uses: taiki-e/install-action@0c5db7f7f897c03b771660e91d065338615679f4 # v2.60.0
+        with:
+          tool: cross@${{ env.CROSS_VER }}
 
       - name: Run cargo/cross check
         run: |

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,45 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    - cron: "0 3 * * 1"
+
+permissions:
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze (Rust)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout repository
+        # action pin via: git ls-remote https://github.com/actions/checkout refs/tags/v5.0.0 | head -1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          fetch-depth: 1
+
+      - name: Initialize CodeQL
+        # action pin via: git ls-remote https://github.com/github/codeql-action refs/tags/v4.31.3 | head -1
+        uses: github/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
+        with:
+          languages: rust
+
+      - name: Autobuild
+        # action pin via: git ls-remote https://github.com/github/codeql-action refs/tags/v4.31.3 | head -1
+        uses: github/codeql-action/autobuild@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
+
+      - name: Perform CodeQL Analysis
+        # action pin via: git ls-remote https://github.com/github/codeql-action refs/tags/v4.31.3 | head -1
+        uses: github/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
+        with:
+          category: "/language:rust"
diff --git a/.github/workflows/create_release_assets.yml b/.github/workflows/create_release_assets.yml
@@ -2,7 +2,7 @@ name: Publish release files for CD native and non-cd-native environments
 
 on:
   repository_dispatch:
-    types: [ release-created ]
+    types: [release-created]
 
 permissions:
   # Write permissions to call the repository dispatch
@@ -28,14 +28,16 @@ jobs:
         # Use the Ubuntu 22.04 image to link with a low version of glibc
         #
         # https://github.com/topgrade-rs/topgrade/issues/1095
-        platform: [ ubuntu-22.04, macos-latest, macos-15-intel, windows-latest ]
+        platform: [ubuntu-22.04, macos-latest, macos-15-intel, windows-latest]
     runs-on: ${{ matrix.platform }}
+    timeout-minutes: 90
     env:
       tag: ${{ github.event.client_payload.tag }}
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Install needed components
         run: |
@@ -165,13 +167,15 @@ jobs:
     # Even though this is cross-compiled, it links to the libc6-<arch>-cross installed on the host
     # (see the apt-get install calls below)
     runs-on: ubuntu-22.04
+    timeout-minutes: 120
     env:
       matrix_target: ${{ matrix.target }}
       tag: ${{ github.event.client_payload.tag }}
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Install needed components
         run: |
@@ -276,10 +280,8 @@ jobs:
         if: ${{ matrix.target == 'aarch64-unknown-linux-gnu' || matrix.target == 'armv7-unknown-linux-gnueabihf' }}
         shell: bash
 
-
       - name: Upload assets
-        run:
-          gh release upload "${tag}" assets/*
+        run: gh release upload "${tag}" assets/*
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -290,7 +292,7 @@ jobs:
 
   triggers:
     runs-on: ubuntu-latest
-    needs: [ native_build, cross_build ]
+    needs: [native_build, cross_build]
     env:
       tag: ${{ github.event.client_payload.tag }}
     steps:

diff --git a/.github/workflows/release_to_homebrew.yml b/.github/workflows/release_to_homebrew.yml
@@ -7,9 +7,14 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   homebrew-publish:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     steps:
     - name: Bump formulae
       uses: dawidd6/action-homebrew-bump-formula@3428a0601bba3173ec0bdcc945be23fa27aa4c31 # v5

diff --git a/.github/workflows/release_to_pypi.yml b/.github/workflows/release_to_pypi.yml
@@ -7,10 +7,15 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   # TODO: make linux/windows/macos/sdist a matrix. See how other workflows do it.
   linux:
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     strategy:
       matrix:
         target: [x86_64, x86, aarch64]
@@ -33,13 +38,15 @@ jobs:
 
   windows:
     runs-on: windows-latest
+    timeout-minutes: 60
     strategy:
       matrix:
         target: [x64, x86]
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Build wheels
         uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
@@ -54,13 +61,15 @@ jobs:
 
   macos:
     runs-on: macos-latest
+    timeout-minutes: 60
     strategy:
       matrix:
         target: [x86_64, aarch64]
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Build wheels
         uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
@@ -75,10 +84,12 @@ jobs:
 
   sdist:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
+          fetch-depth: 1
 
       - name: Build sdist
         uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4

diff --git a/.github/workflows/release_to_winget.yml b/.github/workflows/release_to_winget.yml
@@ -7,9 +7,14 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   publish:
     runs-on: windows-latest
+    timeout-minutes: 30
     steps:
       - uses: vedantmgoyal2009/winget-releaser@19e706d4c9121098010096f9c495a70a7518b30f # main
         with:

diff --git a/README.md b/README.md
@@ -8,6 +8,8 @@
   <a href="https://aur.archlinux.org/packages/topgrade"><img alt="AUR" src="https://img.shields.io/aur/version/topgrade.svg"></a>
   <a href="https://formulae.brew.sh/formula/topgrade"><img alt="Homebrew" src="https://img.shields.io/homebrew/v/topgrade.svg"></a>
 
+  <a href="https://github.com/topgrade-rs/topgrade/actions/workflows/codeql.yml"><img alt="CodeQL" src="https://github.com/topgrade-rs/topgrade/actions/workflows/codeql.yml/badge.svg?branch=main"></a>
+
   <img alt="Demo" src="doc/topgrade_demo.gif">
 </div>
 

diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,27 @@
+[advisories]
+vulnerability = "deny"
+unmaintained = "warn"
+unsound = "deny"
+yanked = "warn"
+ignore = [
+  # Add RUSTSEC IDs here with expiry and reason once triaged
+]
+
+[licenses]
+unlicensed = "deny"
+allow = ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Zlib"]
+exceptions = [
+  # { name = "some-crate", version = "=1.2.3", allow = ["License-Ref-..."], rationale = "..." }
+]
+confidence-threshold = 0.8
+
+[bans]
+multiple-versions = "warn"
+wildcards = "deny"
+deny = [
+  # { name = "old-crate", version = "<1.0.0", note = "Use maintained fork" }
+]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "warn"