From 016ff2e37aa201ba75feee6bf19421a0b4ab6c6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Kijewski?=
Date: Mon, 23 Sep 2024 23:50:25 +0200
Subject: [PATCH 1/4] ci: audit with `cargo-deny`
---
 .github/workflows/rust.yml | 5 +----
 deny.toml | 4 ++++
 2 files changed, 5 insertions(+), 4 deletions(-)
 create mode 100644 deny.toml
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 58a373b..ffd4803 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -265,10 +265,7 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
- - name: Audit
- uses: rustsec/audit-check@v1.4.1
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ - uses: EmbarkStudios/cargo-deny-action@v2
 fallback:
 runs-on: ubuntu-latest
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..c554f8b
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,4 @@
+[licenses]
+version = 2
+allow = ["Apache-2.0", "MIT", "Unicode-DFS-2016"]
+private = { ignore = true }
From c248d1be65eeba671162f4518b271f176c78b7bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Kijewski?=
Date: Mon, 23 Sep 2024 23:50:56 +0200
Subject: [PATCH 2/4] ci: add typo check
---
 .github/workflows/rust.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index ffd4803..bcb9233 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -383,3 +383,9 @@ jobs:
 run: cargo r --manifest-path=api_gen/Cargo.toml
 - name: Diff generated Rust code
 run: test -z "$(git status --porcelain)" || (echo "::error::Generated files are different, please regenerate with cargo run --manifest-path=api_gen/Cargo.toml!"; git status; false)
+
+ typos:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: crate-ci/typos@master
From baf35b4bfd85e40cecf5ee3ef1ab20c591e9bbfe Mon Sep 17 00:00:00 2001
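Review bot: The replacement step `- uses: EmbarkStudios/cargo-deny-action@v2` in the `@@ -265` hunk of `.github/workflows/rust.yml` (patch 1/4) references the action by a movable tag, so whatever that tag resolves to at run time is what executes in CI. The same applies to `crate-ci/typos@master` in patch 2/4, which follows a branch and is the loosest of the lot, and to `microsoft/DevSkim-Action@v1` and `github/codeql-action/upload-sarif@v3` in patch 3/4. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: EmbarkStudios/cargo-deny-action@<full-commit-sha>  # v2`, with Dependabot or Renovate proposing the bumps. The audit job's header lies outside this hunk, so whether it narrows `permissions:` now that the step no longer takes a token cannot be seen from here.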
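Review bot: The new `deny.toml` (patch 1/4) configures only `[licenses]`, although it now backs the job that used to be the RustSec audit, so the advisory and source checks run on cargo-deny's built-in defaults without that choice being written down. Adding a `[sources]` table with `unknown-registry = "deny"` and `unknown-git = "deny"` would make a dependency pulled from an unexpected registry or git URL fail the job instead of only warning. A one-line comment above `private = { ignore = true }` saying which workspace crates it is meant to exempt from the license check would also help the next reader.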
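Review bot: The `typos` job added in the `@@ -383` hunk (patch 2/4) declares no `permissions:` block, so its `GITHUB_TOKEN` gets the repository's default scope even though the job only checks out the tree and runs a spell checker. Add `permissions:` with `contents: read` under `runs-on: ubuntu-latest`, matching the explicit block the `devskim` job receives in patch 3/4. Unless a workflow-level `permissions:` outside this hunk already narrows the token, a read-only token matters most here, because the job's second step follows a branch ref rather than a fixed revision.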
From: =?UTF-8?q?Ren=C3=A9=20Kijewski?=
Date: Mon, 23 Sep 2024 23:53:01 +0200
Subject: [PATCH 3/4] ci: add DevSkim security and BCP scanning
---
 .github/workflows/rust.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index bcb9233..9025852 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -389,3 +389,18 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - uses: crate-ci/typos@master
+
+ devskim:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+ - name: Run DevSkim scanner
+ uses: microsoft/DevSkim-Action@v1
+ - name: Upload DevSkim scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: devskim-results.sarif
From 355c7af17d2170ef433b5cc215c4f0f356a5ed9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Kijewski?=
Date: Mon, 23 Sep 2024 23:54:15 +0200
Subject: [PATCH 4/4] ci: remove `-Zminimal-versions` check for WASM
---
 .github/workflows/rust.yml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 9025852..f58865e 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -80,9 +80,6 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- versions:
- - ""
- - "-Zminimal-versions"
 toolchain:
 - stable
 - nightly
@@ -102,10 +99,6 @@ jobs:
 uses: taiki-e/install-action@v2
 with:
 tool: wasm-pack
- - name: Update lockfile
- run: cargo generate-lockfile ${{ matrix.versions }}
- env:
- RUSTC_BOOTSTRAP: 1
 - run: wasm-pack test --node
 build-cross:
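Review bot: In the `devskim` job added by the `@@ -389` hunk (patch 3/4), the upload step's `sarif_file: devskim-results.sarif` depends on the scanner step writing exactly that file, yet `Run DevSkim scanner` passes no `with:` inputs, so the name comes from the action's default. Setting the output name explicitly on the scanner step (the action's `output-filename` input, if I read its interface correctly) would state the coupling in the workflow itself rather than leaving it to a default that a moving `@v1` tag could change. A short comment such as `# security-events: write is required by upload-sarif` above the permissions block would also record why this job holds the one write scope in the file.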