ci: Fix test workflow, add cargo deny

.github/workflows/build.yml

@@ -281,7 +281,7 @@ jobs:
         run: cargo install wasm-pack || true
 
       - name: Setup NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 20
           registry-url: 'https://registry.npmjs.org'

.github/workflows/test.yml

@@ -47,6 +47,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
       - run: |
           rustup update
           venv .venv
@@ -70,6 +74,7 @@ jobs:
           fail_ci_if_error: true
           token: ${{secrets.CODECOV_TOKEN}}
 
+  # https://github.com/actions/starter-workflows/blob/main/pages/mdbook.yml
   docs:
     name: 📖 Update docs
     runs-on: ubuntu-latest
@@ -87,15 +92,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - run: bash ./scripts/docs-install.sh
-
-      # - name: Setup mdBook
-      #   uses: peaceiris/actions-mdbook@v1
-      #   with:
-      #     mdbook-version: 'latest'
-
       - run: bash ./scripts/docs-build.sh
 
       - name: Setup Pages
+        id: pages
         uses: actions/configure-pages@v4
 
       - name: Upload artifact

.pre-commit-config.yaml

@@ -16,6 +16,12 @@ repos:
         name: 🪚 Fix end of files
     -   id: trailing-whitespace
         name: ✂️  Trim trailing whitespaces
+-   repo: https://github.com/crate-ci/typos
+    rev: v1.19.0
+    hooks:
+    -   id: typos
+        name: ✒️  Check typos
+        # exclude: ^CHANGELOG.md$
 -   repo: local
     hooks:
       - id: rustfmt
@@ -24,6 +30,11 @@ repos:
         entry: cargo fmt
         language: system
         pass_filenames: false
+      - id: deny
+        name: ❌ Check licenses
+        entry: cargo deny check licenses
+        language: system
+        pass_filenames: false
 ci:
     autofix_commit_msg: 🎨 [pre-commit.ci] Auto format from pre-commit.com hooks
     autoupdate_commit_msg: ⬆ [pre-commit.ci] pre-commit autoupdate

Makefile.toml

@@ -10,7 +10,7 @@ default_to_workspace = false
 script="""
 rustup update
 rustup component add rustfmt clippy
-cargo install wasm-pack cargo-tarpaulin mdbook mdbook-admonish mdbook-pagetoc
+cargo install wasm-pack cargo-tarpaulin cargo-deny mdbook mdbook-admonish mdbook-pagetoc
 pipx install "maturin[patchelf]"
 pipx install pre-commit
 pre-commit install

deny.toml

@@ -0,0 +1,109 @@
+# https://embarkstudios.github.io/cargo-deny
+
+targets = []
+#exclude = []
+all-features = false
+no-default-features = false
+#features = []
+feature-depth = 1
+
+# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+ignore = [
+    #"RUSTSEC-0000-0000",
+]
+# Threshold for security vulnerabilities:
+# * None - CVSS Score 0.0
+# * Low - CVSS Score 0.1 - 3.9
+# * Medium - CVSS Score 4.0 - 6.9
+# * High - CVSS Score 7.0 - 8.9
+# * Critical - CVSS Score 9.0 - 10.0
+#severity-threshold =
+
+# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
+[licenses]
+unlicensed = "deny"
+# See https://spdx.org/licenses/ for list of possible licenses
+allow = [
+    #"MIT",
+    #"Apache-2.0 WITH LLVM-exception",
+]
+deny = [
+    #"Nokia",
+]
+copyleft = "warn"
+# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
+# * both - The license will be approved if it is both OSI-approved *AND* FSF
+# * either - The license will be approved if it is either OSI-approved *OR* FSF
+allow-osi-fsf-free = "either"
+# Lint level used when no other predicates are matched
+# 1. License isn't in the allow or deny lists
+# 2. License isn't copyleft
+# 3. License isn't OSI/FSF, or allow-osi-fsf-free = "neither"
+default = "deny"
+# The confidence threshold for detecting a license from license text.
+# [possible values: any between 0.0 and 1.0].
+confidence-threshold = 0.6
+exceptions = [
+    { allow = ["OpenSSL"], name = "ring", version = "*" },
+    # Each entry is the crate and version constraint, and its specific allow list
+]
+
+[licenses.private]
+# If true, ignores workspace crates that aren't published https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field.
+ignore = false
+registries = [
+    #"https://sekretz.com/registry
+]
+
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+# The graph highlighting used when creating dotgraphs for crates with multiple versions
+# * lowest-version - The path to the lowest versioned duplicate is highlighted
+# * simplest-path - The path to the version with the fewest edges is highlighted
+# * all - Both lowest-version and simplest-path are used
+highlight = "all"
+workspace-default-features = "allow"
+external-default-features = "allow"
+allow = [
+    #{ name = "ansi_term", version = "=0.11.0" },
+]
+deny = [
+    # Each entry the name of a crate and a version range. If version is
+    # not specified, all versions will be matched.
+    #{ name = "ansi_term", version = "=0.11.0" },
+]
+
+# Certain crates/versions that will be skipped when doing duplicate detection.
+skip = [
+    #{ name = "ansi_term", version = "=0.11.0" },
+]
+# Similarly to `skip` allows you to skip certain crates during duplicate
+# detection. Also includes the entire tree of transitive dependencies
+skip-tree = [
+    #{ name = "ansi_term", version = "=0.11.0", depth = 20 },
+]
+
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+# List of URLs for allowed Git repositories
+allow-git = []
+
+# [sources.allow-org]
+# # 1 or more github.com organizations to allow git sources for
+# github = [""]
+# # 1 or more gitlab.com organizations to allow git sources for
+# gitlab = [""]
+# # 1 or more bitbucket.org organizations to allow git sources for
+# bitbucket = [""]

lib/docs/contributing.md

@@ -61,17 +61,20 @@ nanopub-rs/
 Install development dependencies:
 
 ```bash
-# Activate python virtual env
+# Create and activate python virtual env
 python3 -m venv .venv
 source .venv/bin/activate
+
 # Install python dependencies
 pip install maturin pre-commit
+
 # Install pre-commit hooks
 pre-commit install
+
 # Install rust dev tools
 rustup update
 rustup component add rustfmt clippy
-cargo install wasm-pack cargo-tarpaulin mdbook mdbook-admonish cargo-make
+cargo install wasm-pack cargo-tarpaulin cargo-deny mdbook mdbook-admonish cargo-make
 ```
 
 ### 📥️ Clone the repository
@@ -127,11 +130,12 @@ Build the pip package and run `pytest` tests:
 ./scripts/test-python.sh
 ```
 
-Or just run the script:
+Or just run the tests:
 
 ```bash
 source .venv/bin/activate
-python python/try.py
+cd python
+pytest
 ```
 
 ### 🟨 Test JavaScript package
@@ -202,6 +206,14 @@ cargo build --all
 cargo run --all-features
 ```
 
+### ️⛓️ Check supply chain
+
+Check the dependency supply chain, only accept dependencies with OSI or FSF approved licenses.
+
+```bash
+cargo deny check
+```
+
 ### 🏷️ New release
 
 Publishing artifacts will be done by the `build.yml` workflow, make sure you have set the following tokens as secrets for this repository: `PYPI_TOKEN`, `NPM_TOKEN`, `CRATES_IO_TOKEN`, `CODECOV_TOKEN`

python/README.md

@@ -18,10 +18,10 @@ Start in dev:
 maturin develop
 ```
 
-Try the python lib:
+Test the python lib:
 
 ```bash
-python try.py
+pytest
 ```
 
 ## Build

scripts/docs-build.sh

@@ -5,9 +5,9 @@ rm -rf target/doc
 
 mdbook build
 
-cargo doc --workspace --no-deps --exclude nanopub-cli --exclude nanopub-js --exclude nanopub-sign --target-dir target/doc
+# NOTE: we can also add the docstrings to the generated docs under /doc/nanopub, but it is already available at https://docs.rs/nanopub
+# cargo doc --workspace --no-deps --exclude nanopub-cli --exclude nanopub-js --exclude nanopub-sign --target-dir target/doc
 
-# cp js/index.html target/doc/demo.html
 
 echo "Docs generated in the target/doc folder"
 

scripts/install-dev.sh

@@ -10,7 +10,7 @@ pip install maturin pre-commit
 rustup update
 rustup component add rustfmt clippy
 
-cargo install wasm-pack cargo-tarpaulin cargo-make
+cargo install wasm-pack cargo-tarpaulin cargo-deny cargo-make
 
 source scripts/docs-install.sh