V0.2.0 mergeback: 05-19-2026#854
Merged
Merged
Conversation
…evicePartnership#803) This pull request introduces several important improvements to the cargo-vet audit process documentation and configuration, focusing on stricter exemption policies, duplicate audit entry prevention, and the addition of new audit records. The main themes are: enhanced documentation for reviewers, stricter exemption and deduplication workflows, and updates to the audit registry. **Documentation and Workflow Improvements:** * Added explicit instructions to always run `cargo vet` commands non-interactively to prevent blocking on terminal input, and clarified how to set the pager and use `--accept-all` for certification. (.github/agents/cargo-vet-auditor.agent.md) * Strengthened the policy that exemptions (`[[exemptions]]`) should only be used as a last resort, requiring explicit user confirmation and justification, and that every exemption must include a `notes` field explaining its necessity and removal conditions. (.github/agents/cargo-vet-auditor.agent.md, .github/skills/cargo-vet-audit/SKILL.md) [[1]](diffhunk://#diff-34643b14215fa0cbb482e40432146ebcf329c13cd61ef7b7fed20e112b8e19e6R89-R127) [[2]](diffhunk://#diff-c18d588b43b8f757894f63618ccb4e6f2d9a5adb55452ac09267853410462f77R63-R85) * Introduced a duplicate-audit guardrail: before certifying, the workflow now checks for identical existing audit entries and instructs reviewers to deduplicate them, preventing redundant audit records. (.github/agents/cargo-vet-auditor.agent.md, .github/skills/cargo-vet-audit/SKILL.md) [[1]](diffhunk://#diff-34643b14215fa0cbb482e40432146ebcf329c13cd61ef7b7fed20e112b8e19e6R89-R127) [[2]](diffhunk://#diff-c18d588b43b8f757894f63618ccb4e6f2d9a5adb55452ac09267853410462f77L107-R155) **Audit Registry Updates:** * Added new or updated audit entries for the following crates: `autocfg`, `crunchy`, `serde_spanned`, `tap`, `thread_local`, and `valuable`, all with detailed notes and criteria. (supply-chain/audits.toml) [[1]](diffhunk://#diff-eb494298b7630e575978d77f3bdd3178163bb7f5dbbf7e24316abe77210549f6R49-R54) [[2]](diffhunk://#diff-eb494298b7630e575978d77f3bdd3178163bb7f5dbbf7e24316abe77210549f6R81-R86) [[3]](diffhunk://#diff-eb494298b7630e575978d77f3bdd3178163bb7f5dbbf7e24316abe77210549f6R475-R480) [[4]](diffhunk://#diff-eb494298b7630e575978d77f3bdd3178163bb7f5dbbf7e24316abe77210549f6R501-R512) [[5]](diffhunk://#diff-eb494298b7630e575978d77f3bdd3178163bb7f5dbbf7e24316abe77210549f6R568-R573) * Added a new trusted entry for `rustc-demangle` with `safe-to-deploy` criteria. (supply-chain/audits.toml) **Configuration Clean-up:** * Removed unused or unnecessary import sources from `supply-chain/config.toml` (specifically `embark-studios` and `zcash`). (supply-chain/config.toml)
…ePartnership#813) This lock was being held for the duration of the conditional branch, causing a deadlock in `update_current_consumer`.
This pull request significantly reduces the number of explicit exemptions listed in the `supply-chain/config.toml` file. Many crates that were previously exempted from certain audit criteria have been removed from the exemptions list, leaving only a single exemption for the `generator` crate. Dependency audit policy updates: * Removed numerous crate exemptions from the `[exemptions]` section, which previously allowed specific versions of various dependencies to bypass the default audit criteria. Now, only the `generator` crate remains explicitly exempted.
This bumps the workspace `heapless` dependency from `0.8.*` to a pinned
`0.9.2` (heapless 0.9.0/0.9.1 were yanked). Because every public type
that exposes heapless containers is now backed by a different major
version, this is a breaking change for every downstream consumer of any
`embedded-services` workspace crate (`embedded-service`, `cfu-service`,
`thermal-service`, `type-c-service`, `power-policy-service`,
`battery-service`, etc.).
Downstream consumers MUST also bump their own `heapless` dependency to
`0.9` or accept multi-major heapless in their lockfile. Direct users of
the affected APIs will need to update calls/types per the heapless 0.9
migration notes (see below).
Heapless 0.9 source migration applied here:
- `heapless::FnvIndexSet` moved to `heapless::index_set::FnvIndexSet`.
Fixed in `power-policy-service/src/lib.rs` (`connected_providers`) and
`type-c-service/src/service/ucsi.rs`
(`valid_battery_charging_capability`).
- No use of `heapless::HistoryBuffer` / `MpMcQueue` / `Q*` aliases /
`histbuf` module / `defmt-03` feature in this workspace, so no further
source/feature edits were required.
- `Vec::extend_from_slice`/`from_slice`/`resize` and
`String::push`/`push_str` now return `CapacityError` instead of `()`;
the workspace doesn't pattern-match these as `Err(())`, so no callsite
updates were needed.
Opportunistic version bumps applied alongside (kept embassy-time stack
in sync so heapless 0.9 actually reaches the active workspace):
- `embassy-time`: `0.5.0` -> `0.5.1`
- `embassy-time-driver`: `0.2.1` -> `0.2.2`
- `embassy-time-queue-utils` lockfile pin: `0.3.0` -> `0.3.2` (0.3.0
still pinned heapless 0.8 transitively)
Also bumps `embassy-time` patch in the three example workspaces
(`examples/rt633`, `examples/rt685s-evk`, `examples/std`).
Final per-workspace heapless lockfile states (tracked for the org-wide
audit):
- root, examples/{rt633, rt685s-evk, std}: `0.8.0` + `0.9.2`
- `embedded-service/Cargo.lock`, `power-policy-service/Cargo.lock`:
unchanged (these subdir lockfiles are not part of any workspace --
`cargo locate-project --workspace` from those directories returns the
root manifest, so cargo never touches them. They are stale orphans and
retain `0.7.17` + `0.8.0`. Not deleted in this commit because they are
still being touched by unrelated PRs; flag for separate cleanup.)
Remaining heapless 0.8.0 in active lockfiles is held there by upstream
deps that haven't bumped yet:
- `tps6699x` (git, pins `heapless = "0.8.0"`)
- `keyberon` (git master, pins heapless 0.8 -- via `keyboard-service`)
- `usb-device 0.3.2` (latest crates.io -- via `keyberon`)
cargo-deny: also adds `RUSTSEC-2026-0110` (bare-metal, unmaintained) to
`deny.toml`'s `advisories.ignore` list, matching the precedent set for
`RUSTSEC-2024-0370`. Local `cargo deny --all-features --locked check
bans licenses sources` is green; the `advisories` sub-check is skipped
locally only because cargo-deny 0.18.2 trips on the CVSS 4.0 advisory
`RUSTSEC-2026-0066` (astral-tokio-tar) -- CI's `cargo-deny-action`
wrapper uses a newer cargo-deny that handles it.
cargo-vet: certifies `embassy-time-queue-utils 0.3.0 -> 0.3.2` as
`safe-to-deploy` (only audit needed; other delta versions were already
covered or matched existing audits).
Local CI replicated and green:
- `cargo fmt --all --check`
- `cargo machete`
- `cargo doc --no-deps -F log --locked` and `-F defmt --locked`
- `cargo hack --feature-powerset
--mutually-exclusive-features=log,defmt,defmt-timestamp-uptime clippy
--locked --target x86_64-pc-windows-msvc`
- `cargo +1.90 check -F log --locked` and `-F defmt --locked`
- `cargo clippy --target thumbv8m.main-none-eabihf --locked` for both
ARM examples; `cargo clippy --locked` for the std example
- `cargo deny --all-features --locked check bans licenses sources`
- `cargo vet`
(`cargo test` skipped locally: the workspace's test build pulls
defmt/cortex-m via `debug-service` and links unconditionally, which does
not work on the Windows MSVC host even on `main`. CI runs it on Ubuntu
where it does work.)
Assisted-by: Claude:claude-opus-4.7
Co-authored-by: Felipe Balbi <febalbi@microsoft.com>
…rtnership#822) Every commit with AI-assisted work must include an Assisted-by trailer. AI agents must verify their own identity before composing the trailer and must not add Signed-off-by tags. Assisted-by: GitHub Copilot:claude-opus-4.6
…icePartnership#834) This PR applies two org-wide standardisation changes (ref: OpenDevicePartnership/embedded-rust-template#20): 1. **LICENSE** – normalise the copyright line to: `Copyright (c) Open Device Partnership and Contributors`
tullom
requested review from
asasine,
chchongmsft,
felipebalbi,
gjpmsft,
jerrysxie,
kurtjd,
makubacki,
seanbrns,
thdesil and
williampMSFT
Cargo Vet Audit Passed
|
Contributor
There was a problem hiding this comment.
Pull request overview
Merge-back from the v0.2.0 line that primarily updates dependency versions (notably heapless and embassy-time), adjusts code to match updated APIs, and refreshes cargo-vet supply-chain metadata and contributor guidance.
Changes:
- Bump workspace dependencies (e.g.,
heaplessto0.9.2,embassy-timeto0.5.1,embassy-time-driverto0.2.2) and propagate updates to example workspaces/locks. - Update code to the
heapless 0.9.xmodule path forFnvIndexSet. - Add/refresh cargo-vet audits/imports metadata and extend internal docs/agent guidance (AI attribution, exemptions, dedup).
Reviewed changes
Copilot reviewed 10 out of 15 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| type-c-service/src/service/ucsi.rs | Updates FnvIndexSet path for heapless 0.9.x compatibility. |
| power-policy-service/src/service/mod.rs | Updates FnvIndexSet path and constructor for heapless 0.9.x. |
| supply-chain/imports.lock | Updates imported publisher/audit metadata and normalizes TOML quoting. |
| supply-chain/audits.toml | Adds many new cargo-vet audit entries and trusted publisher info. |
| LICENSE | Updates copyright notice to include contributors. |
| examples/std/Cargo.toml | Updates example dependency versions/ranges for Embassy crates. |
| examples/std/Cargo.lock | Refreshes example lockfile to newer dependency graph (incl. heapless). |
| examples/rt685s-evk/Cargo.toml | Updates embassy-time version in embedded example. |
| examples/rt685s-evk/Cargo.lock | Refreshes embedded example lockfile (incl. heapless). |
| examples/pico-de-gallo/Cargo.lock | Refreshes lockfile entries for embassy-time / embassy-time-driver. |
| Cargo.toml | Updates workspace dependency versions (heapless + embassy-time*). |
| Cargo.lock | Refreshes lockfile for updated dependency versions (incl. heapless). |
| .github/skills/cargo-vet-audit/SKILL.md | Adds guidance on exemptions and duplicate-audit cleanup. |
| .github/copilot-instructions.md | Adds commit-message AI attribution requirements. |
| .github/agents/cargo-vet-auditor.agent.md | Adds non-interactive/duplicate-audit guardrails and updates pager guidance. |
Comments suppressed due to low confidence (2)
.github/agents/cargo-vet-auditor.agent.md:132
- This command example still recommends
$env:PAGER='more.com', which is a pager that can pause and block. Please switch the PowerShell example to a truly non-interactive passthrough pager to match the “Non-Interactive Execution” requirement.
### For Delta Audits
Use `PAGER=cat cargo vet diff CRATE FROM TO` (POSIX) or
`$env:PAGER='more.com'; cargo vet diff CRATE FROM TO` (PowerShell) to view the diff.
.github/agents/cargo-vet-auditor.agent.md:144
- Same issue here:
$env:PAGER='more.com'may block waiting for input. To keepcargo vet inspectnon-interactive in PowerShell, use a pager that never pauses (or omit the pager entirely if possible).
### For Full Version Audits
Use `PAGER=cat cargo vet inspect CRATE VERSION` (POSIX) or
`$env:PAGER='more.com'; cargo vet inspect CRATE VERSION` (PowerShell) to view source.
RobertZ2011
approved these changes
May 19, 2026
felipebalbi
approved these changes
May 19, 2026
Contributor
felipebalbi
left a comment
felipebalbi
left a comment
There was a problem hiding this comment.
mostly straightforward merge.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.