ci: add cargo-check-external-types, config

This commit adds configuration and a CI task for checking that no types from dependencies are accidentally leaked through the Rcgen public API unintentionally. The previous commits in this branch fixed the `*ring*` type leaks, so our configuration only has two white-listed types as of this branch: 1. `time::offset_date_time::OffsetDateTime` It's unclear whether usage of that type should be adjusted, so for now we explicitly allow-list it in the cargo-check-external-types config. We can deal with this type (or not) in the future. 2. `zeroize::Zeroize` We could probably avoid leaking this type by implementing `Drop` and calling `zeroize` on fields directly from the `drop` impl. In the meantime we add this type to the allow list.
rustls · Oct 27, 2023 · 405827f · 405827f
1 parent 64fc928
commit 405827f
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -61,6 +61,24 @@ jobs:
         env:
           RUSTDOCFLAGS: ${{ matrix.rust_channel == 'nightly' && '-Dwarnings --cfg=docsrs' || '-Dwarnings' }}
 
+  check-external-types:
+    name: Validate external types appearing in public API
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: nightly-2023-10-10
+          # ^ sync with https://github.com/awslabs/cargo-check-external-types/blob/main/rust-toolchain.toml
+      - run: cargo install --locked cargo-check-external-types
+      - name: run cargo-check-external-types for rcgen/
+        working-directory: rcgen/
+        run: cargo check-external-types --all-features
+
   build-windows:
     runs-on: windows-latest
     env:

diff --git a/rcgen/Cargo.toml b/rcgen/Cargo.toml
@@ -35,6 +35,12 @@ default = ["pem"]
 [package.metadata.docs.rs]
 features = ["x509-parser"]
 
+[package.metadata.cargo_check_external_types]
+allowed_external_types = [
+    "time::offset_date_time::OffsetDateTime",
+    "zeroize::Zeroize"
+]
+
 [dev-dependencies]
 openssl = "0.10"
 x509-parser = { version = "0.15", features = ["verify"] }