ci: Prevent dependencies issue

[kazuk]

Issue number and link

Fixes: #138

Describe your changes

add deny.toml for cargo-deny
add cargo-deny install for Github Actions
add check-dependencies task for makefile
add CI job for runs it.

Checklist before requesting a review

• I follow the Semantic Pull Requests rules (bugfix/feature)
• I specified links to related issues (must: bugfix, want: feature)
• I have performed a self-review of my code (bugfix/feature)
• I have added thorough tests (bugfix/feature)
• I have edited ## [Unreleased] section in CHANGELOG.md following keep a changelog syntax (bugfix/feature)
• I {made/will make} a related pull request for documentation repo (feature)

[codecov]

Codecov Report

Merging #142 (15adc1c) into main (19e2230) will increase coverage by 0.03%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main     #142      +/-   ##
==========================================
+ Coverage   87.81%   87.84%   +0.03%     
==========================================
  Files         203      203              
  Lines       12620    12620              
==========================================
+ Hits        11082    11086       +4     
+ Misses       1538     1534       -4     

Impacted Files	Coverage Δ
...omous_executor/row/value/sql_value/nn_sql_value.rs	66.48% <0.00%> (-0.55%)	⬇️
springql-core/src/pipeline.rs	92.30% <0.00%> (ø)
springql-core/src/stream_engine.rs	95.65% <0.00%> (ø)
...ngql-core/tests/feat_performance_metrics_report.rs	99.37% <0.00%> (ø)
...e/src/sql_processor/sql_parser/pest_parser_impl.rs	88.00% <0.00%> (+0.28%)	⬆️
springql-core/src/expression.rs	75.44% <0.00%> (+1.19%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 19e2230...15adc1c. Read the comment docs.

[kazuk]

cargo deny check runs here!

https://github.com/SpringQL/SpringQL/runs/6432517672?check_suite_focus=true#step:13:65

[kazuk]

I skip CHANGELOG update, because this is CI job changes.
no change to CODE & Documents.

[laysakura]

Thanks.
I need deeper look at deny.toml but (done) already have some change requests.

[laysakura]

This seems too severe.

build should run even with bad dependencies.

[kazuk]

The build process executes the crate build scripts and procedural macros that came in from the dependencies.

For this reason, we need to verify that the dependencies are safe before building, which is represented by dependencies.

[laysakura]

The build process executes the crate build scripts and procedural macros

Yes. They can be malicious.

But I don't think putting this dependency saves developers (they might use cargo build).

I think it's OK to run malicious codes in CI's containers at build time.

IMO, running check-dependencies as a required job on pull-request should be enough.
(Maybe better to run it also on creating release artifacts)

[kazuk]

But I don't think putting this dependency saves developers (they might use cargo build).

The problem is certainly not solved this way.

I'm looking for a solution, but I haven't found a solution at the moment.

[laysakura]

ref: #148

[laysakura]

📝 Will review again after #148 closed.

-> Merge #142 and then #148 to cover wider cases.

[laysakura]

ref: #148

[laysakura]

👍
https://github.com/SpringQL/SpringQL/runs/6479942252?check_suite_focus=true fails for #140