From a52a2a12c789f04b025694948d32754bd347de76 Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Tue, 12 Nov 2024 01:29:50 -0500
Subject: [PATCH] Split `cargo-deny` job into two non-matrix jobs

Instead of conditionally applying `continue-on-error: true` at the job level to the `advisories` job, this splits `cargo-deny` into two job definitions, `cargo-deny-advisories` and `cargo-deny`, where *neither* has `continue-on-error` but `cargo-deny-advisories` is omitted as a dependency of the `tests-pass` job that makes jobs effectively required for PR auto-merge. This way, when there is an unaddressed advisory, the `cargo-deny-advisories` job unambiguously fails, even failing the workflow, but PRs can still auto-merge. One implication of this is that, on Dependabot security update PRs, `@dependabot merge` and `@dependabot squash and merge` commands will only perform a merge if `cargo deny check advisories` reports no other outstanding advisories. This is because, when Dependabot is told to merge a PR, it only goes ahead with the merge if all checks pass (i.e. report a successful conclusion). This would be convenient for cases where, if the fix is not complete, further manual review is desired. It would otherwise be inconvenient, but then a usual PR auto-merge could be done instead (which is the more common practice here anyway).

---
 .github/workflows/ci.yml | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1f9b115f33f..fd0a82649f0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -192,23 +192,25 @@ jobs:
 # than allows is no problem either if it comes to that.
 continue-on-error: true
- cargo-deny:
+ # This job is not required for PR auto-merge, so that sudden announcement of a
+ # new advisory does not keep otherwise OK pull requests from being integrated.
+ cargo-deny-advisories:
 runs-on: ubuntu-latest
- strategy:
- matrix:
- checks:
- - advisories
- - bans licenses sources
+ steps:
+ - uses: actions/checkout@v4
+ - uses: EmbarkStudios/cargo-deny-action@v2
+ with:
+ command: check advisories
- # Prevent sudden announcement of a new advisory from failing ci:
- continue-on-error: ${{ matrix.checks == 'advisories' }}
+ cargo-deny:
+ runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
 - uses: EmbarkStudios/cargo-deny-action@v2
 with:
- command: check ${{ matrix.checks }}
+ command: check bans licenses sources
 wasm:
 name: WebAssembly
@@ -300,6 +302,7 @@ jobs:
 # List all jobs that are intended NOT to block PR auto-merge here.
 EXPECTED_NONBLOCKING_JOBS: |-
 test-fixtures-windows
+ cargo-deny-advisories
 wasm
 tests-pass
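Review bot: The two `uses:` lines added to the new `cargo-deny-advisories` job reference third-party actions by floating tag (`actions/checkout@v4`, `EmbarkStudios/cargo-deny-action@v2`), so the code that runs against the checkout can change without any diff in this file; the customary mitigation is pinning to a full commit SHA and keeping the tag as a trailing comment, e.g. `- uses: EmbarkStudios/cargo-deny-action@<full-commit-sha>  # v2`. The unchanged `cargo-deny` steps have the same shape, so this is a follow-up to the split rather than a regression it introduces. Separately, the new header comment on `cargo-deny-advisories` says the job is non-blocking, but what enforces that is the `EXPECTED_NONBLOCKING_JOBS` entry added in the second hunk together with the `tests-pass` `needs:` list, which is outside this patch; naming that coupling in the comment, e.g. `# ... (listed in EXPECTED_NONBLOCKING_JOBS under tests-pass; keep it out of that job's needs).`, keeps the two from drifting apart. The diffstat accounts for all twelve insertions in these two hunks, so `needs:` is presumably unchanged, which is consistent with `cargo-deny` keeping its name — worth confirming when merging.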