make rust cargo deny depdency auditing disabled by default in Jenkins CICD

gerardcl · gerardcl · commit d45cfe82f1bf · 2025-08-14T13:01:00.000+02:00
diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml
@@ -108,7 +108,7 @@ jobs:
         working-directory: common/jenkins-agents/rust/docker
         run: |
           docker build --tag agent-rust-test-ubi8 --file Dockerfile.ubi8 \
-            --build-arg rustVersion=1.86.0 \
+            --build-arg rustVersion=1.88.0 \
             --build-arg rustToolchain=x86_64-unknown-linux-gnu \
             --build-arg cargoNextestVersion=0.9.94 \
             --build-arg cargoLlvmCovVersion=0.6.16 \
diff --git a/be-rust-axum/Jenkinsfile.template b/be-rust-axum/Jenkinsfile.template
@@ -10,7 +10,7 @@ odsComponentPipeline(
   ]
 ) { context ->
   odsComponentFindOpenShiftImageOrElse(context) {
-    stageCI(context, true)  // set `lintDependencies` to false if cargo-deny is not needed
+    stageCI(context, false)  // set `auditDependencies` to true if using cargo-deny
     odsComponentStageScanWithSonar(context)
     stageBuild(context)
     odsComponentStageBuildOpenShiftImage(context)
@@ -27,7 +27,7 @@ def stageBuild(def context) {
   }
 }
 
-def stageCI(def context, def lintDependencies) {
+def stageCI(def context, def auditDependencies) {
   stage('Cargo Check') {
     sh """
         cargo --version
@@ -51,7 +51,7 @@ def stageCI(def context, def lintDependencies) {
         cargo clippy --message-format=json &> build/test-results/clippy/report.json
       """
   }
-  if (lintDependencies) {
+  if (auditDependencies) {
     stage('Cargo Deny') {
       sh """
           mkdir -p build/test-results/deny
diff --git a/be-rust-axum/rust-template/README.md b/be-rust-axum/rust-template/README.md
@@ -13,6 +13,14 @@ This project uses [pre-commit](https://pre-commit.com).
 pre-commit install
 ```
 
+The provided pre-commit hooks are:
+- gitleaks (check for secrets)
+- cargo-deny (dependency auditing, see/update `deny.toml` config file)
+- cargo-fmt (formatter, see/update `rustfmt.toml` config file)
+- cargo-clippy (linter)
+
+**NOTE**: the cargo hooks also run in Jenkins CICD, but cargo deny is disabled by default, see Jenkinsfile.
+
 ## Adding caching in your CICD
 
 One can improve the build pipeline time by implementing a caching mechanism as shown next:
diff --git a/be-rust-axum/testdata/golden/jenkins-build-stages.json b/be-rust-axum/testdata/golden/jenkins-build-stages.json
@@ -15,10 +15,6 @@
     "stage": "Cargo Clippy",
     "status": "SUCCESS"
   },
-  {
-    "stage": "Cargo Deny",
-    "status": "SUCCESS"
-  },
   {
     "stage": "Cargo Test",
     "status": "SUCCESS"

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ odsComponentPipeline(`
`10`	`10`	`]`
`11`	`11`	`) { context ->`
`12`	`12`	`odsComponentFindOpenShiftImageOrElse(context) {`
`13`		- stageCI(context, true) // set `lintDependencies` to false if cargo-deny is not needed
	`13`	+ stageCI(context, false) // set `auditDependencies` to true if using cargo-deny
`14`	`14`	`odsComponentStageScanWithSonar(context)`
`15`	`15`	`stageBuild(context)`
`16`	`16`	`odsComponentStageBuildOpenShiftImage(context)`
`@@ -27,7 +27,7 @@ def stageBuild(def context) {`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`
`30`		`-def stageCI(def context, def lintDependencies) {`
	`30`	`+def stageCI(def context, def auditDependencies) {`
`31`	`31`	`stage('Cargo Check') {`
`32`	`32`	`sh """`
`33`	`33`	`cargo --version`
`@@ -51,7 +51,7 @@ def stageCI(def context, def lintDependencies) {`
`51`	`51`	`cargo clippy --message-format=json &> build/test-results/clippy/report.json`
`52`	`52`	`"""`
`53`	`53`	`}`
`54`		`- if (lintDependencies) {`
	`54`	`+ if (auditDependencies) {`
`55`	`55`	`stage('Cargo Deny') {`
`56`	`56`	`sh """`
`57`	`57`	`mkdir -p build/test-results/deny`