Add more to flake checks

Author: TymanWasTaken

.github/workflows/push.yaml

@@ -30,10 +30,10 @@ jobs:
                   purge-primary-key: never
 
             - name: Check nix flake
-              run: nix flake check
+              run: nix -L flake check
 
             - name: Build backend with nix
-              run: nix build .#backend
+              run: nix -L build .#backend
 
             - name: Upload built nix package
               uses: actions/upload-artifact@v4

Cargo.lock

@@ -11,9 +11,8 @@ anyhow = "1.0.98"
 base16ct = { version = "0.2.0", features = ["std"] }
 clap = { version = "4.5.41", features = ["derive", "env"] }
 env_logger = "0.11.8"
-itertools = "0.14.0"
 moka = { version = "0.12.10", features = ["future"] }
-prometheus-client = "0.23.1"
+# prometheus-client = "0.23.1"
 quick-xml = { version = "0.38.0", features = ["serde", "serialize"] }
 reqwest = { version = "0.12.22", default-features = false, features = ["charset", "http2", "system-proxy", "json", "rustls-tls"] }
 semver = "1.0.26"

Cargo.toml

@@ -7,6 +7,10 @@
             inputs.nixpkgs.follows = "nixpkgs";
         };
         crane.url = "github:ipetkov/crane";
+        advisory-db = {
+            url = "github:rustsec/advisory-db";
+            flake = false;
+        };
         treefmt-nix = {
             url = "github:numtide/treefmt-nix";
             inputs.nixpkgs.follows = "nixpkgs";
@@ -20,6 +24,7 @@
             flake-utils,
             rust-overlay,
             crane,
+            advisory-db,
             treefmt-nix,
             ...
         }:
@@ -41,10 +46,13 @@
                     buildInputs = with pkgs; [ openssl ];
                     nativeBuildInputs = with pkgs; [ pkg-config ];
                 };
+                cargoArtifacts = craneLib.buildDepsOnly commonArgs;
+                commonArgsWithDeps = commonArgs // {
+                    inherit cargoArtifacts;
+                };
                 cranePackage = craneLib.buildPackage (
-                    commonArgs
+                    commonArgsWithDeps
                     // {
-                        cargoArtifacts = craneLib.buildDepsOnly commonArgs;
                         meta = {
                             mainProgram = "backend";
                             license = lib.licenses.gpl3Plus;
@@ -61,14 +69,68 @@
                     backend = cranePackage;
                 };
                 formatter = treefmtEval.config.build.wrapper;
-                checks.formatting = treefmtEval.config.build.check self;
+                checks = {
+                    formatting = treefmtEval.config.build.check self;
+                    clippy = craneLib.cargoClippy (
+                        commonArgsWithDeps // { cargoClippyExtraArgs = "--all-targets -- --deny warnings"; }
+                    );
+                    deny =
+                        let
+                            git = ''HOME="$GIT_HOME" git'';
+                            gitInit = ''
+                                ${git} config --global init.defaultBranch "main"
+                                ${git} config --global user.email "example@example.com"
+                                ${git} config --global user.name "John Doe"
+                                ${git} init
+                                ${git} add -A
+                                ${git} commit -m "init"
+                            '';
+                        in
+                        craneLib.cargoDeny (
+                            commonArgs
+                            // {
+                                cargoDenyChecks = "--disable-fetch all";
+                                nativeBuildInputs = [ pkgs.git ];
+                                configurePhase = ''
+                                    runHook preConfigure
+
+                                    DB_PATH="$CARGO_HOME"/advisory-dbs/advisory-db-3157b0e258782691
+                                    mkdir -p "$DB_PATH"
+
+                                    pushd "$DB_PATH"
+
+                                    ln -s ${advisory-db}/{*,.*} .
+                                    GIT_HOME="$(mktemp -d)"
+                                    ${gitInit} # Cargo-deny complains if it isn't a real repo
+
+                                    popd
+
+                                    runHook postConfigure
+                                '';
+                            }
+                        );
+                    udeps = craneLib.mkCargoDerivation (
+                        commonArgsWithDeps
+                        // {
+                            nativeBuildInputs = [ pkgs.cargo-udeps ];
+                            pnameSuffix = "-udeps";
+                            buildPhaseCargoCommand = ''
+                                cargo --offline \
+                                    udeps \
+                                    --all-targets \
+                                    --all-features
+                            '';
+                        }
+                    );
+                };
                 devShells.default = craneLib.devShell {
                     # Add all build-time dependencies to the environment
                     packages =
                         cranePackage.buildInputs
                         ++ cranePackage.nativeBuildInputs
                         ++ (with pkgs; [
                             cargo-deny
+                            cargo-udeps
                             evcxr
                             lldb
                             self.formatter.${system}