From f83d74a1797022d9e1d0bf7b8bbe574a9d6144f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Christian=20Gr=C3=BCnhage?= <jc@neon.tech>
Date: Tue, 7 Jan 2025 11:32:14 +0100
Subject: [PATCH] Move cargo-deny into a separate workflow on a schedule

---
 .github/workflows/build_and_test.yml |  5 -----
 .github/workflows/cargo-deny.yml     | 33 ++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/cargo-deny.yml

diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index 12b1ac98ac87..985fc05c91ce 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -231,11 +231,6 @@ jobs:
           cargo hakari generate --diff  # workspace-hack Cargo.toml is up-to-date
           cargo hakari manage-deps --dry-run  # all workspace crates depend on workspace-hack
 
-      # https://github.com/EmbarkStudios/cargo-deny
-      - name: Check rust licenses/bans/advisories/sources
-        if: ${{ !cancelled() }}
-        run: cargo deny check --hide-inclusion-graph
-
   build-and-test-locally:
     needs: [ tag, build-build-tools-image ]
     strategy:
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
new file mode 100644
index 000000000000..c210fdf3514b
--- /dev/null
+++ b/.github/workflows/cargo-deny.yml
@@ -0,0 +1,33 @@
+name: cargo deny checks
+
+on:
+  pull_request:
+    paths:
+      - 'Cargo.lock'
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  cargo-deny:
+    strategy:
+      matrix: ${{ fromJSON(github.event_name == 'schedule' && '{"ref":["main","release","release-proxy"]}' || format('{{"ref":["{0}"]}}', github.sha)) }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ matrix.ref }}
+
+      # https://github.com/EmbarkStudios/cargo-deny
+      - name: Check rust licenses/bans/advisories/sources
+        if: ${{ !cancelled() }}
+        run: cargo deny check --hide-inclusion-graph
+
+      - name: Post to a Slack channel
+        if: ${{ github.event_name == 'schedule' && failure() }}
+        uses: slackapi/slack-github-action@v1
+        with:
+          channel-id: ${{ vars.CARGO_DENY_SCHEDULE_FAILURE_CHANNEL }}
+          slack-message: |
+            Periodic cargo-deny on ${{ matrix.ref }}: ${{ job.status }}
+            <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub Run>