chore(ci): remove redundant SARIF workaround for cargo-deny#655
Merged
cargo-deny 0.19.0 now includes a fix for empty locations in SARIF output (EmbarkStudios/cargo-deny#819). The jq workaround that added Cargo.lock as a fallback location is no longer needed.
gilescope approved these changes on Jan 8, 2026.
cosmir17 added a commit that referenced this pull request on Feb 4, 2026.
Summary
Remove the jq workaround that added Cargo.lock as a fallback location for cargo-deny SARIF results with empty locations. This workaround is no longer needed as cargo-deny 0.19.0 now handles this natively.

Changes

Context
GitHub Code Scanning requires at least one location per SARIF result. Previously, cargo-deny produced results with empty locations: [] arrays for dependency advisories (because Cargo.lock locations are filtered out). This caused GitHub to reject the SARIF upload.

The upstream fix (EmbarkStudios/cargo-deny#819) adds {workspace_root}/Cargo.toml as a fallback location when no other locations exist. This was released in cargo-deny 0.19.0.

Since we use cargo install cargo-deny (which gets the latest version), we now automatically get this fix.

Testing
CI rust-security-scan job passed:
/home/runner/work/midnight-indexer/midnight-indexer/Cargo.toml)
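The failure mode described in the Context section (a SARIF result whose locations array is empty, which GitHub Code Scanning rejects) and the fallback that both the removed jq workaround and the upstream cargo-deny fix apply can be illustrated in a few lines. The script below is an added example, not code from the midnight-indexer repository, from cargo-deny, or from the jq workaround that this PR removes; the SARIF document it parses is constructed for illustration, the rule id is a placeholder, and the Cargo.toml fallback URI is an assumption modelled on the upstream behaviour. The first function is the check a maintainer can run against real cargo-deny output to confirm that no result still ships without a location; the second patches in a fallback the way the workaround did.

```python
"""Check SARIF output for results with no locations and add a fallback.

Added example: not the project's CI code, not cargo-deny's, and not the
original jq workaround. SAMPLE_SARIF is constructed; the rule id is a
placeholder; the fallback uri "Cargo.toml" is an assumption.
"""
import copy
import json

# Constructed SARIF 2.1.0 document: one advisory result with an empty
# locations array (what older cargo-deny emitted when only Cargo.lock
# locations existed and were filtered out) and one result with a location.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "cargo-deny"}},
        "results": [
            {"ruleId": "RUSTSEC-XXXX-XXXX",  # placeholder, not a real advisory
             "message": {"text": "advisory result with no location"},
             "locations": []},
            {"ruleId": "bans",
             "message": {"text": "banned crate"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Cargo.toml"}}}]},
        ],
    }],
})


def results_without_locations(sarif):
    """Return (run_index, result_index) pairs whose locations array is
    empty or missing. An empty list means the upload is safe from this
    particular Code Scanning rejection."""
    missing = []
    for ri, run in enumerate(sarif.get("runs", [])):
        for xi, result in enumerate(run.get("results", [])):
            if not result.get("locations"):
                missing.append((ri, xi))
    return missing


def add_fallback_location(sarif, uri="Cargo.toml"):
    """Return a copy of the document in which every result lacking a
    location gets one physicalLocation pointing at `uri` (assumed to be
    relative to the workspace root, as in the upstream fix)."""
    patched = copy.deepcopy(sarif)
    for ri, xi in results_without_locations(patched):
        patched["runs"][ri]["results"][xi]["locations"] = [
            {"physicalLocation": {"artifactLocation": {"uri": uri}}}
        ]
    return patched


def check(sarif_text, uri="Cargo.toml"):
    """Parse SARIF text, report results without locations before and after
    the fallback is applied, and return the patched document."""
    doc = json.loads(sarif_text)
    before = results_without_locations(doc)
    patched = add_fallback_location(doc, uri)
    after = results_without_locations(patched)
    return {"before": before, "after": after, "patched": patched}


if __name__ == "__main__":
    report = check(SAMPLE_SARIF)
    print("results without locations before patch:", report["before"])
    print("results without locations after patch:", report["after"])
```

With cargo-deny 0.19.0 the "before" list should already be empty on real output, which is the property this PR relies on when it drops the workaround; running only results_without_locations in CI as a guard (rather than patching) keeps the pipeline honest if a future cargo-deny release regresses.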