chore(ci): Enforce cargo-deny in CI
With #11448, we are pulling in a wide and deep dependency tree which makes it harder for us to track what we are pulling in over time.
I've been trying out [`cargo-deny`](https://github.com/EmbarkStudios/cargo-deny) on my projects and wanted to explore how useful it might be for cargo. atm I only have it configured to fail for unexpected licenses. We can also use its warnings to hunt down and remove duplicated dependencies to speed up our builds.
I did also enable advisories. We ignore the failure in a way to not block PRs or even show up as failure in PRs as PR authors are not responsible for dealing with these (unless its a new dep) and it can be intimidating as a contributor to see a failure and have no idea how to resolve it (as authors generally assume CI is green and failures are there fault)
I did not go too much further into what all `cargo-deny` can do; there might be more we can leverage.
This allows to use `gitoxide` for all fetch operations, boosting performance
for fetching the `crates.io` index by a factor of 2.2x, while being consistent
on all platforms.
For trying it, nightly builds of `cargo` can specify `-Zgitoxide=fetch`.
It's also possible to set the `__CARGO_USE_GITOXIDE_INSTEAD_OF_GIT2=1` environment
variable (value matters), which is when `-Zgitoxide=none` can be used
to use `git2` instead.
Limitations
-----------
Note that what follows are current shortcomings that will be addressed in future PRs.
- it's likely that authentication around the `ssh` protocol will work differently in practice
as it uses the `ssh` program.
- clones from `file://` based crates indices will need the `git` binary to serve the locatl repository.
- the progress bar shown when fetching doesn't work like the orgiinal, but should already feel 'faster'.
We skip failure for advisories on the step, rather than the job, to not
distract contributors in thinking they broke something as that bubbles
up into the PR job summary.
Previously mdbook was bumped in #11646 for contrib.yml worflow
but main.yaml workflow. This makes the two in sync and also
upgrades to the latest 0.4.27. (Though there is nothing really
changed for application users as us)
The v2 implementation uses Node 12, which is end-of-life on April 30, 2022.
See https://nodejs.org/en/about/releases/. Update to v3, which is based on
Node 16 whose support lasts until April 30, 2024.
I don't think this has ever actually sent a meaningful version bump PR
we weren't already aware of, so unless someone else wants to be in
charge of these I'm going to go ahead and disable dependabot.
Add the start of a basic benchmarking suite.
This adds the start of a basic benchmarking suite for cargo. This is fairly rough, but I figure it will change and evolve over time based on what we decide to add and how we use it.
There is some documentation in the `benches/README.md` file which gives an overview of what is here and how to use it.
Closes#9935
