rosetta-rs
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -1,26 +1,35 @@
 {
-  "schedule": [
-    "before 3am on the first day of the month"
+  schedule: [
+    'before 5am on the first day of the month',
   ],
-  "semanticCommits": "enabled",
-  "configMigration": true,
-  "packageRules": [
+  semanticCommits: 'enabled',
+  configMigration: true,
+  dependencyDashboard: true,
+  packageRules: [
     // Goals:
     // - Rollup safe upgrades to reduce CI runner load
     // - Have lockfile and manifest in-sync
     {
-      "matchManagers": ["cargo"],
-      "matchCurrentVersion": ">=0.1.0",
-      "matchUpdateTypes": ["patch"],
-      "automerge": true,
-      "groupName": "compatible",
+      matchManagers: [
+        'cargo',
+      ],
+      matchCurrentVersion: '>=0.1.0',
+      matchUpdateTypes: [
+        'patch',
+      ],
+      automerge: true,
+      groupName: 'compatible',
     },
     {
-      "matchManagers": ["cargo"],
-      "matchCurrentVersion": ">=1.0.0",
-      "matchUpdateTypes": ["minor"],
-      "automerge": true,
-      "groupName": "compatible",
+      matchManagers: [
+        'cargo',
+      ],
+      matchCurrentVersion: '>=1.0.0',
+      matchUpdateTypes: [
+        'minor',
+      ],
+      automerge: true,
+      groupName: 'compatible',
     },
   ],
 }
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -1,21 +1,49 @@
 name: Security audit
+
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:
       - '**/Cargo.toml'
       - '**/Cargo.lock'
   push:
-    paths:
-      - '**/Cargo.toml'
-      - '**/Cargo.lock'
-  schedule:
-  - cron: '3 3 3 * *'
+    branches:
+    - main
+
+env:
+  RUST_BACKTRACE: 1
+  CARGO_TERM_COLOR: always
+  CLICOLOR: 1
+
 jobs:
   security_audit:
+    permissions:
+      issues: write # to create issues (actions-rs/audit-check)
+      checks: write # to create check (actions-rs/audit-check)
     runs-on: ubuntu-latest
+    # Prevent sudden announcement of a new advisory from failing ci:
+    continue-on-error: true
     steps:
     - name: Checkout repository
       uses: actions/checkout@v3
     - uses: actions-rs/audit-check@v1
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
+
+  cargo_deny:
+    permissions:
+      issues: write # to create issues (actions-rs/audit-check)
+      checks: write # to create check (actions-rs/audit-check)
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - bans sources
+    steps:
+    - uses: actions/checkout@v3
+    - uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        command: check ${{ matrix.checks }}
+        rust-version: stable
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,19 +1,19 @@
-name: ci
+name: CI
+
+permissions:
+  contents: read
+
 on:
   pull_request:
-    paths:
-    - '**'
-    - '!/*.md'
-    - '!/docs/**'
-    - "!/LICENSE-*"
   push:
     branches:
     - main
-    paths:
-    - '**'
-    - '!/*.md'
-    - '!/docs/**'
-    - "!/LICENSE-*"
+
+env:
+  RUST_BACKTRACE: 1
+  CARGO_TERM_COLOR: always
+  CLICOLOR: 1
+
 jobs:
   smoke:
     name: Quick Check
@@ -22,11 +22,9 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v3
     - name: Install Rust
-      uses: actions-rs/toolchain@v1
+      uses: dtolnay/rust-toolchain@stable
       with:
         toolchain: stable
-        profile: minimal
-        override: true
     - uses: Swatinem/rust-cache@v2
     - name: Default features
       run: cargo check --workspace --all-targets
@@ -37,30 +35,40 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v3
     - name: Install Rust
-      uses: actions-rs/toolchain@v1
+      uses: dtolnay/rust-toolchain@stable
       with:
         toolchain: stable
-        profile: minimal
-        override: true
         components: rustfmt
     - uses: Swatinem/rust-cache@v2
     - name: Check formatting
       run: cargo fmt --all -- --check
   clippy:
     name: clippy
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write # to upload sarif results
     steps:
     - name: Checkout repository
       uses: actions/checkout@v3
     - name: Install Rust
-      uses: actions-rs/toolchain@v1
+      uses: dtolnay/rust-toolchain@stable
       with:
-        toolchain: 1.57.0  # MSRV
-        profile: minimal
-        override: true
+        toolchain: stable
         components: clippy
     - uses: Swatinem/rust-cache@v2
-    - uses: actions-rs/clippy-check@v1
+    - name: Install SARIF tools
+      run: cargo install clippy-sarif sarif-fmt
+    - name: Check
+      run: >
+        cargo clippy --workspace --all-features --all-targets --message-format=json -- -D warnings --allow deprecated
+        | clippy-sarif
+        | tee clippy-results.sarif
+        | sarif-fmt
+      continue-on-error: true
+    - name: Upload
+      uses: github/codeql-action/upload-sarif@v2
       with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        args: --workspace --all-features --all-targets -- -D warnings
+        sarif_file: clippy-results.sarif
+        wait-for-processing: true
+    - name: Report status
+      run: cargo clippy --workspace --all-features --all-targets -- -D warnings --allow deprecated
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,4 +1,5 @@
 [workspace]
+resolver = "2"
 members = [
     "examples/*",
 ]