Add automated dependency license checking with cargo-deny

[tillrohrmann]

Context

As part of an OSS license due diligence review, we found that this repository has no automated mechanism to verify that dependency licenses are acceptable. The restate server repo already uses cargo-deny successfully — this issue tracks adding the same for sdk-rust.

Note: The justfile comment on the lint target currently says "Runs all lints (fmt, clippy, deny)" but no deny target actually exists — the comment is stale/aspirational.

Recommended approach

1. Add deny.toml

Use the restate server's deny.toml as a starting template. The SDK's allowlist can likely be more restrictive since there are no weak-copyleft deps currently:

[licenses]
allow = [
    # Permissive
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "BSL-1.0",
    "CC0-1.0",
    "Zlib",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "OpenSSL",
    "0BSD",
]
confidence-threshold = 0.8

2. Add CI workflow

Either add a dedicated deps.yml workflow or integrate into the existing CI:

- uses: EmbarkStudios/cargo-deny-action@v2
  with:
    command: check licenses

3. Update justfile

Add a deny target and wire it into lint:

deny:
    cargo deny check
    
lint: check-fmt clippy deny

Why this matters

This repository is MIT-licensed and published as a crate on crates.io. Users pull in its transitive dependencies. An automated license gate ensures no strong copyleft (GPL, AGPL, SSPL) dependencies accidentally enter the dependency tree through routine updates.

Current state (as of 2026-03-16)

All current dependencies are permissively licensed — this is purely a preventive measure.