From 595ecd5a74b9e4cf9a888eb7c2ee7b000b4987d3 Mon Sep 17 00:00:00 2001
From: Daniel McCarney <daniel@binaryparadox.net>
Date: Tue, 17 Oct 2023 12:44:23 -0400
Subject: [PATCH] ci: run cargo-check-external-types

This commit adds a CI task to run cargo-check-external-types[0] with the
goal of ensuring we don't unintentionally leak types from deps (e.g.
`untrusted`) in our public API.

[0]: https://github.com/awslabs/cargo-check-external-types
---
 .github/workflows/ci.yml | 20 ++++++++++++++++++++
 Cargo.toml               |  6 ++++++
 2 files changed, 26 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 18c1a433..2f5f4e21 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -268,6 +268,26 @@ jobs:
       - name: Check semver
         uses: obi1kenobi/cargo-semver-checks-action@v2
 
+  check-external-types:
+    name: Validate external types appearing in public API
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install rust toolchain
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: nightly-2023-10-10
+          # ^ sync with https://github.com/awslabs/cargo-check-external-types/blob/main/rust-toolchain.toml
+
+      - run: cargo install --locked cargo-check-external-types
+
+      - name: run cargo-check-external-types
+        run: cargo check-external-types
+
   coverage:
     name: Measure coverage
     runs-on: ubuntu-20.04
diff --git a/Cargo.toml b/Cargo.toml
index ddcd44c6..c1d434fe 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -62,6 +62,12 @@ include = [
 all-features = true
 rustdoc-args = ["--cfg", "docsrs"]
 
+[package.metadata.cargo_check_external_types]
+allowed_external_types = [
+    "rustls_pki_types::*",
+    "rustls_pki_types", # To allow re-export.
+]
+
 [lib]
 name = "webpki"