
Add cargo-vet supply-chain security#27

Merged
jerrysxie merged 8 commits into OpenDevicePartnership:main from jerrysxie:add-supply-chain-security on May 28, 2026

Conversation

@jerrysxie (Contributor) commented May 12, 2026

This PR adds supply-chain security tooling based on the
embedded-rust-template:

  • cargo-vet (supply-chain/) – dependency audit tracking with imports
    from ODP shared audits, Google, and Mozilla.
  • CI workflows: cargo-vet.yml + PR comment workflow

Copilot AI review requested due to automatic review settings May 12, 2026 20:20
@jerrysxie jerrysxie requested a review from a team as a code owner May 12, 2026 20:20

Copilot AI left a comment


Pull request overview

This PR introduces supply-chain security tooling for the crate, adding cargo-vet (with upstream audit imports) and cargo-deny (policy checks) plus CI automation to enforce them.

Changes:

  • Add cargo-vet configuration under supply-chain/ (local audits file, import config, imports lock).
  • Add GitHub Actions workflows to run cargo vet on PRs and (on failure/success transitions) comment on the PR.
  • Add cargo-deny configuration (deny.toml) and run cargo deny check in the main CI workflow.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

Summary per file:

  • supply-chain/imports.lock – Initializes cargo-vet imports lock for external audit sources.
  • supply-chain/config.toml – Declares cargo-vet version and audit import URLs (ODP/Google/Mozilla).
  • supply-chain/audits.toml – Adds local cargo-vet audits file scaffold.
  • .github/workflows/cargo-vet.yml – Runs cargo vet in CI for pull requests.
  • .github/workflows/cargo-vet-pr-comment.yml – Posts/updates PR comments based on cargo-vet results via workflow_run.
  • .github/workflows/check.yml – Adds a cargo-deny job to CI checks.
  • deny.toml – Defines cargo-deny policy for advisories/licenses/bans/sources.
Comments suppressed due to low confidence (1)

.github/workflows/cargo-vet-pr-comment.yml:44

  • echo "pr_number=$(cat ./pr/NR)" >> $GITHUB_OUTPUT writes attacker-controlled file contents into the GITHUB_OUTPUT command file (newlines can inject additional outputs). If you keep reading from a file, sanitize/validate it as a numeric PR number and use the multiline-safe output format; ideally remove this entirely by using the PR number from the workflow_run event payload.

        - name: 'Get PR number'
          id: get-pr-number
          run: echo "pr_number=$(cat ./pr/NR)" >> $GITHUB_OUTPUT
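A hardened version of the step flagged in the suppressed comment above, as an added example that is not part of the PR: it follows the reviewer's first option (validate the file contents as a numeric PR number before writing to GITHUB_OUTPUT) rather than switching to the workflow_run payload. The path ./pr/NR and the pr_number output key come from the comment; the function names and the sample artifact files are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: hardened replacement for the step
#   run: echo "pr_number=$(cat ./pr/NR)" >> $GITHUB_OUTPUT
# The ./pr/NR artifact is produced by an untrusted pull_request run, so its
# contents are validated before anything is written to the GITHUB_OUTPUT
# command file, where a stray newline would create additional outputs.

# Print the PR number stored in FILE only if it is a plain decimal integer.
# Anything else (empty file, letters, spaces, a second line) is rejected.
read_pr_number() {
  file="$1"
  [ -f "$file" ] || return 1
  # Cap the read: a legitimate PR number never needs more than a few bytes.
  content=$(head -c 64 "$file")
  case "$content" in
    '' | *[!0-9]*) return 1 ;;   # empty, or contains a non-digit (newlines included)
  esac
  printf '%s\n' "$content"
}

# Append pr_number=<validated value> to OUT (the GITHUB_OUTPUT file in CI).
# Returns 1 without touching OUT when validation fails.
set_pr_output() {
  file="$1"
  out="$2"
  pr=$(read_pr_number "$file") || {
    echo "refusing to export PR number from $file: not a plain integer" >&2
    return 1
  }
  printf 'pr_number=%s\n' "$pr" >> "$out"
}

# Constructed sample artifacts (not real workflow output) to show both paths.
demo_dir=$(mktemp -d)
printf '4242\n' > "$demo_dir/NR-good"
printf '4242\nsneaky_output=1\n' > "$demo_dir/NR-injected"

set_pr_output "$demo_dir/NR-good" "$demo_dir/out" && echo "accepted: $(cat "$demo_dir/out")"
set_pr_output "$demo_dir/NR-injected" "$demo_dir/out" || echo "rejected artifact with extra line"
```

In a workflow step the second argument would be "$GITHUB_OUTPUT", and a non-zero return fails the step instead of silently exporting a tampered value.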

Comment thread .github/workflows/cargo-vet-pr-comment.yml
Comment thread .github/workflows/cargo-vet-pr-comment.yml
Comment thread .github/workflows/cargo-vet-pr-comment.yml
Comment thread .github/workflows/cargo-vet.yml
Comment thread .github/workflows/cargo-vet.yml Outdated
Copilot AI review requested due to automatic review settings May 17, 2026 23:46

Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

.github/workflows/cargo-vet.yml:50

  • Same issue here: if: ${{ failure() }} || ${{ success() }} is invalid; use always() so the artifact uploads regardless of the vet result.

        # Need to upload the artifact in both success and failure cases so comment can be updated in either case
        if: ${{ failure() }} || ${{ success() }}
        with:

Comment thread .github/workflows/cargo-vet.yml Outdated
Comment thread .github/workflows/cargo-vet-pr-comment.yml
Comment thread supply-chain/README.md
Comment thread .github/workflows/cargo-vet.yml
Comment thread .github/workflows/cargo-vet.yml
felipebalbi previously approved these changes May 18, 2026
Copilot AI review requested due to automatic review settings May 26, 2026 19:42

Copilot AI left a comment


Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 10 comments.

Comment thread .github/workflows/cargo-vet.yml Outdated
Comment thread .github/workflows/cargo-vet-pr-comment.yml
Comment thread supply-chain/README.md
Comment thread supply-chain/audits.toml
Comment thread supply-chain/audits.toml
Comment thread supply-chain/audits.toml
Comment thread supply-chain/audits.toml
Comment thread supply-chain/audits.toml
Comment thread supply-chain/audits.toml
Comment thread .github/workflows/cargo-vet-pr-comment.yml
@github-project-automation github-project-automation Bot moved this to In progress in ODP v0.2 May 27, 2026
@jerrysxie jerrysxie enabled auto-merge (squash) May 27, 2026 01:47
@jerrysxie jerrysxie self-assigned this May 27, 2026
@jerrysxie jerrysxie disabled auto-merge May 27, 2026 16:08
@jerrysxie jerrysxie force-pushed the add-supply-chain-security branch from 08c779f to d9e972f May 27, 2026 16:20
@jerrysxie jerrysxie enabled auto-merge (squash) May 27, 2026 16:23
@jerrysxie jerrysxie disabled auto-merge May 27, 2026 16:23
@jerrysxie jerrysxie changed the title from "Add cargo-vet and cargo-deny supply-chain security" to "Add cargo-vet supply-chain security" May 27, 2026
@jerrysxie jerrysxie enabled auto-merge (squash) May 27, 2026 16:23
@jerrysxie jerrysxie merged commit 04e9b69 into OpenDevicePartnership:main May 28, 2026
22 checks passed
@github-project-automation github-project-automation Bot moved this from In progress to Done in ODP v0.2 May 28, 2026