diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index aa275061088d6..778bd5c1f3113 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -323,7 +323,17 @@ test-prometheus-alerting-rules:
 cargo-deny:
   stage:                           test
   <<:                              *docker-env
-  <<:                              *nightly-pipeline
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "pipeline"
+      when: never
+    - if: $CI_PIPELINE_SOURCE == "web"
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+    - if: $CI_COMMIT_REF_NAME == "master"
+    - if: $CI_COMMIT_REF_NAME =~ /^[0-9]+$/                         # PRs
+      changes:
+        - "Cargo.lock"
+        - "**/Cargo.toml"
+    - if: $CI_COMMIT_REF_NAME =~ /^v[0-9]+\.[0-9]+.*$/              # i.e. v1.0, v2.1rc1
   script:
     - cargo deny check --hide-inclusion-graph -c .maintain/deny.toml
   after_script:
@@ -335,8 +345,6 @@ cargo-deny:
     when:                          always
     paths:
       - deny.log
-  # FIXME: Temporarily allow to fail.
-  allow_failure:                   true
 
 cargo-fmt:
   stage:                           test
@@ -377,7 +385,7 @@ node-bench-regression-guard:
     # this is a DAG
     - job:                         cargo-check-benches
       artifacts:                   true
-    # this does not like a DAG, just polls the artifact
+    # this does not work like a DAG, just polls the artifact
     - project:                     $CI_PROJECT_PATH
       job:                         cargo-check-benches
       ref:                         master
@@ -390,7 +398,7 @@ node-bench-regression-guard:
     - echo "node-bench-regression-guard depends on the results of a cargo-check-benches job"
     - echo "In case of this job failure, check your pipeline's cargo-check-benches"
     - 'node-bench-regression-guard --reference artifacts/benches/master-*
-       --compare-with artifacts/benches/$CI_COMMIT_REF_NAME-$CI_COMMIT_SHORT_SHA'
+        --compare-with artifacts/benches/$CI_COMMIT_REF_NAME-$CI_COMMIT_SHORT_SHA'
 
 cargo-check-subkey:
   stage:                           test
diff --git a/.maintain/deny.toml b/.maintain/deny.toml
index 8cc7635d5049b..9f13f58bf3323 100644
--- a/.maintain/deny.toml
+++ b/.maintain/deny.toml
@@ -34,9 +34,9 @@ targets = [
 # The path where the advisory database is cloned/fetched into
 db-path = "~/.cargo/advisory-db"
 # The url of the advisory database to use
-db-url = "https://github.com/rustsec/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
 # The lint level for security vulnerabilities
-vulnerability = "deny"
+vulnerability = "warn"
 # The lint level for unmaintained crates
 unmaintained = "warn"
 # The lint level for crates that have been yanked from their source registry
diff --git a/Cargo.toml b/Cargo.toml
index f30b223a9b205..9e103c87609c0 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -230,6 +230,7 @@ members = [
 # probably concerns this list.
 #
 # This list is ordered alphabetically.
+# FIXME:
 [profile.dev.package]
 blake2 = { opt-level = 3 }
 blake2-rfc = { opt-level = 3 }