From 0dbdf3092470413a1247ec4460ff46735cba2197 Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Thu, 28 Nov 2024 09:54:53 +0100 Subject: [PATCH 01/14] feat(ci): add security audit, rename files --- .github/workflows/audit.yml | 36 +++++++++++++++++++ .../{bolt_boost_ci.yml => boost-ci.yml} | 3 ++ .../workflows/{bolt_cli_ci.yml => cli-ci.yml} | 0 ...t_cli_release_bins.yml => cli-release.yml} | 0 .../{contracts_ci.yml => contracts-ci.yml} | 7 ++-- .../{bolt_sidecar_ci.yml => sidecar-ci.yml} | 0 6 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/audit.yml rename .github/workflows/{bolt_boost_ci.yml => boost-ci.yml} (97%) rename .github/workflows/{bolt_cli_ci.yml => cli-ci.yml} (100%) rename .github/workflows/{bolt_cli_release_bins.yml => cli-release.yml} (100%) rename .github/workflows/{contracts_ci.yml => contracts-ci.yml} (95%) rename .github/workflows/{bolt_sidecar_ci.yml => sidecar-ci.yml} (100%) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml new file mode 100644 index 00000000..736575d0 --- /dev/null +++ b/.github/workflows/audit.yml @@ -0,0 +1,36 @@ +name: Security Audit + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +on: + pull_request: + paths: + - "**/Cargo.toml" + - "**/Cargo.lock" + push: + branches: + - main + - unstable + paths: + - "**/Cargo.toml" + - "**/Cargo.lock" + schedule: + # Run daily at midnight + - cron: '0 0 * * *' + +permissions: + issues: write + checks: write + pull-requests: read + contents: read + +jobs: + security-audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions-rs/audit-check@v1.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file 
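Review bot: Every action in the new audit.yml is referenced by a mutable tag (`actions/checkout@v4`, `actions-rs/audit-check@v1.2.0`) while the job hands that action `secrets.GITHUB_TOKEN` carrying the workflow's `issues: write` and `checks: write` grants, so whoever can move the tag inherits those permissions; pin each `uses:` to a full commit SHA and keep the version in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha>  # v4`. The same applies to the action swaps later in this series (`actions-rust-lang/audit@v1` in patch 08 and `rustsec/audit-check@v2` in patches 10/11), which also use floating tags. Minor style: `cron: '0 0 * * *'` is single-quoted while every other scalar in the file is double-quoted, and the file lands without a trailing newline, which the diff flags on every subsequent patch.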
diff --git a/.github/workflows/bolt_boost_ci.yml b/.github/workflows/boost-ci.yml similarity index 97% rename from .github/workflows/bolt_boost_ci.yml rename to .github/workflows/boost-ci.yml index 3917ec64..b1859110 100644 --- a/.github/workflows/bolt_boost_ci.yml +++ b/.github/workflows/boost-ci.yml @@ -2,6 +2,9 @@ name: Bolt Boost CI on: push: + branches: + - unstable + - main paths: - "bolt-boost/**" pull_request: diff --git a/.github/workflows/bolt_cli_ci.yml b/.github/workflows/cli-ci.yml similarity index 100% rename from .github/workflows/bolt_cli_ci.yml rename to .github/workflows/cli-ci.yml diff --git a/.github/workflows/bolt_cli_release_bins.yml b/.github/workflows/cli-release.yml similarity index 100% rename from .github/workflows/bolt_cli_release_bins.yml rename to .github/workflows/cli-release.yml diff --git a/.github/workflows/contracts_ci.yml b/.github/workflows/contracts-ci.yml similarity index 95% rename from .github/workflows/contracts_ci.yml rename to .github/workflows/contracts-ci.yml index 97190cef..ee0e7505 100644 --- a/.github/workflows/contracts_ci.yml +++ b/.github/workflows/contracts-ci.yml @@ -1,11 +1,12 @@ -name: Bolt-contracts CI +name: Bolt Contracts CI on: push: - paths: - - "bolt-contracts/**" branches: - unstable + - main + paths: + - "bolt-contracts/**" pull_request: paths: - "bolt-contracts/**" diff --git a/.github/workflows/bolt_sidecar_ci.yml b/.github/workflows/sidecar-ci.yml similarity index 100% rename from .github/workflows/bolt_sidecar_ci.yml rename to .github/workflows/sidecar-ci.yml From 55bd6c403b0e7767e42d625b4e9a3afd3528da12 Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Thu, 28 Nov 2024 09:56:22 +0100 Subject: [PATCH 02/14] chore(deps): update clap --- bolt-sidecar/Cargo.lock | 8 ++++---- bolt-sidecar/Cargo.toml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/bolt-sidecar/Cargo.lock b/bolt-sidecar/Cargo.lock index 55680741..5e49e361 100644 --- a/bolt-sidecar/Cargo.lock 
+++ b/bolt-sidecar/Cargo.lock @@ -2275,9 +2275,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.20" +version = "4.5.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b97f376d85a664d5837dbae44bf546e6477a679ff6610010f17276f686d867e8" +checksum = "fb3b4b9e5a7c7514dfa52869339ee98b3156b0bfb4e8a77c4ff4babb64b1604f" dependencies = [ "clap_builder", "clap_derive", @@ -2285,9 +2285,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.20" +version = "4.5.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "19bc80abd44e4bed93ca373a0704ccbd1b710dc5749406201bb018272808dc54" +checksum = "b17a95aa67cc7b5ebd32aa5370189aa0d79069ef1c64ce893bd30fb24bff20ec" dependencies = [ "anstream", "anstyle", diff --git a/bolt-sidecar/Cargo.toml b/bolt-sidecar/Cargo.toml index 575bcef4..9660bad6 100644 --- a/bolt-sidecar/Cargo.toml +++ b/bolt-sidecar/Cargo.toml @@ -10,7 +10,7 @@ debug = true [dependencies] # core -clap = { version = "4.5.20", features = ["derive", "env"] } +clap = { version = "4.5.21", features = ["derive", "env"] } tokio = { version = "1", features = ["full"] } axum = { version = "0.7", features = ["macros"] } tower-http = { version = "0.5.2", features = ["timeout"] } From 09e84e218b2c02e97f054c1983346b5bb7db2bf4 Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Thu, 28 Nov 2024 10:04:34 +0100 Subject: [PATCH 03/14] ci: fix audit check --- .github/workflows/audit.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 736575d0..2db1fa25 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml 
@@ -29,8 +29,13 @@ permissions: jobs: security-audit: runs-on: ubuntu-latest + strategy: + matrix: + project: [bolt-sidecar, bolt-cli, bolt-boost] + name: Security Audit for ${{ matrix.project }} steps: - uses: actions/checkout@v4 - uses: actions-rs/audit-check@v1.2.0 + working-directory: ${{ matrix.project }} with: token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 68dc6bb097c11f6670c4a10a17b0dee17931f2ce Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Thu, 28 Nov 2024 10:09:36 +0100 Subject: [PATCH 04/14] ci: fix audit check attempt 2 --- .github/workflows/audit.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 2db1fa25..5ae7fc8b 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -32,10 +32,13 @@ jobs: strategy: matrix: project: [bolt-sidecar, bolt-cli, bolt-boost] + defaults: + run: + working-directory: ${{ matrix.project }} name: Security Audit for ${{ matrix.project }} steps: - uses: actions/checkout@v4 - - uses: actions-rs/audit-check@v1.2.0 + - uses: actions-rs/audit-check@v1 working-directory: ${{ matrix.project }} with: token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From d825599c34b776cac9822f15b2e7bf2d857f13ae Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Thu, 28 Nov 2024 10:11:31 +0100 Subject: [PATCH 05/14] ci: fix audit check attempt 3 --- .github/workflows/audit.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 5ae7fc8b..1440afbf 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -39,6 +39,5 @@ jobs: steps: - uses: actions/checkout@v4 - uses: actions-rs/audit-check@v1 - working-directory: ${{ matrix.project }} with: token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 4c1e8be470892f0ae6cf3e86b4d6109e572eb368 Mon Sep 17 00:00:00 2001 
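Review bot: `working-directory` is not a valid key on a `uses:` step (only `run:` steps accept it), so attaching it to the `actions-rs/audit-check@v1.2.0` step makes the workflow fail validation rather than audit `${{ matrix.project }}`; the `defaults.run.working-directory` added by patch 04 on this same line has the same limitation, so the action presumably still runs against the repository root and all three matrix legs audit the same top-level manifest. The project directory has to reach the action through an input the action itself declares (as the series eventually does with `working-directory:` under `with:`). Also note that patch 04 changes `@v1.2.0` to `@v1`, moving from a version tag to a floating major tag and loosening the pin further.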
From: Jonas Bostoen Date: Thu, 28 Nov 2024 10:24:49 +0100 Subject: [PATCH 06/14] ci: fix audit check attempt 4 --- .github/workflows/audit.yml | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 1440afbf..0d72337c 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -27,17 +27,34 @@ permissions: contents: read jobs: - security-audit: + # security-audit: + # runs-on: ubuntu-latest + # strategy: + # matrix: + # project: [bolt-sidecar, bolt-cli, bolt-boost] + # defaults: + # run: + # working-directory: ${{ matrix.project }} + # name: Security Audit for ${{ matrix.project }} + # steps: + # - uses: actions/checkout@v4 + # - name: Run cargo audit + # run: | + # cargo generate-lockfile + # cargo audit + + # with: + # token: ${{ secrets.GITHUB_TOKEN }} + + audit-sidecar: runs-on: ubuntu-latest - strategy: - matrix: - project: [bolt-sidecar, bolt-cli, bolt-boost] defaults: run: - working-directory: ${{ matrix.project }} - name: Security Audit for ${{ matrix.project }} + working-directory: bolt-sidecar + name: Security Audit for bolt-sidecar steps: - uses: actions/checkout@v4 - - uses: actions-rs/audit-check@v1 + - name: Run cargo audit + uses: actions-rs/audit-check@v1 with: token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 0c190575eff486a50a69b5431d450dcc4abda71d Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Thu, 28 Nov 2024 10:26:30 +0100 Subject: [PATCH 07/14] ci: fix audit check attempt 5 --- .github/workflows/audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 0d72337c..98c016f5 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml 
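Review bot: The hunk keeps the whole previous `security-audit` job in the file as a commented-out block instead of deleting it; dead configuration in a workflow drifts from the live job and git history already preserves it, so the block should be dropped. If the commented `run:` steps are ever revived, `cargo generate-lockfile` followed by `cargo audit` would re-resolve dependencies and audit that fresh resolution rather than the committed `Cargo.lock`, so the result would not describe what the repository actually builds; the audit should run against the checked-in lockfile. The surviving `audit-sidecar` job also covers only `bolt-sidecar`, silently dropping `bolt-cli` and `bolt-boost` from the audit without the commit message saying so.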
@@ -50,7 +50,7 @@ jobs: runs-on: ubuntu-latest defaults: run: - working-directory: bolt-sidecar + working-directory: ${{ github.workspace }}/bolt-sidecar name: Security Audit for bolt-sidecar steps: - uses: actions/checkout@v4 From 5a29e535433a95b73a2bc819f0083368ded55c21 Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Thu, 28 Nov 2024 10:35:19 +0100 Subject: [PATCH 08/14] ci: fix audit check attempt 6 (new action) --- .github/workflows/audit.yml | 37 +++++++++++-------------------------- 1 file changed, 11 insertions(+), 26 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 98c016f5..8a069158 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -7,6 +7,7 @@ concurrency: on: pull_request: paths: + - ".github/workflows/audit.yml" - "**/Cargo.toml" - "**/Cargo.lock" push: @@ -14,6 +15,7 @@ on: - main - unstable paths: + - ".github/workflows/audit.yml" - "**/Cargo.toml" - "**/Cargo.lock" schedule: 
@@ -27,34 +29,17 @@ permissions: contents: read jobs: - # security-audit: - # runs-on: ubuntu-latest - # strategy: - # matrix: - # project: [bolt-sidecar, bolt-cli, bolt-boost] - # defaults: - # run: - # working-directory: ${{ matrix.project }} - # name: Security Audit for ${{ matrix.project }} - # steps: - # - uses: actions/checkout@v4 - # - name: Run cargo audit - # run: | - # cargo generate-lockfile - # cargo audit - - # with: - # token: ${{ secrets.GITHUB_TOKEN }} - - audit-sidecar: + security-audit: runs-on: ubuntu-latest - defaults: - run: - working-directory: ${{ github.workspace }}/bolt-sidecar - name: Security Audit for bolt-sidecar + strategy: + matrix: + project: [bolt-sidecar, bolt-cli, bolt-boost] + name: Security Audit for ${{ matrix.project }} steps: - uses: actions/checkout@v4 - name: Run cargo audit - uses: actions-rs/audit-check@v1 + uses: actions-rust-lang/audit@v1 with: - token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + TOKEN: ${{ secrets.GITHUB_TOKEN }} + workingDirectory: ${{ matrix.project }} + createIssues: "${{ github.ref == 'refs/heads/unstable' || github.ref == 'refs/heads/main' }}" From beeae89dcdb1b083239ecfcc8d603b59ec6ce7a7 Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Thu, 28 Nov 2024 10:37:12 +0100 Subject: [PATCH 09/14] ci: fix audit check attempt 6 (new action) --- .github/workflows/audit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 8a069158..4b4ac1d3 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -7,7 +7,7 @@ concurrency: on: pull_request: paths: - - ".github/workflows/audit.yml" + - ".github/workflows/audit.yml" - "**/Cargo.toml" - "**/Cargo.lock" push: @@ -15,7 +15,7 @@ on: - main - unstable paths: - - ".github/workflows/audit.yml" + - ".github/workflows/audit.yml" - "**/Cargo.toml" - "**/Cargo.lock" schedule: From ee0dcb95dc77f63e0b58e6061ef4432326e84cae Mon Sep 17 00:00:00 2001 
From: Jonas Bostoen Date: Fri, 29 Nov 2024 10:06:15 +0100 Subject: [PATCH 10/14] ci: fix audit check attempt 7 (rustsec/audit-check) --- .github/workflows/audit.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 4b4ac1d3..3032a46b 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -1,9 +1,5 @@ name: Security Audit -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - on: pull_request: paths: @@ -38,8 +34,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Run cargo audit - uses: actions-rust-lang/audit@v1 + uses: rustsec/adit-check@v2 with: - TOKEN: ${{ secrets.GITHUB_TOKEN }} - workingDirectory: ${{ matrix.project }} - createIssues: "${{ github.ref == 'refs/heads/unstable' || github.ref == 'refs/heads/main' }}" + token: ${{ secrets.GITHUB_TOKEN }} + working-directory: ${{ matrix.project }} \ No newline at end of file From 4f587541e09115f1743dd60a7b42b0a7032aa0ed Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Fri, 29 Nov 2024 10:06:59 +0100 Subject: [PATCH 11/14] ci: fix audit check attempt 7 (rustsec/audit-check) --- .github/workflows/audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 3032a46b..46ee422f 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -34,7 +34,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Run cargo audit - uses: rustsec/adit-check@v2 + uses: rustsec/audit-check@v2 with: token: ${{ secrets.GITHUB_TOKEN }} working-directory: ${{ matrix.project }} \ No newline at end of file From 2b4c1e38be4cc0de13e2a329b0215728d7c79917 Mon Sep 17 00:00:00 2001 
From: Jonas Bostoen Date: Fri, 29 Nov 2024 10:11:06 +0100 Subject: [PATCH 12/14] ci: restore audit action concurrency group --- .github/workflows/audit.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 46ee422f..e28a3e2f 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -1,5 +1,9 @@ name: Security Audit +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + on: pull_request: paths: @@ -37,4 +41,5 @@ jobs: uses: rustsec/audit-check@v2 with: token: ${{ secrets.GITHUB_TOKEN }} - working-directory: ${{ matrix.project }} \ No newline at end of file + working-directory: ${{ matrix.project }} + createIssues: "${{ github.ref == 'refs/heads/unstable' || github.ref == 'refs/heads/main' }}" \ No newline at end of file From bf169f1a3f9af8b35cf65b871307f5904650cf63 Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Fri, 29 Nov 2024 10:28:05 +0100 Subject: [PATCH 13/14] ci(audit): rm unsupported option --- .github/workflows/audit.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index e28a3e2f..d46a3fed 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -41,5 +41,4 @@ jobs: uses: rustsec/audit-check@v2 with: token: ${{ secrets.GITHUB_TOKEN }} - working-directory: ${{ matrix.project }} - createIssues: "${{ github.ref == 'refs/heads/unstable' || github.ref == 'refs/heads/main' }}" \ No newline at end of file + working-directory: ${{ matrix.project }} \ No newline at end of file From 5bc70785d8141512e585ef91b86a45bee95537a1 Mon Sep 17 00:00:00 2001 From: Jonas Bostoen Date: Fri, 29 Nov 2024 17:57:29 +0100 Subject: [PATCH 14/14] ci(audit): don't fail fast --- .github/workflows/audit.yml | 1 + 1 file changed, 1 insertion(+) 
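Review bot: The restored concurrency group `${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}` does not separate the `schedule` trigger from `push`: a scheduled run has no pull-request number and its `github.ref` is the default branch, so the nightly audit and a qualifying push to that branch share one group and `cancel-in-progress: true` lets either cancel the other (the same block was introduced in patch 01). Including the event name keeps pushes deduplicated per ref without cancelling scheduled audits: `group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.ref }}`.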
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index d46a3fed..95aea49a 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -32,6 +32,7 @@ jobs: security-audit: runs-on: ubuntu-latest strategy: + fail-fast: false matrix: project: [bolt-sidecar, bolt-cli, bolt-boost] name: Security Audit for ${{ matrix.project }}