Merge pull request #6493 from str4d/ci-update-workflows
Update CI workflows
commit
a37c1b06ec
|
@ -11,20 +11,8 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
toolchain: stable
|
||||
override: true
|
||||
|
||||
- name: Install cargo-vet
|
||||
uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: install
|
||||
args: cargo-vet
|
||||
|
||||
- name: Run cargo vet --locked
|
||||
uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: vet
|
||||
args: --locked
|
||||
- uses: dtolnay/rust-toolchain@stable
|
||||
id: toolchain
|
||||
- run: rustup override set ${{steps.toolchain.outputs.name}}
|
||||
- run: cargo install cargo-vet
|
||||
- run: cargo vet --locked
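Review bot: The `- run: cargo install cargo-vet` step installs whichever cargo-vet release is newest at run time and re-resolves its dependency tree, so the tool that gates the supply-chain audit is itself unpinned. Installing with `- run: cargo install cargo-vet --locked --version <CARGO_VET_VERSION>` (placeholder; pick the release that matches the `version = "0.5"` store format declared in the cargo-vet config on this page) keeps the check reproducible and makes a tool upgrade an explicit, reviewable change. The same applies to `run: cargo install mdbook-katex` in the book workflow hunk. `dtolnay/rust-toolchain@stable` and `actions/checkout@v3` are also mutable refs, and pinning them to a full commit SHA would close the same gap for the actions. The job definition begins above the hunk.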
|
||||
|
|
|
@ -21,10 +21,7 @@ jobs:
|
|||
mdbook-version: 'latest'
|
||||
|
||||
- name: Install mdbook-katex
|
||||
uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: install
|
||||
args: mdbook-katex
|
||||
run: cargo install mdbook-katex
|
||||
|
||||
- name: Build zcashd book
|
||||
run: mdbook build doc/book/
|
||||
|
|
|
@ -5,16 +5,24 @@ on: pull_request_target
|
|||
permissions:
|
||||
contents: read
|
||||
issues: write
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
recent-base:
|
||||
name: Branch base is sufficiently recent
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- name: Check out the base branch
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Check out the PR branch
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Ensure branch contains necessary commits for Tekton CI
|
||||
id: tekton
|
||||
# https://github.com/zcash/zcash/pull/6358
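Review bot: The "Check out the PR branch" step passes `ref: ${{ github.head_ref }}` to `actions/checkout` in a workflow triggered by `pull_request_target`, whose token carries `issues: write` and `pull-requests: write`, so contributor-controlled content lands in a workspace that holds a privileged token. Add `persist-credentials: false` to both checkout steps so the token is not left in the local git config, and keep every later step to read-only git queries rather than running anything from the checked-out tree. `github.head_ref` is only a branch name and, as far as I can tell, is resolved against the base repository here, so a pull request from a fork would need `ref: refs/pull/${{ github.event.pull_request.number }}/head` instead. The `tekton` step and the rest of the job continue past the end of the hunk, so what they execute is not visible.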
|
||||
|
|
|
@ -75,19 +75,14 @@ jobs:
|
|||
if: always()
|
||||
|
||||
rust-clippy:
|
||||
name: Clippy (1.68.0)
|
||||
name: Clippy (MSRV)
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
toolchain: 1.68.0
|
||||
components: clippy
|
||||
override: true
|
||||
- name: Run clippy
|
||||
uses: actions-rs/clippy-check@v1
|
||||
with:
|
||||
name: Clippy (1.68.0)
|
||||
name: Clippy (MSRV)
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
args: --all-features --all-targets -- -D warnings
|
||||
|
||||
|
@ -96,12 +91,4 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: actions-rs/toolchain@v1
|
||||
with:
|
||||
toolchain: 1.68.0
|
||||
override: true
|
||||
- run: rustup component add rustfmt
|
||||
- uses: actions-rs/cargo@v1
|
||||
with:
|
||||
command: fmt
|
||||
args: -- --check
|
||||
- run: cargo fmt -- --check
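Review bot: In the `rust-clippy` job, `actions-rs/clippy-check@v1` is the one `actions-rs` action the visible hunks leave in place, and it is handed `token: ${{ secrets.GITHUB_TOKEN }}` while being referenced by a mutable tag. Pinning it as `uses: actions-rs/clippy-check@<FULL_COMMIT_SHA>` (placeholder), or replacing it with a plain `run: cargo clippy --all-features --all-targets -- -D warnings` step, would take a third-party action out of the token's trust boundary. With the `actions-rs/toolchain` steps gone, both jobs presumably pick up the compiler and components from `rust-toolchain.toml`; a comment such as `# Toolchain and components come from rust-toolchain.toml` above the steps would make that dependency explicit. The workflow's `permissions` and the start of each job are outside the hunks.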
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
|
||||
# cargo-vet config file
|
||||
|
||||
[cargo-vet]
|
||||
version = "0.5"
|
||||
|
||||
[imports.bytecode-alliance]
|
||||
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
|
||||
|
||||
|
@ -700,10 +703,6 @@ criteria = "safe-to-deploy"
|
|||
version = "0.1.0"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.version_check]]
|
||||
version = "0.9.4"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.want]]
|
||||
version = "0.3.0"
|
||||
criteria = "safe-to-deploy"
|
||||
|
|
|
@ -150,56 +150,10 @@ criteria = "safe-to-deploy"
|
|||
version = "0.42.0"
|
||||
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
|
||||
|
||||
[audits.chromeos.criteria.crypto-safe]
|
||||
description = """
|
||||
All crypto algorithms in this crate have been reviewed by a relevant expert.
|
||||
|
||||
**Note**: If a crate does not implement crypto, use `does-not-implement-crypto`,
|
||||
which implies `crypto-safe`, but does not require expert review in order to
|
||||
audit for."""
|
||||
|
||||
[audits.chromeos.criteria.does-not-implement-crypto]
|
||||
description = """
|
||||
Inspection reveals that the crate in question does not attempt to implement any
|
||||
cryptographic algorithms on its own.
|
||||
|
||||
Note that certification of this does not require an expert on all forms of
|
||||
cryptography: it's expected for crates we import to be \"good enough\" citizens,
|
||||
so they'll at least be forthcoming if they try to implement something
|
||||
cryptographic. When in doubt, please ask an expert."""
|
||||
implies = "crypto-safe"
|
||||
|
||||
[audits.chromeos.criteria.rule-of-two-safe-to-deploy]
|
||||
description = """
|
||||
This is a stronger requirement than the built-in safe-to-deploy criteria,
|
||||
motivated by Chromium's rule-of-two related requirements:
|
||||
https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md#unsafe-code-in-safe-languages
|
||||
|
||||
This crate will not introduce a serious security vulnerability to production
|
||||
software exposed to untrusted input.
|
||||
|
||||
Auditors are not required to perform a full logic review of the entire crate.
|
||||
Rather, they must review enough to fully reason about the behavior of all unsafe
|
||||
blocks and usage of powerful imports. For any reasonable usage of the crate in
|
||||
real-world software, an attacker must not be able to manipulate the runtime
|
||||
behavior of these sections in an exploitable or surprising way.
|
||||
|
||||
Ideally, ambient capabilities (e.g. filesystem access) are hardened against
|
||||
manipulation and consistent with the advertised behavior of the crate. However,
|
||||
some discretion is permitted. In such cases, the nature of the discretion should
|
||||
be recorded in the `notes` field of the audit record.
|
||||
|
||||
Any unsafe code in this crate must, in general, be kept well-contained, and
|
||||
documentation must exist to describe how Rust's invariants are being upheld
|
||||
despite the unsafe block(s). Nontrivial uses of unsafe must be reviewed by an
|
||||
expert in Rust's unsafety guarantees/non-guarantees.
|
||||
|
||||
For crates which generate deployed code (e.g. build dependencies or procedural
|
||||
macros), reasonable usage of the crate should output code which meets the above
|
||||
criteria."""
|
||||
implies = "safe-to-deploy"
|
||||
|
||||
[audits.chromeos.audits]
|
||||
[[audits.chromeos.audits.version_check]]
|
||||
who = "George Burgess IV <gbiv@google.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "0.9.4"
|
||||
|
||||
[[audits.embark-studios.audits.anyhow]]
|
||||
who = "Johan Andersson <opensource@embark-studios.com>"
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
[toolchain]
|
||||
channel = "1.68.0"
|
||||
components = ["clippy", "rustfmt"]
|
||||
|
|