Merge pull request #6493 from str4d/ci-update-workflows

Update CI workflows
str4d 2023-03-16 17:33:25 +00:00 committed by GitHub
commit a37c1b06ec
7 changed files with 26 additions and 92 deletions


@ -11,20 +11,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
override: true
- name: Install cargo-vet
uses: actions-rs/cargo@v1
with:
command: install
args: cargo-vet
- name: Run cargo vet --locked
uses: actions-rs/cargo@v1
with:
command: vet
args: --locked
- uses: dtolnay/rust-toolchain@stable
id: toolchain
- run: rustup override set ${{steps.toolchain.outputs.name}}
- run: cargo install cargo-vet
- run: cargo vet --locked
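Review bot: `cargo install cargo-vet` on the new `- run:` line installs whatever version crates.io currently serves, so the tool that enforces the supply-chain policy is itself unpinned and can change silently between runs; pin it explicitly, e.g. `- run: cargo install cargo-vet --locked --version <pinned-version>`, and bump the pin deliberately. The same applies to `run: cargo install mdbook-katex` in the book workflow hunk below. `dtolnay/rust-toolchain@stable` and `actions/checkout@v3` are referenced by mutable tags rather than commit SHAs, which is the common trade-off for these actively maintained actions but deserves a conscious decision in a job whose purpose is dependency auditing. Whether the job has further steps after `cargo vet --locked` is outside the hunk.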


@ -21,10 +21,7 @@ jobs:
mdbook-version: 'latest'
- name: Install mdbook-katex
uses: actions-rs/cargo@v1
with:
command: install
args: mdbook-katex
run: cargo install mdbook-katex
- name: Build zcashd book
run: mdbook build doc/book/


@ -5,16 +5,24 @@ on: pull_request_target
permissions:
contents: read
issues: write
pull-requests: write
jobs:
recent-base:
name: Branch base is sufficiently recent
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Check out the base branch
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Check out the PR branch
uses: actions/checkout@v3
with:
ref: ${{ github.head_ref }}
fetch-depth: 0
- name: Ensure branch contains necessary commits for Tekton CI
id: tekton
# https://github.com/zcash/zcash/pull/6358
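Review bot: The added `Check out the PR branch` step places the PR's tree into a `pull_request_target` job that holds `issues: write` and `pull-requests: write`, so the job's safety rests on no later step executing anything taken from that checkout; the body of the `tekton` step is outside the hunk, so that cannot be confirmed here. If the step only needs git history, checking the PR out into a separate directory with `path:` and inspecting it with read-only git commands keeps the trust boundary explicit, and a comment above the step stating that the PR tree is treated as data only would record the intent. Note also that `ref: ${{ github.head_ref }}` is resolved against the base repository (the default `repository:` of actions/checkout), so for PRs from forks that branch name is unlikely to exist there; `ref: ${{ github.event.pull_request.head.sha }}` is the usual form, though this may be intentional if only same-repo PRs are expected.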


@ -75,19 +75,14 @@ jobs:
if: always()
rust-clippy:
name: Clippy (1.68.0)
name: Clippy (MSRV)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1
with:
toolchain: 1.68.0
components: clippy
override: true
- name: Run clippy
uses: actions-rs/clippy-check@v1
with:
name: Clippy (1.68.0)
name: Clippy (MSRV)
token: ${{ secrets.GITHUB_TOKEN }}
args: --all-features --all-targets -- -D warnings
@ -96,12 +91,4 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1
with:
toolchain: 1.68.0
override: true
- run: rustup component add rustfmt
- uses: actions-rs/cargo@v1
with:
command: fmt
args: -- --check
- run: cargo fmt -- --check
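Review bot: `actions-rs/clippy-check@v1` is kept while the rest of this commit drops the `actions-rs` toolchain and cargo actions, so the clippy job still depends on the action set the commit is moving away from; `- run: cargo clippy --all-features --all-targets -- -D warnings` would complete the migration and match the new `cargo fmt -- --check` step in the second hunk. With the toolchain setup step removed, both jobs now rely on rustup honouring `rust-toolchain.toml`, which the last file in this commit extends with `components = ["clippy", "rustfmt"]` for exactly this purpose; a comment such as `# toolchain and components come from rust-toolchain.toml (MSRV)` above the first step would explain why no setup step exists. The `Clippy (MSRV)` label is accurate only while `channel` in that file tracks the MSRV, and noting that coupling in the same comment avoids silent drift.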


@ -1,6 +1,9 @@
# cargo-vet config file
[cargo-vet]
version = "0.5"
[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
@ -700,10 +703,6 @@ criteria = "safe-to-deploy"
version = "0.1.0"
criteria = "safe-to-deploy"
[[exemptions.version_check]]
version = "0.9.4"
criteria = "safe-to-deploy"
[[exemptions.want]]
version = "0.3.0"
criteria = "safe-to-deploy"
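Review bot: The new `[imports.bytecode-alliance]` table enlarges the set of auditors whose `safe-to-deploy` judgements this project accepts, and its `url` points at the `main` branch of that repository, so the imported audit set can change whenever imports are refreshed; cargo-vet records what was actually imported in its lock file, which is what makes the mutable URL tolerable, but the trust decision itself is undocumented here. A comment above the table would help future reviewers, e.g. `# Third-party audits from the Bytecode Alliance (wasmtime); accepted for safe-to-deploy — review lock-file diffs when imports change`. The dropped `[[exemptions.version_check]]` entry further down is presumably now covered by an imported audit; the hunk does not show which one, so that is inferred.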


@ -150,56 +150,10 @@ criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
[audits.chromeos.criteria.crypto-safe]
description = """
All crypto algorithms in this crate have been reviewed by a relevant expert.
**Note**: If a crate does not implement crypto, use `does-not-implement-crypto`,
which implies `crypto-safe`, but does not require expert review in order to
audit for."""
[audits.chromeos.criteria.does-not-implement-crypto]
description = """
Inspection reveals that the crate in question does not attempt to implement any
cryptographic algorithms on its own.
Note that certification of this does not require an expert on all forms of
cryptography: it's expected for crates we import to be \"good enough\" citizens,
so they'll at least be forthcoming if they try to implement something
cryptographic. When in doubt, please ask an expert."""
implies = "crypto-safe"
[audits.chromeos.criteria.rule-of-two-safe-to-deploy]
description = """
This is a stronger requirement than the built-in safe-to-deploy criteria,
motivated by Chromium's rule-of-two related requirements:
https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md#unsafe-code-in-safe-languages
This crate will not introduce a serious security vulnerability to production
software exposed to untrusted input.
Auditors are not required to perform a full logic review of the entire crate.
Rather, they must review enough to fully reason about the behavior of all unsafe
blocks and usage of powerful imports. For any reasonable usage of the crate in
real-world software, an attacker must not be able to manipulate the runtime
behavior of these sections in an exploitable or surprising way.
Ideally, ambient capabilities (e.g. filesystem access) are hardened against
manipulation and consistent with the advertised behavior of the crate. However,
some discretion is permitted. In such cases, the nature of the discretion should
be recorded in the `notes` field of the audit record.
Any unsafe code in this crate must, in general, be kept well-contained, and
documentation must exist to describe how Rust's invariants are being upheld
despite the unsafe block(s). Nontrivial uses of unsafe must be reviewed by an
expert in Rust's unsafety guarantees/non-guarantees.
For crates which generate deployed code (e.g. build dependencies or procedural
macros), reasonable usage of the crate should output code which meets the above
criteria."""
implies = "safe-to-deploy"
[audits.chromeos.audits]
[[audits.chromeos.audits.version_check]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "0.9.4"
[[audits.embark-studios.audits.anyhow]]
who = "Johan Andersson <opensource@embark-studios.com>"


@ -1,2 +1,3 @@
[toolchain]
channel = "1.68.0"
components = ["clippy", "rustfmt"]