From 5c316e8d505a556fbbe804935cf0f567177b4757 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 16 Mar 2023 15:38:15 +0000
Subject: [PATCH 1/5] CI: Remove most usages of `actions-rs` actions

These actions are unmaintained. The only one we continue to use is `actions-rs/clippy-check` because there is no suitable alternative.
---
 .github/workflows/audits.yml | 22 +++++----------------
 .github/workflows/book.yml | 5 +----
 .github/workflows/lints.yml | 19 +++---------------
 rust-toolchain.toml | 1 +
 4 files changed, 10 insertions(+), 37 deletions(-)

diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml
index db1d6fc8f..374d70ae5 100644
--- a/.github/workflows/audits.yml
+++ b/.github/workflows/audits.yml
@@ -11,20 +11,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
-
- - uses: actions-rs/toolchain@v1
- with:
- toolchain: stable
- override: true
-
- - name: Install cargo-vet
- uses: actions-rs/cargo@v1
- with:
- command: install
- args: cargo-vet
-
- - name: Run cargo vet --locked
- uses: actions-rs/cargo@v1
- with:
- command: vet
- args: --locked
+ - uses: dtolnay/rust-toolchain@stable
+ id: toolchain
+ - run: rustup override set ${{steps.toolchain.outputs.name}}
+ - run: cargo install cargo-vet
+ - run: cargo vet --locked
diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
index 86d3d076c..fac308c59 100644
--- a/.github/workflows/book.yml
+++ b/.github/workflows/book.yml
@@ -21,10 +21,7 @@ jobs:
 mdbook-version: 'latest'
 - name: Install mdbook-katex
- uses: actions-rs/cargo@v1
- with:
- command: install
- args: mdbook-katex
+ run: cargo install mdbook-katex
 - name: Build zcashd book
 run: mdbook build doc/book/
diff --git a/.github/workflows/lints.yml b/.github/workflows/lints.yml
index a53a84054..71ca24dc6 100644
--- a/.github/workflows/lints.yml
+++ b/.github/workflows/lints.yml
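Review bot: The replacement steps in the audits.yml hunk pull third-party code through mutable references: `dtolnay/rust-toolchain@stable` (like the pre-existing `actions/checkout@v3`) resolves to whatever the tag points at on each run, and `cargo install cargo-vet` installs the latest published release even though the next commit in this series pins the vet config to cargo-vet 0.5. A moved tag or a new cargo-vet release therefore changes what the supply-chain audit job executes without any change in this repository. Pinning the action to a full commit SHA (tag kept in a trailing comment) and installing with an explicit version, e.g. `- run: cargo install cargo-vet --version 0.5 --locked`, keeps the job reproducible; the same applies to `run: cargo install mdbook-katex` in the book.yml hunk.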
@@ -75,19 +75,14 @@ jobs:
 if: always()
 rust-clippy:
- name: Clippy (1.68.0)
+ name: Clippy (MSRV)
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- toolchain: 1.68.0
- components: clippy
- override: true
 - name: Run clippy
 uses: actions-rs/clippy-check@v1
 with:
- name: Clippy (1.68.0)
+ name: Clippy (MSRV)
 token: ${{ secrets.GITHUB_TOKEN }}
 args: --all-features --all-targets -- -D warnings
@@ -96,12 +91,4 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- toolchain: 1.68.0
- override: true
- - run: rustup component add rustfmt
- - uses: actions-rs/cargo@v1
- with:
- command: fmt
- args: -- --check
+ - run: cargo fmt -- --check
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
index 421bf0f8b..0cf440a7e 100644
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,2 +1,3 @@
 [toolchain]
 channel = "1.68.0"
+components = ["clippy", "rustfmt"]

From d54f7d001e495e27c65e39a4a0f27b5e538d03ba Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 16 Mar 2023 15:44:31 +0000
Subject: [PATCH 2/5] CI: Migrate to `cargo-vet 0.5`

---
 qa/supply-chain/config.toml | 3 +++
 qa/supply-chain/imports.lock | 49 ------------------------------------
 2 files changed, 3 insertions(+), 49 deletions(-)

diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml
index 717307cb9..8041a9459 100644
--- a/qa/supply-chain/config.toml
+++ b/qa/supply-chain/config.toml
@@ -1,6 +1,9 @@
 # cargo-vet config file
+[cargo-vet]
+version = "0.5"
+
 [imports.bytecode-alliance]
 url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock
index 96b073201..39add1c0f 100644
--- a/qa/supply-chain/imports.lock
+++ b/qa/supply-chain/imports.lock
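Review bot: After this hunk the clippy job's toolchain version and the `clippy` component are no longer visible in lints.yml; they are supplied by `rust-toolchain.toml` (which the rust-toolchain.toml hunk below extends with `components = ["clippy", "rustfmt"]`), and the new job name `Clippy (MSRV)` gives a reader no pointer to where that MSRV is defined. A comment above the `rust-clippy:` job, `# Toolchain version and components come from rust-toolchain.toml`, would record the dependency. The rustfmt hunk (`- run: cargo fmt -- --check`) relies on the same file in the same implicit way and could carry the same comment.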
@@ -150,55 +150,6 @@ criteria = "safe-to-deploy"
 version = "0.42.0"
 notes = "This is a Windows API bindings library maintained by Microsoft themselves."
-[audits.chromeos.criteria.crypto-safe]
-description = """
-All crypto algorithms in this crate have been reviewed by a relevant expert.
-
-**Note**: If a crate does not implement crypto, use `does-not-implement-crypto`,
-which implies `crypto-safe`, but does not require expert review in order to
-audit for."""
-
-[audits.chromeos.criteria.does-not-implement-crypto]
-description = """
-Inspection reveals that the crate in question does not attempt to implement any
-cryptographic algorithms on its own.
-
-Note that certification of this does not require an expert on all forms of
-cryptography: it's expected for crates we import to be \"good enough\" citizens,
-so they'll at least be forthcoming if they try to implement something
-cryptographic. When in doubt, please ask an expert."""
-implies = "crypto-safe"
-
-[audits.chromeos.criteria.rule-of-two-safe-to-deploy]
-description = """
-This is a stronger requirement than the built-in safe-to-deploy criteria,
-motivated by Chromium's rule-of-two related requirements:
-https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md#unsafe-code-in-safe-languages
-
-This crate will not introduce a serious security vulnerability to production
-software exposed to untrusted input.
-
-Auditors are not required to perform a full logic review of the entire crate.
-Rather, they must review enough to fully reason about the behavior of all unsafe
-blocks and usage of powerful imports. For any reasonable usage of the crate in
-real-world software, an attacker must not be able to manipulate the runtime
-behavior of these sections in an exploitable or surprising way.
-
-Ideally, ambient capabilities (e.g. filesystem access) are hardened against
-manipulation and consistent with the advertised behavior of the crate. However,
-some discretion is permitted. In such cases, the nature of the discretion should
-be recorded in the `notes` field of the audit record.
-
-Any unsafe code in this crate must, in general, be kept well-contained, and
-documentation must exist to describe how Rust's invariants are being upheld
-despite the unsafe block(s). Nontrivial uses of unsafe must be reviewed by an
-expert in Rust's unsafety guarantees/non-guarantees.
-
-For crates which generate deployed code (e.g. build dependencies or procedural
-macros), reasonable usage of the crate should output code which meets the above
-criteria."""
-implies = "safe-to-deploy"
-
 [audits.chromeos.audits]
 [[audits.embark-studios.audits.anyhow]]

From 41bd54c8aefc7bd9fe6121530952b65bdd27b1b0 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 16 Mar 2023 15:45:04 +0000
Subject: [PATCH 3/5] cargo vet prune

---
 qa/supply-chain/config.toml | 4 ----
 qa/supply-chain/imports.lock | 5 ++++-
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml
index 8041a9459..ee86cf420 100644
--- a/qa/supply-chain/config.toml
+++ b/qa/supply-chain/config.toml
@@ -703,10 +703,6 @@ criteria = "safe-to-deploy"
 version = "0.1.0"
 criteria = "safe-to-deploy"
-[[exemptions.version_check]]
-version = "0.9.4"
-criteria = "safe-to-deploy"
-
 [[exemptions.want]]
 version = "0.3.0"
 criteria = "safe-to-deploy"
diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock
index 39add1c0f..87e999605 100644
--- a/qa/supply-chain/imports.lock
+++ b/qa/supply-chain/imports.lock
@@ -150,7 +150,10 @@ criteria = "safe-to-deploy"
 version = "0.42.0"
 notes = "This is a Windows API bindings library maintained by Microsoft themselves."
-[audits.chromeos.audits]
+[[audits.chromeos.audits.version_check]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+version = "0.9.4"
 [[audits.embark-studios.audits.anyhow]]
 who = "Johan Andersson "
From ac3568a55781c8b161ad3a55797ad0df7d074f89 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 16 Mar 2023 15:47:40 +0000
Subject: [PATCH 4/5] CI: Provide `write` permission for `pull-requests`

The "recent base" check attempts to remove a label from the PR being checked, which uses the `issues` API. But a `write` permission for the `issues` API appears to be insufficient.
---
 .github/workflows/checks.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 73d057bfe..9d4977dd1 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -5,6 +5,7 @@ on: pull_request_target
 permissions:
 contents: read
 issues: write
+ pull-requests: write
 jobs:
 recent-base:

From feb1f41ce6b5b6784c7b7b5c413c8ecd2abaae20 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 16 Mar 2023 16:22:28 +0000
Subject: [PATCH 5/5] CI: Check out both the base and PR branches for "recent base" check

This should hopefully ensure that we end up with a single Git repository that has both branches in it, enabling `git merge-base --is-ancestor` to work correctly.
---
 .github/workflows/checks.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 9d4977dd1..a39d54a59 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -12,10 +12,17 @@ jobs:
 name: Branch base is sufficiently recent
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - name: Check out the base branch
+ uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ - name: Check out the PR branch
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.head_ref }}
+ fetch-depth: 0
+
 - name: Ensure branch contains necessary commits for Tekton CI
 id: tekton
 # https://github.com/zcash/zcash/pull/6358
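Review bot: The added `pull-requests: write` is granted to a workflow whose trigger is `pull_request_target` (visible in the hunk header), so the token carries repository-scoped write rights while handling pull requests that may come from forks, and the `permissions:` block should stay as narrow as the label step needs. If removing the label from the checked PR was the only reason `issues: write` existed and that call now succeeds through `pull-requests: write`, the `issues: write` line is probably redundant and could be dropped after a confirming run. A comment on the new line, `pull-requests: write  # needed to remove the label from the PR under check`, would record why the grant is there.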
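Review bot: `ref: ${{ github.head_ref }}` in the new "Check out the PR branch" step is only a branch name, and actions/checkout fetches it from `github.repository` unless `repository:` is given, so for a pull request from a fork the ref does not exist in the base repository and the step fails, or may resolve to a base-repository branch that happens to share the name. Checking out the PR head by commit, `ref: ${{ github.event.pull_request.head.sha }}`, resolves the PR's own commits from the base repository and is the usual form under `pull_request_target`. Because this workflow runs on `pull_request_target` with a token that now has `pull-requests: write`, later steps must only inspect the checked-out PR tree with git commands and never execute anything from it; adding `persist-credentials: false` to this checkout also keeps the token out of `.git/config` in the PR-controlled tree. The steps that consume the two checkouts, including the `git merge-base --is-ancestor` call the commit message refers to, lie outside the hunk.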