diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index cb1e2979d..20eb4706d 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -26,6 +26,13 @@ jobs: uses: ./.github/actions/install-capnp # See https://github.com/rustsec/audit-check for docs
- - uses: rustsec/audit-check@v1
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
+ # TODO: re-enable if https://github.com/rustsec/audit-check/pull/20 is merged
+ # - uses: rustsec/audit-check@v1
+ # with:
+ # token: ${{ secrets.GITHUB_TOKEN }}
+
+ # Currently the rustsec/audit-check action regenerates the Cargo.lock
+ # file. Our binaries are built using the committed lock file.
+ # Re-generating the lock file can hide vulnerabilities. We therefore run
+ # cargo audit directly which respects our lock file.
+ - run: cargo audit
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 24031d841..42d6666e7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -53,7 +53,7 @@ jobs: - name: Build # Build in release without `testing` feature, this should work without `hotshot_example` config. run: |
- cargo build --release --workspace
+ cargo build --locked --release --workspace - name: Upload artifacts uses: actions/upload-artifact@v3
@@ -98,7 +98,7 @@ jobs: - name: Build run: |
- cargo build --release --workspace
+ cargo build --locked --release --workspace - name: Upload artifacts uses: actions/upload-artifact@v3
diff --git a/.github/workflows/build_static.yml b/.github/workflows/build_static.yml
index 32ba387e0..edc0a941c 100644
--- a/.github/workflows/build_static.yml
+++ b/.github/workflows/build_static.yml
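Review bot: The new `- run: cargo audit` step in audit.yml assumes the `cargo-audit` subcommand is already on the runner, and nothing in this hunk installs it; the only visible setup is `./.github/actions/install-capnp`, so unless a step above the hunk (the job's earlier steps are outside it) runs `cargo install cargo-audit --locked`, the job fails with an unknown-subcommand error instead of an audit result. Replacing the action with a bare `run:` also means findings are no longer published through the action's check run (the reason it needed `GITHUB_TOKEN`) and only appear in the step log, and the step has no `name:`, which makes a failure harder to spot in the job summary. I would write the step as `- name: Audit dependencies against committed Cargo.lock` / `  run: cargo audit`, and extend the TODO comment with one line naming which earlier step provides `cargo-audit` so the dependency is explicit.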
@@ -68,7 +68,7 @@ jobs: - name: Compile all executables # timeout-minutes: 120 run: |
- nix develop $DEVSHELL --accept-flake-config --option sandbox relaxed -c cargo build --release
+ nix develop $DEVSHELL --accept-flake-config --option sandbox relaxed -c cargo build --locked --release - name: Upload artifacts uses: actions/upload-artifact@v3
diff --git a/.github/workflows/contracts.yml b/.github/workflows/contracts.yml
index 4127b8962..db0b825bd 100644
--- a/.github/workflows/contracts.yml
+++ b/.github/workflows/contracts.yml
@@ -73,7 +73,7 @@ jobs: - name: Build diff-test run: |
- nix develop --accept-flake-config -c cargo build --bin diff-test --release
+ nix develop --accept-flake-config -c cargo build --locked --bin diff-test --release - name: Run tests (quick version for PR) if: ${{ github.event_name == 'pull_request' }}
@@ -85,4 +85,3 @@ jobs: if: ${{ github.event_name != 'pull_request' }} run: | nix develop --accept-flake-config -c forge test -vvv
- 
\ No newline at end of file
diff --git a/.github/workflows/test-demo-native.yml b/.github/workflows/test-demo-native.yml
index 3e8d56456..dd8acbcc0 100644
--- a/.github/workflows/test-demo-native.yml
+++ b/.github/workflows/test-demo-native.yml
@@ -47,7 +47,7 @@ jobs: uses: ./.github/actions/install-capnp - name: Build
- run: cargo build --release
+ run: cargo build --locked --release - name: Test Demo run: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 129818907..9cbc171d7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -32,7 +32,7 @@ jobs: - name: Install Foundry uses: foundry-rs/foundry-toolchain@v1 with:
- version: nightly-2cb875799419c907cc3709e586ece2559e6b340e # Not using the default version because likely of this bug https://github.com/foundry-rs/foundry/issues/7120
+ version: nightly-2cb875799419c907cc3709e586ece2559e6b340e # Not using the default version because likely of this bug https://github.com/foundry-rs/foundry/issues/7120 - name: Install just command runner run: |
@@ -55,7 +55,7 @@ jobs: run: | export RUSTFLAGS="$RUSTFLAGS --cfg hotshot_example" export PATH="$PWD/target/release:$PATH"
- cargo build --bin diff-test --release
+ cargo build --locked --bin diff-test --release cargo test --release --workspace --all-features --no-run cargo test --release --workspace --all-features --verbose -- --test-threads 1 --nocapture timeout-minutes: 30
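Review bot: In the second test.yml hunk `--locked` is added only to the `cargo build --bin diff-test --release` line, while the two `cargo test --release --workspace --all-features` invocations that follow in the same `run:` block stay unlocked, so a stale `Cargo.lock` is still silently re-resolved one line later by the test build and the guarantee the commit is adding is bypassed for the tests themselves. I would change those two lines to `cargo test --locked --release --workspace --all-features --no-run` and `cargo test --locked --release --workspace --all-features --verbose -- --test-threads 1 --nocapture`. The step's `- name:` line is above the hunk; only its `run:` block and `timeout-minutes: 30` are visible here.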