ci: Migrate audit steps from Buildkite to GitHub Actions

.buildkite/code.pipeline.yml

@@ -86,20 +86,6 @@ steps:
     plugins:
       <<: *docker_plugin
 
-  - label: Audit Rust dependencies for vulnerabilities
-    command: .buildkite/rust/cargo_audit.sh
-    retry:
-      <<: *retry_agent_failure
-    plugins:
-      <<: *docker_plugin
-
-  - label: Audit Go dependencies for vulnerabilities
-    command: .buildkite/go/nancy_audit.sh
-    retry:
-      <<: *retry_agent_failure
-    plugins:
-      <<: *docker_plugin
-
   ############
   # Build jobs
   ############

.changelog/3517.internal.md

@@ -0,0 +1,8 @@
+Make: Add audit targets
+
+Add a general `audit` target that depends on the following audit targets:
+
+- `audit-go`: Audit Go dependencies for vulnerabilities,
+- `audit-rust`: Audit Rust dependencies for vulnerabilities.
+
+Add `audit` target to `Makefile` in `go/`.

.github/workflows/ci-audit-rust.yml

@@ -0,0 +1,48 @@
+# NOTE: This name appears in GitHub's Checks API and in workflow's status badge.
+name: ci-audit-rust
+
+# Trigger the workflow when:
+on:
+  # A push occurs to one of the matched branches.
+  push:
+    # XXX: Ideally, on the master branch we would only run this workflow if
+    # there are changes to the Cargo.toml or Cargo.local files (like for pull
+    # requests).
+    # However, this doesn't work when pushing a new 'stable/*' branch. The build
+    # on a new branch does not trigger unless there are changes compared to
+    # master on the filtered path.
+    # If this is ever fixed, or per branch filters are possible, bring back the
+    # path filter to only run this workflow if there are changes to the
+    # Cargo.toml or Cargo.local files.
+    branches:
+      - master
+      - stable/*
+  # Or when a pull request event occurs for a pull request against one of the
+  # matched branches and at least one modified file matches the configured
+  # paths.
+  pull_request:
+    branches:
+      - master
+      - stable/*
+    paths:
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+  # Or every day at 04:00 UTC (for the default/master branch).
+  schedule:
+    - cron: "0 4 * * *"
+
+jobs:
+
+  audit-rust:
+    # NOTE: This name appears in GitHub's Checks API.
+    name: audit-rust
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      # NOTE: To run this step locally, make sure you have cargo-audit installed
+      # and run 'make audit-rust'.
+      - name: Audit Rust dependencies for vulnerabilities
+        uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci-lint.yml

@@ -48,6 +48,22 @@ jobs:
           python -m pip install \
             https://github.com/oasislabs/towncrier/archive/oasis-master.tar.gz \
             gitlint
+      - name: Install Nancy
+        run: |
+          set -eux
+          cd $(mktemp --directory /tmp/nancy.XXXXX)
+          NANCY_TARBALL=nancy-linux.amd64-v${NANCY_VERSION}.tar.gz
+          ${CURL_CMD} ${NANCY_URL_PREFIX}/v${NANCY_VERSION}/${NANCY_TARBALL} \
+            --output ${NANCY_TARBALL}
+          ${CURL_CMD} ${NANCY_URL_PREFIX}/v${NANCY_VERSION}/nancychecksums.txt \
+            --output CHECKSUMS
+          sha256sum --check --ignore-missing CHECKSUMS
+          tar -xf ${NANCY_TARBALL}
+          sudo mv nancy /usr/local/bin
+        env:
+          NANCY_URL_PREFIX: https://github.com/sonatype-nexus-community/nancy/releases/download/
+          NANCY_VERSION: 1.0.1
+          CURL_CMD: curl --proto =https --tlsv1.2 -sSL --fail
       - name: Check for presence of a Change Log fragment (only pull requests)
         run: |
           # Fetch the pull request' base branch so towncrier will be able to
@@ -81,6 +97,11 @@ jobs:
           make lint-docs
         # Always run this step so that all linting errors can be seen at once.
         if: always()
+      - name: Audit Go dependencies for vulnerabilities
+        run: |
+          make audit-go
+        # Always run this step so that all linting errors can be seen at once.
+        if: always()
       - name: Check go mod tidy
         # NOTE: go mod tidy doesn't implement a check mode yet.
         # For more details, see: https://github.com/golang/go/issues/27005.

Makefile

@@ -87,6 +87,18 @@ lint-docs:
 
 lint: $(lint-targets)
 
+# Audit dependencies for vulnerabilities.
+audit-targets := audit-go audit-rust
+
+audit-go:
+	@$(MAKE) -C go audit
+
+audit-rust:
+	@$(ECHO) "$(CYAN)*** Running cargo audit...$(OFF)"
+	@cargo audit
+
+audit: $(audit-targets)
+
 # Test.
 test-unit-targets := test-unit-rust test-unit-go
 test-targets := test-unit test-e2e
@@ -214,6 +226,7 @@ docker-shell:
 	update-docs \
 	$(fmt-targets) fmt \
 	$(lint-targets) lint \
+	$(audit-targets) audit \
 	$(test-unit-targets) $(test-targets) test \
 	$(clean-targets) clean \
 	fetch-git \

README.md

@@ -2,6 +2,7 @@
 
 [![Build status][buildkite-badge]][buildkite-link]
 [![CI lint status][github-ci-lint-badge]][github-ci-lint-link]
+[![CI audit Rust status][github-ci-audit-rust-badge]][github-ci-audit-rust-link]
 [![CI reproducibility status][github-ci-repr-badge]][github-ci-repr-link]
 [![Docker status][github-docker-badge]][github-docker-link]
 [![Release status][github-release-badge]][github-release-link]
@@ -19,6 +20,8 @@ work around that and make the second (non-header) row also bold. -->
 [buildkite-link]: https://buildkite.com/oasisprotocol/oasis-core-ci
 [github-ci-lint-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-lint/badge.svg
 [github-ci-lint-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-lint+branch:master
+[github-ci-audit-rust-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-audit-rust/badge.svg
+[github-ci-audit-rust-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-audit-rust+branch:master
 [github-ci-repr-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-reproducibility/badge.svg
 [github-ci-repr-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-reproducibility
 [github-docker-badge]: https://github.com/oasisprotocol/oasis-core/workflows/docker/badge.svg

go/Makefile

@@ -59,6 +59,11 @@ lint:
 	@$(ECHO) "$(CYAN)*** Running Go linters...$(OFF)"
 	@env -u GOPATH golangci-lint run --timeout 4m
 
+# Audit dependencies for vulnerabilities.
+audit:
+	@$(ECHO) "$(CYAN)*** Running Nancy...$(OFF)"
+	@$(GO) list -json -m all | nancy sleuth
+
 # Test.
 test-targets := test-unit test-node
 
@@ -138,7 +143,7 @@ clean:
 	generate $(go-binaries) $(go-plugins) build \
 	$(test-helpers) build-helpers \
 	$(test-vectors-targets) \
-	fmt lint \
+	fmt lint audit \
 	$(test-targets) test force-test \
 	$(fuzz-targets) build-fuzz \
 	clean all