Run cargo audit on committed Cargo.lock (#1315)

* Run cargo audit on committed Cargo.lock The current audit action regenerates the lock file which may hide vulnerabilities in our binaries. Ensure binaries are built with committed lock file by adding the `--locked` flag. Note the `--locked` flag is currently documented in a confusing way in `cargo --help`. A fix for that has been merged into cargo recently: rust-lang/cargo#13665 * Add --locked to cargo test invocations
EspressoSystems · Apr 18, 2024 · 752608b · 752608b
1 parent aef9cae
commit 752608b
Show file tree

Hide file tree

Showing 7 changed files with 19 additions and 12 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -23,6 +23,13 @@ jobs:
       - uses: actions/checkout@v4
 
       # See https://github.com/rustsec/audit-check for docs
-      - uses: rustsec/audit-check@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+      # TODO: re-enable if https://github.com/rustsec/audit-check/pull/20 is merged
+      # - uses: rustsec/audit-check@v1
+      #   with:
+      #     token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Currently the rustsec/audit-check action regenerates the Cargo.lock
+      # file. Our binaries are built using the committed lock file.
+      # Re-generating the lock file can hide vulnerabilities. We therefore run
+      # cargo audit directly which respects our lock file.
+      - run: cargo audit
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -50,7 +50,7 @@ jobs:
       - name: Build
         # Build in release without `testing` feature, this should work without `hotshot_example` config.
         run: |
-          cargo build --release --workspace
+          cargo build --locked --release --workspace
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v3
@@ -92,7 +92,7 @@ jobs:
 
       - name: Build
         run: |
-          cargo build --release --workspace
+          cargo build --locked --release --workspace
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v3

diff --git a/.github/workflows/build_static.yml b/.github/workflows/build_static.yml
@@ -68,7 +68,7 @@ jobs:
       - name: Compile all executables
         # timeout-minutes: 120
         run: |
-          nix develop $DEVSHELL --accept-flake-config --option sandbox relaxed -c cargo build --release
+          nix develop $DEVSHELL --accept-flake-config --option sandbox relaxed -c cargo build --locked --release
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v3

diff --git a/.github/workflows/contracts.yml b/.github/workflows/contracts.yml
@@ -73,7 +73,7 @@ jobs:
 
       - name: Build diff-test
         run: |
-          nix develop --accept-flake-config -c cargo build --bin diff-test --release
+          nix develop --accept-flake-config -c cargo build --locked --bin diff-test --release
 
       - name: Run tests (quick version for PR)
         if: ${{ github.event_name == 'pull_request' }}

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -30,7 +30,7 @@ jobs:
       - name: Enable Rust Caching
         uses: Swatinem/rust-cache@v2
 
-      - run: cargo +nightly test --all-features --no-fail-fast --release --workspace --exclude contract-bindings --exclude gen-vk-contract --exclude hotshot-contract-adapter --exclude diff-test-hotshot -- --skip service::test::test_
+      - run: cargo +nightly test --locked --all-features --no-fail-fast --release --workspace --exclude contract-bindings --exclude gen-vk-contract --exclude hotshot-contract-adapter --exclude diff-test-hotshot -- --skip service::test::test_
         env:
           CARGO_INCREMENTAL: '0'
           RUSTFLAGS: '-Zprofile -Ccodegen-units=1 -Cinline-threshold=0 -Clink-dead-code -Coverflow-checks=off -Cpanic=abort -Zpanic_abort_tests -Cdebuginfo=2 --cfg async_executor_impl="async-std" --cfg async_channel_impl="async-std" --cfg hotshot_example'

diff --git a/.github/workflows/test-demo-native.yml b/.github/workflows/test-demo-native.yml
@@ -44,7 +44,7 @@ jobs:
         uses: Swatinem/rust-cache@v2
 
       - name: Build
-        run: cargo build --release
+        run: cargo build --locked --release
 
       - name: Test Demo
         run: |

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -54,7 +54,7 @@ jobs:
           export PATH="$PWD/target/release:$PATH"
           export AZTEC_SRS_PATH="$PWD/data/aztec20/kzg10-aztec20-srs-65544.bin"
           ./scripts/download_srs_aztec.sh
-          cargo build --bin diff-test --release
-          cargo test --release --workspace --all-features --no-run
-          cargo test --release --workspace --all-features --verbose -- --test-threads 1 --nocapture
+          cargo build --locked --bin diff-test --release
+          cargo test --locked --release --workspace --all-features --no-run
+          cargo test --locked --release --workspace --all-features --verbose -- --test-threads 1 --nocapture
         timeout-minutes: 30