ci: add the dfinity-sdk.packages.cargo-security-audit job

ci/ci-pr.nix

@@ -1,4 +1,4 @@
 # This file is used to govern CI jobs for GitHub PRs
 
 args@{supportedSystems ? [ "x86_64-linux" ], ...}:
-import ./ci.nix (args // { inherit supportedSystems; })
+import ./ci.nix (args // { inherit supportedSystems; isMaster = false; })

ci/ci.nix

@@ -1,9 +1,14 @@
 { supportedSystems ? [ "x86_64-linux" "x86_64-darwin" ]
 , scrubJobs ? true
+, RustSec-advisory-db ? null
+, isMaster ? true
 }:
 let pkgs = import ../nix {};
 in
 pkgs.ci ../jobset.nix
-  { inherit supportedSystems scrubJobs; isMaster = true;
+  { inherit supportedSystems scrubJobs isMaster;
     rev = pkgs.lib.commitIdFromGitRepo (pkgs.lib.gitDir ../.);
+    packageSetArgs = {
+      inherit RustSec-advisory-db;
+    };
   }

jobset.nix

@@ -3,6 +3,9 @@
 , config ? {}
 , overlays ? []
 , src ? null
+, RustSec-advisory-db ? null
 }: {
-  inherit (import ./nix { inherit system crossSystem config overlays; }) dfinity-sdk;
+  inherit (import ./nix {
+    inherit system crossSystem config overlays RustSec-advisory-db;
+  }) dfinity-sdk;
 }

nix/default.nix

@@ -5,6 +5,7 @@
 , config ? {}
 , overlays ? []
 , releaseVersion ? "latest"
+, RustSec-advisory-db ? null
 }:
 let
   # The `common` repo provides code (mostly Nix) that is used in the
@@ -21,9 +22,18 @@ let
     else builtins.fetchGit {
       name = "common-sources";
       url = "ssh://git@github.com/dfinity-lab/common";
-      rev = "8872018a48260010599e945526fe0dcf28022444";
+      rev = "a066833f9ce8fac453f736639d46021a714682b2";
     };
 in import commonSrc {
   inherit system crossSystem config;
-  overlays = import ./overlays ++ [ (_self: _super: { inherit releaseVersion; }) ] ++ overlays;
+  overlays = import ./overlays ++ [
+    (_self: _super: {
+      inherit
+        releaseVersion
+        # The dfinity-sdk.packages.cargo-security-audit job has this RustSec
+        # advisory-db as a dependency so we add it here to the package set so
+        # that job has access to it.
+        RustSec-advisory-db;
+    })
+  ] ++ overlays;
  }

nix/overlays/dfinity-sdk.nix

@@ -27,6 +27,22 @@ in {
         e2e-tests = super.callPackage ../e2e-tests.nix {};
 
         public-folder = super.callPackage ../public.nix {};
+    } //
+    # We only run `cargo audit` on the `master` branch so to not let PRs
+    # fail because of an updated RustSec advisory-db. Also we only add the
+    # job if the RustSec advisory-db is defined. Note that by default
+    # RustSec-advisory-db is undefined (null). However, on Hydra the
+    # `sdk` master jobset has RustSec-advisory-db defined as an
+    # input. This means that whenever a new security vulnerability is
+    # published or when Cargo.lock has been changed `cargo audit` will
+    # run.
+    self.lib.optionalAttrs (self.isMaster && self.RustSec-advisory-db != null) {
+      cargo-security-audit = self.lib.cargo-security-audit {
+        name = "dfinity-sdk";
+        cargoLock = ../../Cargo.lock;
+        db = self.RustSec-advisory-db;
+        ignores = [];
+      };
     };
 
     dfx-release = mkRelease "dfx" self.releaseVersion packages.rust-workspace-standalone "dfx";