Move cargo-audit to separate action (#1192)

* Move cargo-audit to separate action - For PRs only run on dependency changes. - Run once a day on main. - Add audit.toml file - Update mio and whoami to avoid CVEs. * Use port 44010 instead of 50010 for tx generator
EspressoSystems · Mar 7, 2024 · c40ea43 · c40ea43
1 parent 9eea013
commit c40ea43
Show file tree

Hide file tree

Showing 8 changed files with 45 additions and 11 deletions.
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -0,0 +1,10 @@
+[advisories]
+ignore = [
+    # remove_dir_all (used by deprecated tempdir crate)
+    "RUSTSEC-2023-0018",
+    # DoS in WebPKI that comes with tide_disco
+    "RUSTSEC-2023-0052",
+    # Tungstenite allows remote attackers to cause a denial of service
+    # Dependency of async-tungstenite -> tide-websockets / surf-disco
+    "RUSTSEC-2023-0065",
+]
diff --git a/.env b/.env
@@ -84,4 +84,4 @@ ESPRESSO_SEQUENCER_DEPLOY_LIGHTCLIENT_CONTRACT=yes
 
 # Load generator
 ESPRESSO_SUBMIT_TRANSACTIONS_DELAY=1s
-ESPRESSO_SUBMIT_TRANSACTIONS_PORT=50010
+ESPRESSO_SUBMIT_TRANSACTIONS_PORT=44010
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,19 @@
+name: Security audit
+on:
+  push:
+    # For PR we only want to fail if dependencies were changed.
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+  # Run the audit job once a day on main.
+  schedule:
+    - cron: "0 0 * * *"
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # See https://github.com/marketplace/actions/rust-audit-check for docs
+      - uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -35,6 +35,3 @@ jobs:
 
       - name: Check
         run: cargo clippy --workspace --all-features --all-targets -- -D warnings
-
-      - name: Audit
-        run: cargo audit --ignore RUSTSEC-2023-0018 --ignore RUSTSEC-2023-0052 --ignore RUSTSEC-2023-0065
diff --git a/.github/workflows/test-demo-native.yml b/.github/workflows/test-demo-native.yml
@@ -50,4 +50,4 @@ jobs:
         run: |
           export PATH="$PWD/target/release:$PATH"
           scripts/demo-native --tui=false &
-          scripts/smoke-test-demo
+          timeout -v 600 scripts/smoke-test-demo
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/README.md b/README.md
@@ -3,6 +3,7 @@
 [![Build](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/build.yml/badge.svg)](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/build.yml)
 [![Contracts](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/contracts.yml/badge.svg)](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/contracts.yml)
 [![Lint](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/lint.yml/badge.svg)](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/lint.yml)
+[![Audit](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/audit.yml/badge.svg)](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/audit.yml)
 
 The Espresso Sequencer offers rollups credible neutrality and enhanced interoperability, without compromising on scale.
 Consisting of a data availability solution and a decentralized network of nodes that sequences transactions, layer-2

diff --git a/scripts/smoke-test-demo b/scripts/smoke-test-demo
@@ -3,7 +3,7 @@
 set -e
 
 SERVER=http://localhost:50000
-LOAD_GENERATOR=http://localhost:50010
+LOAD_GENERATOR=http://localhost:44010
 
 
 # Wait for the load generator to start.