add cargo audit check #624
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| on: | |
| pull_request: | |
| merge_group: | |
| jobs: | |
| build_binary: | |
| name: "Build neard" | |
| runs-on: ubuntu-22.04-16core | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 | |
| with: | |
| prefix-key: "0" # change this to invalidate CI cache | |
| shared-key: "cargo_nextest-linux" | |
| save-if: "false" # use the cache from nextest, but don’t double-save | |
| - run: cargo build --locked --profile quick-release -p neard --bin neard | |
| - uses: actions/upload-artifact@v3 | |
| with: | |
| name: neard | |
| path: target/quick-release/neard | |
| if-no-files-found: error | |
| retention-days: 1 | |
| cargo_nextest: | |
| name: "Cargo Nextest (${{matrix.name}})" | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - name: Linux | |
| cache_id: linux | |
| os: ubuntu-22.04-16core | |
| flags: "" | |
| - name: Linux Nightly | |
| cache_id: linux | |
| os: ubuntu-22.04-16core | |
| flags: "--features nightly,test_features" | |
| - name: MacOS | |
| cache_id: macos | |
| os: macos-latest-xlarge | |
| # FIXME: some of these tests don't work very well on MacOS at the moment. Should fix | |
| # them at earliest convenience :) | |
| flags: "--exclude integration-tests --exclude node-runtime --exclude runtime-params-estimator --exclude near-network --exclude estimator-warehouse" | |
| timeout-minutes: 90 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: baptiste0928/cargo-install@21a18ba3bf4a184d1804e8b759930d3471b1c941 | |
| with: | |
| crate: cargo-nextest | |
| - uses: baptiste0928/cargo-install@21a18ba3bf4a184d1804e8b759930d3471b1c941 | |
| with: | |
| crate: cargo-deny | |
| - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 | |
| with: | |
| prefix-key: "0" # change this to invalidate CI cache | |
| shared-key: "cargo_nextest-${{ matrix.cache_id }}" | |
| - run: cargo nextest run --locked --workspace -p '*' --cargo-profile quick-release --profile ci ${{ matrix.flags }} | |
| env: | |
| RUST_BACKTRACE: short | |
| protobuf_backward_compat: | |
| name: "Protobuf Backward Compatibility" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: bufbuild/buf-setup-action@1158f4fa81bc02e1ff62abcca6d516c9e24c77da | |
| - uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 | |
| with: | |
| against: "https://github.com/near/nearcore.git#${{github.event.pull_request.base.sha && format('ref={0}', github.event.pull_request.base.sha) || 'branch=master' }}" | |
| py_backward_compat: | |
| name: "Backward Compatibility" | |
| needs: build_binary | |
| runs-on: ubuntu-22.04 | |
| defaults: | |
| run: | |
| working-directory: ./pytest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| cache: pip | |
| - uses: actions/download-artifact@v3 | |
| with: | |
| name: neard | |
| path: pytest # NB: this does not account for defaults.run.working-directory | |
| - run: echo "CURRENT_NEARD=$PWD/neard" >> "$GITHUB_ENV" | |
| - run: chmod +x "$CURRENT_NEARD" | |
| - run: pip3 install --user -r requirements.txt | |
| - run: python3 tests/sanity/backward_compatible.py | |
| py_db_migration: | |
| name: "Database Migration" | |
| needs: build_binary | |
| runs-on: ubuntu-22.04 | |
| defaults: | |
| run: | |
| working-directory: ./pytest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| cache: pip | |
| - uses: actions/download-artifact@v3 | |
| with: | |
| name: neard | |
| path: pytest # NB: this does not account for defaults.run.working-directory | |
| - run: echo "CURRENT_NEARD=$PWD/neard" >> "$GITHUB_ENV" | |
| - run: echo "NEAR_ROOT=$PWD" >> "$GITHUB_ENV" | |
| - run: chmod +x "$CURRENT_NEARD" | |
| - run: pip3 install --user -r requirements.txt | |
| - run: python3 tests/sanity/db_migration.py | |
| py_sanity_checks: | |
| name: "Sanity Checks" | |
| runs-on: ubuntu-22.04-16core | |
| strategy: | |
| fail-fast: false | |
| timeout-minutes: 90 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| cache: pip | |
| - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 | |
| with: | |
| prefix-key: "0" # change this to invalidate CI cache | |
| shared-key: "cargo_nextest-linux" | |
| save-if: "false" # use the cache from nextest, but don’t double-save | |
| - run: pip3 install --user -r pytest/requirements.txt | |
| # This is the only job that uses `--features nightly` so we build this in-line instead of a | |
| # separate job like done with the regular neard. | |
| - run: cargo build --profile quick-release -p neard --bin neard --features nightly | |
| # Note: We're not running spin_up_cluster.py for non-nightly | |
| # because spinning up non-nightly clusters is already covered | |
| # by other steps in the CI, e.g. upgradable. | |
| - run: python3 pytest/tests/sanity/spin_up_cluster.py | |
| env: | |
| NEAR_ROOT: "target/quick-release" | |
| py_genesis_check: | |
| name: "Genesis Changes" | |
| needs: build_binary | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| cache: pip | |
| - uses: actions/download-artifact@v3 | |
| with: | |
| name: neard | |
| path: target/quick-release | |
| - run: echo "CURRENT_NEARD=$PWD/target/quick-release/neard" >> "$GITHUB_ENV" | |
| - run: chmod +x "$CURRENT_NEARD" | |
| - run: pip3 install --user -r pytest/requirements.txt | |
| - run: python3 scripts/state/update_res.py check | |
| py_style_check: | |
| name: "Style" | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| cache: pip | |
| - run: pip3 install --user -r pytest/requirements.txt | |
| - run: python3 scripts/check_nightly.py | |
| - run: python3 scripts/check_pytests.py | |
| - run: python3 scripts/fix_nightly_feature_flags.py | |
| - run: ./scripts/formatting --check | |
| py_upgradability: | |
| name: "Upgradability" | |
| needs: build_binary | |
| runs-on: ubuntu-22.04 | |
| defaults: | |
| run: | |
| working-directory: ./pytest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.11 | |
| cache: pip | |
| - uses: actions/download-artifact@v3 | |
| with: | |
| name: neard | |
| path: pytest # NB: this does not account for defaults.run.working-directory | |
| - run: echo "CURRENT_NEARD=$PWD/neard" >> "$GITHUB_ENV" | |
| - run: chmod +x "$CURRENT_NEARD" | |
| - run: pip3 install --user -r requirements.txt | |
| - run: python3 tests/sanity/upgradable.py | |
| rpc_error_schema: | |
| name: "RPC Schema" | |
| runs-on: ubuntu-22.04-8core | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 | |
| with: | |
| prefix-key: "0" # change this to invalidate CI cache | |
| shared-key: "cargo_nextest-linux" | |
| save-if: "false" # use the cache from nextest, but don’t double-save | |
| - run: ./chain/jsonrpc/build_errors_schema.sh | |
| - run: git diff --quiet ./chain/jsonrpc/res/rpc_errors_schema.json || exit 1 | |
| cargo_audit: | |
| name: "Cargo Audit" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: baptiste0928/cargo-install@21a18ba3bf4a184d1804e8b759930d3471b1c941 | |
| with: | |
| crate: cargo-audit | |
| - run: cargo audit -D warnings |