fix(ci): fix build failures and add security audit workflow

- build-linux-stable: disable forklift GCS cache (RUSTC_WRAPPER="")
  that panics without GCP credentials on VPS runners
- prepare-bridges-zombienet-artifacts: fix bridges/testing path to
  pezbridges/testing (rebrand path was not updated in workflow)
- build-rustdoc: use CARGO_TARGET_DIR instead of ./target for doc
  output path (docs generated at /cache/target/doc, not ./target/doc)
- build-push-image-*: add workspace permission fix step before checkout
  to handle root-owned files left by Docker container jobs
- All build jobs: increase timeout from 120 to 180 minutes for VPS
- Add cargo-deny + cargo-audit security audit workflow (weekly + on PR)
- Add deny.toml with license, advisory, and source checks
2026-02-25 19:39:47 +03:00
parent 97bc5a5092
commit c55a371edb
4 changed files with 182 additions and 22 deletions
+36 -20
@@ -16,6 +16,8 @@ permissions: read-all
env:
COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
# Disable Parity's forklift GCS cache wrapper - we don't have GCP credentials on our VPS runners
RUSTC_WRAPPER: ""
jobs:
#
@@ -35,7 +37,7 @@ jobs:
build-linux-stable:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
env:
@@ -95,7 +97,7 @@ jobs:
build-linux-stable-pezcumulus:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
env:
@@ -131,7 +133,7 @@ jobs:
build-test-teyrchain:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
env:
@@ -171,7 +173,7 @@ jobs:
build-test-collators:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
steps:
@@ -210,7 +212,7 @@ jobs:
build-malus:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
steps:
@@ -248,7 +250,7 @@ jobs:
build-linux-bizinikiwi:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
steps:
@@ -293,7 +295,7 @@ jobs:
build-templates-node:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
steps:
@@ -336,7 +338,7 @@ jobs:
prepare-bridges-zombienet-artifacts:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
steps:
@@ -349,8 +351,8 @@ jobs:
cargo build --locked --profile testnet -p pezkuwi-test-malus --bin malus --bin pezkuwi-prepare-worker --bin pezkuwi-execute-worker
- name: pack artifacts
run: |
mkdir -p ./artifacts/bridges-pezkuwi-sdk/bridges
cp -r bridges/testing ./artifacts/bridges-pezkuwi-sdk/bridges/testing
mkdir -p ./artifacts/bridges-pezkuwi-sdk/pezbridges
cp -r pezbridges/testing ./artifacts/bridges-pezkuwi-sdk/pezbridges/testing
- name: tar
run: tar -cvf artifacts.tar artifacts
@@ -368,7 +370,7 @@ jobs:
prepare-pezkuwi-zombienet-artifacts:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
steps:
@@ -400,7 +402,7 @@ jobs:
prepare-pezcumulus-zombienet-artifacts:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
steps:
@@ -429,7 +431,7 @@ jobs:
prepare-teyrchain-templates-zombienet-artifacts:
needs: [preflight]
runs-on: ${{ needs.preflight.outputs.RUNNER }}
timeout-minutes: 120
timeout-minutes: 180
container:
image: ${{ needs.preflight.outputs.IMAGE }}
steps:
@@ -463,8 +465,10 @@ jobs:
build-push-image-test-teyrchain:
needs: [preflight, build-test-teyrchain]
runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
timeout-minutes: 120
timeout-minutes: 180
steps:
- name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -489,8 +493,10 @@ jobs:
build-push-image-pezkuwi-debug:
needs: [preflight, build-linux-stable]
runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
timeout-minutes: 120
timeout-minutes: 180
steps:
- name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -515,8 +521,10 @@ jobs:
build-push-image-colander:
needs: [preflight, build-test-collators]
runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
timeout-minutes: 120
timeout-minutes: 180
steps:
- name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -541,8 +549,10 @@ jobs:
build-push-image-malus:
needs: [preflight, build-malus]
runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
timeout-minutes: 120
timeout-minutes: 180
steps:
- name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -567,8 +577,10 @@ jobs:
build-push-image-bizinikiwi-pr:
needs: [preflight, build-linux-bizinikiwi]
runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
timeout-minutes: 120
timeout-minutes: 180
steps:
- name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -601,8 +613,10 @@ jobs:
prepare-bridges-zombienet-artifacts,
]
runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
timeout-minutes: 120
timeout-minutes: 180
steps:
- name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -644,8 +658,10 @@ jobs:
build-push-image-pezkuwi-teyrchain-debug:
needs: [preflight, build-linux-stable-pezcumulus]
runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
timeout-minutes: 120
timeout-minutes: 180
steps:
- name: Fix workspace permissions
run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
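Review bot: The new `Fix workspace permissions` step in build-push-image-test-teyrchain (and the identical copy in the six other build-push-image jobs of this section) discards every error with `2>/dev/null || true`, so when `sudo` is missing or prompts for a password on the self-hosted runner the step is still green and the real failure only surfaces in the following checkout with a less obvious message. Running sudo non-interactively and recording the failure keeps the best-effort behaviour while leaving a trace: `run: sudo -n chown -R "$(id -u):$(id -g)" "$GITHUB_WORKSPACE" || echo "::warning::could not reset ownership of $GITHUB_WORKSPACE"`. Using `id -u`/`id -g` also resets the group owner, which `chown "$(whoami)"` leaves as root. Since the line is copy-pasted seven times, a comment above it stating the assumption (`# requires passwordless sudo on the runner; repairs root-owned files left by container jobs`) or a shared composite step would keep the copies in sync.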
+2 -2
@@ -85,8 +85,8 @@ jobs:
run: |
git config --global --add safe.directory '*'
cargo doc --all-features --workspace --no-deps --locked --exclude pezkuwi-zombienet-sdk-tests
- run: rm -f ./target/doc/.lock
- run: mv ./target/doc ./crate-docs
- run: rm -f ${CARGO_TARGET_DIR}/doc/.lock
- run: mv ${CARGO_TARGET_DIR}/doc ./crate-docs
- name: Inject Simple Analytics script
run: |
script_content="<script async defer src=\"https://apisa.pezkuwichain.io/latest.js\"></script><noscript><img src=\"https://apisa.pezkuwichain.io/latest.js\" alt=\"\" referrerpolicy=\"no-referrer-when-downgrade\" /></noscript>"
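Review bot: `${CARGO_TARGET_DIR}` in the two changed `run:` lines is unquoted and unguarded, so if the variable is unset in this job's environment the commands become `rm -f /doc/.lock` and `mv /doc ./crate-docs`, and the resulting error would not point at the real cause. The `:?` expansion fails fast with a clear message: `- run: rm -f "${CARGO_TARGET_DIR:?}/doc/.lock"` and `- run: mv "${CARGO_TARGET_DIR:?}/doc" ./crate-docs`. Where CARGO_TARGET_DIR is defined (job `env:` or the container image) is outside this hunk, so the guard is the only thing that makes the dependency visible here.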
+71
@@ -0,0 +1,71 @@
name: Security Audit
on:
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
# Run weekly on Monday at 06:00 UTC
schedule:
- cron: "0 6 * * 1"
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
isdraft:
# Skip draft PRs but always run on schedule/push
if: github.event_name != 'pull_request' || !github.event.pull_request.draft
runs-on: ubuntu-latest
steps:
- run: echo "Not a draft"
cargo-deny:
needs: isdraft
runs-on: ubuntu-latest
timeout-minutes: 30
strategy:
matrix:
checks:
- advisories
- licenses
- sources
# Continue on advisory warnings so we see all results
continue-on-error: ${{ matrix.checks == 'advisories' }}
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15
with:
command: check ${{ matrix.checks }}
arguments: --workspace
cargo-audit:
needs: isdraft
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- name: Run cargo audit
run: cargo audit --deny warnings 2>&1 || true
- name: Run cargo audit (deny vulnerabilities only)
run: cargo audit
confirm-security-audit-passed:
runs-on: ubuntu-latest
name: All security audits passed
needs: [cargo-deny, cargo-audit]
if: always() && !cancelled()
steps:
- run: |
tee resultfile <<< '${{ toJSON(needs) }}'
FAILURES=$(cat resultfile | grep '"result": "failure"' | wc -l)
if [ $FAILURES -gt 0 ]; then
echo "### At least one security audit failed" >> $GITHUB_STEP_SUMMARY
exit 1
else
echo '### All security audits passed' >> $GITHUB_STEP_SUMMARY
fi
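Review bot: The new workflow declares no `permissions:` block, so on `push` to main it runs third-party actions and a freshly installed binary with the repository's default GITHUB_TOKEN scope although it only needs to read the tree; the build workflow in this same commit uses `permissions: read-all`, and adding `permissions:` / `  contents: read` at the top level here would match it. `cargo install cargo-audit --locked` also pulls whatever cargo-audit version crates.io serves at run time, unlike the SHA-pinned checkout and cargo-deny actions next to it; pinning with `--version <CARGO_AUDIT_VERSION_PLACEHOLDER>` keeps the audit tool itself reproducible. Finally, `continue-on-error: ${{ matrix.checks == 'advisories' }}` makes the advisories matrix leg report success to confirm-security-audit-passed even when cargo-deny finds a vulnerability, so only the bare `cargo audit` step in the cargo-audit job actually gates; a comment such as `# NOTE: advisories never block the gate job; the cargo-audit job is the blocking vulnerability check` above that line would make the intended behaviour explicit.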