fix(ci): fix build failures and add security audit workflow

- build-linux-stable: disable forklift GCS cache (RUSTC_WRAPPER="")
  that panics without GCP credentials on VPS runners
- prepare-bridges-zombienet-artifacts: fix bridges/testing path to
  pezbridges/testing (rebrand path was not updated in workflow)
- build-rustdoc: use CARGO_TARGET_DIR instead of ./target for doc
  output path (docs generated at /cache/target/doc, not ./target/doc)
- build-push-image-*: add workspace permission fix step before checkout
  to handle root-owned files left by Docker container jobs
- All build jobs: increase timeout from 120 to 180 minutes for VPS
- Add cargo-deny + cargo-audit security audit workflow (weekly + on PR)
- Add deny.toml with license, advisory, and source checks

.github/workflows/build-publish-images.yml

@@ -16,6 +16,8 @@ permissions: read-all
 
 env:
   COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+  # Disable Parity's forklift GCS cache wrapper - we don't have GCP credentials on our VPS runners
+  RUSTC_WRAPPER: ""
 
 jobs:
   #
@@ -35,7 +37,7 @@ jobs:
   build-linux-stable:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     env:
@@ -95,7 +97,7 @@ jobs:
   build-linux-stable-pezcumulus:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     env:
@@ -131,7 +133,7 @@ jobs:
   build-test-teyrchain:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     env:
@@ -171,7 +173,7 @@ jobs:
   build-test-collators:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
@@ -210,7 +212,7 @@ jobs:
   build-malus:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
@@ -248,7 +250,7 @@ jobs:
   build-linux-bizinikiwi:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
@@ -293,7 +295,7 @@ jobs:
   build-templates-node:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
@@ -336,7 +338,7 @@ jobs:
   prepare-bridges-zombienet-artifacts:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
@@ -349,8 +351,8 @@ jobs:
           cargo build --locked --profile testnet -p pezkuwi-test-malus --bin malus --bin pezkuwi-prepare-worker --bin pezkuwi-execute-worker
       - name: pack artifacts
         run: |
-          mkdir -p ./artifacts/bridges-pezkuwi-sdk/bridges
+          mkdir -p ./artifacts/bridges-pezkuwi-sdk/pezbridges
-          cp -r bridges/testing ./artifacts/bridges-pezkuwi-sdk/bridges/testing
+          cp -r pezbridges/testing ./artifacts/bridges-pezkuwi-sdk/pezbridges/testing
 
       - name: tar
         run: tar -cvf artifacts.tar artifacts
@@ -368,7 +370,7 @@ jobs:
   prepare-pezkuwi-zombienet-artifacts:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
@@ -400,7 +402,7 @@ jobs:
   prepare-pezcumulus-zombienet-artifacts:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
@@ -429,7 +431,7 @@ jobs:
   prepare-teyrchain-templates-zombienet-artifacts:
     needs: [preflight]
     runs-on: ${{ needs.preflight.outputs.RUNNER }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     container:
       image: ${{ needs.preflight.outputs.IMAGE }}
     steps:
@@ -463,8 +465,10 @@ jobs:
   build-push-image-test-teyrchain:
     needs: [preflight, build-test-teyrchain]
     runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     steps:
+      - name: Fix workspace permissions
+        run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -489,8 +493,10 @@ jobs:
   build-push-image-pezkuwi-debug:
     needs: [preflight, build-linux-stable]
     runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     steps:
+      - name: Fix workspace permissions
+        run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -515,8 +521,10 @@ jobs:
   build-push-image-colander:
     needs: [preflight, build-test-collators]
     runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     steps:
+      - name: Fix workspace permissions
+        run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -541,8 +549,10 @@ jobs:
   build-push-image-malus:
     needs: [preflight, build-malus]
     runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     steps:
+      - name: Fix workspace permissions
+        run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -567,8 +577,10 @@ jobs:
   build-push-image-bizinikiwi-pr:
     needs: [preflight, build-linux-bizinikiwi]
     runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     steps:
+      - name: Fix workspace permissions
+        run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -601,8 +613,10 @@ jobs:
         prepare-bridges-zombienet-artifacts,
       ]
     runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     steps:
+      - name: Fix workspace permissions
+        run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -644,8 +658,10 @@ jobs:
   build-push-image-pezkuwi-teyrchain-debug:
     needs: [preflight, build-linux-stable-pezcumulus]
     runs-on: ${{ needs.preflight.outputs.RUNNER_DEFAULT }}
-    timeout-minutes: 120
+    timeout-minutes: 180
     steps:
+      - name: Fix workspace permissions
+        run: sudo chown -R "$(whoami)" "$GITHUB_WORKSPACE" 2>/dev/null || true
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 

.github/workflows/docs.yml

@@ -85,8 +85,8 @@ jobs:
         run: |
           git config --global --add safe.directory '*'
           cargo doc --all-features --workspace --no-deps --locked --exclude pezkuwi-zombienet-sdk-tests
-      - run: rm -f ./target/doc/.lock
+      - run: rm -f ${CARGO_TARGET_DIR}/doc/.lock
-      - run: mv ./target/doc ./crate-docs
+      - run: mv ${CARGO_TARGET_DIR}/doc ./crate-docs
       - name: Inject Simple Analytics script
         run: |
           script_content="<script async defer src=\"https://apisa.pezkuwichain.io/latest.js\"></script><noscript><img src=\"https://apisa.pezkuwichain.io/latest.js\" alt=\"\" referrerpolicy=\"no-referrer-when-downgrade\" /></noscript>"

.github/workflows/security-audit.yml

@@ -0,0 +1,71 @@
+name: Security Audit
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+  # Run weekly on Monday at 06:00 UTC
+  schedule:
+    - cron: "0 6 * * 1"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  isdraft:
+    # Skip draft PRs but always run on schedule/push
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Not a draft"
+
+  cargo-deny:
+    needs: isdraft
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - licenses
+          - sources
+    # Continue on advisory warnings so we see all results
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15
+        with:
+          command: check ${{ matrix.checks }}
+          arguments: --workspace
+
+  cargo-audit:
+    needs: isdraft
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+      - name: Run cargo audit
+        run: cargo audit --deny warnings 2>&1 || true
+      - name: Run cargo audit (deny vulnerabilities only)
+        run: cargo audit
+
+  confirm-security-audit-passed:
+    runs-on: ubuntu-latest
+    name: All security audits passed
+    needs: [cargo-deny, cargo-audit]
+    if: always() && !cancelled()
+    steps:
+      - run: |
+          tee resultfile <<< '${{ toJSON(needs) }}'
+          FAILURES=$(cat resultfile | grep '"result": "failure"' | wc -l)
+          if [ $FAILURES -gt 0 ]; then
+            echo "### At least one security audit failed" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo '### All security audits passed' >> $GITHUB_STEP_SUMMARY
+          fi

deny.toml

@@ -0,0 +1,73 @@
+# cargo-deny configuration for Pezkuwi SDK
+# https://embarkstudios.github.io/cargo-deny/
+
+[graph]
+targets = [
+	{ triple = "x86_64-unknown-linux-gnu" },
+	{ triple = "x86_64-unknown-linux-musl" },
+	{ triple = "wasm32-unknown-unknown" },
+]
+# Exclude test/bench-only crates from checks
+exclude = []
+
+# Advisory database - check for known vulnerabilities
+[advisories]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+ignore = [
+	# Add specific advisory IDs to ignore here with justification:
+	# "RUSTSEC-0000-0000", # reason for ignoring
+]
+
+# License compliance
+[licenses]
+unlicensed = "deny"
+copyleft = "warn"
+allow-osi-fsf-free = "either"
+default = "deny"
+confidence-threshold = 0.8
+allow = [
+	"Apache-2.0",
+	"Apache-2.0 WITH LLVM-exception",
+	"MIT",
+	"MIT-0",
+	"BSD-2-Clause",
+	"BSD-3-Clause",
+	"ISC",
+	"Unlicense",
+	"CC0-1.0",
+	"BSL-1.0",
+	"Unicode-3.0",
+	"Unicode-DFS-2016",
+	"Zlib",
+	"MPL-2.0",
+	"OpenSSL",
+	"GPL-3.0-only WITH Classpath-exception-2.0",
+	"GPL-3.0-or-later WITH Classpath-exception-2.0",
+]
+exceptions = [
+	# ring uses a custom ISC-style license
+	{ allow = ["OpenSSL"], name = "ring" },
+]
+
+[licenses.private]
+ignore = true
+
+# Banned crates and duplicate version detection
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+highlight = "simplest-path"
+# Deny specific problematic crates
+deny = []
+skip = []
+skip-tree = []
+
+# Source origin checks
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []