Re-add RUSTSEC-2023-0071 (rsa) and RUSTSEC-2025-0055 (tracing-subscriber)
which were incorrectly removed — they are still in transitive deps.

Add new advisories:
- RUSTSEC-2026-0067 (tar symlink traversal) — no 0.4.x patch available
- RUSTSEC-2026-0068 (tar link following) — no 0.4.x patch available

- Fix refund_cancelled_presale benchmark: add missing start_index and
  batch_size arguments (0, 100) to match the 3-param extrinsic signature
- Remove 3 stale RUSTSEC advisories from deny.toml and security-audit.yml
  (RUSTSEC-2023-0071, RUSTSEC-2025-0055, RUSTSEC-2026-0002 no longer in deps)
- Add RUSTSEC-2026-0049 (rustls-webpki) to ignore lists (upstream kube/jsonrpsee
  haven't released compatible versions yet)
- Add NCSA and CDLA-Permissive-2.0 to allowed licenses in deny.toml
  (both are permissive open-source licenses used by transitive deps)
- Set fail-fast: false on cargo-deny matrix so all checks run
  independently even if one fails

All unmaintained crate warnings are transitive upstream dependencies
that we cannot replace. Disable unmaintained checks in cargo-deny
to prevent false CI failures. Track via quarterly review instead.

- build-linux-stable: disable forklift GCS cache (RUSTC_WRAPPER="")
  that panics without GCP credentials on VPS runners
- prepare-bridges-zombienet-artifacts: fix bridges/testing path to
  pezbridges/testing (rebrand path was not updated in workflow)
- build-rustdoc: use CARGO_TARGET_DIR instead of ./target for doc
  output path (docs generated at /cache/target/doc, not ./target/doc)
- build-push-image-*: add workspace permission fix step before checkout
  to handle root-owned files left by Docker container jobs
- All build jobs: increase timeout from 120 to 180 minutes for VPS
- Add cargo-deny + cargo-audit security audit workflow (weekly + on PR)
- Add deny.toml with license, advisory, and source checks