pezkuwichain/pezkuwi-sdk
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
331 Commits 1 Branch 0 Tags
2fbe8da2cd768e4db2c4e4b1143830883b194ba8
Commit Graph

8 Commits

Author SHA1 Message Date
pezkuwichain 2fbe8da2cd fix(security): add NCSA and CDLA-Permissive-2.0 licenses, disable fail-fast 
- Add NCSA and CDLA-Permissive-2.0 to allowed licenses in deny.toml
  (both are permissive open-source licenses used by transitive deps)
- Set fail-fast: false on cargo-deny matrix so all checks run
  independently even if one fails
 2026-03-05 03:28:41 +03:00
pezkuwichain 6e307b0999 fix(security): set unmaintained=none in deny.toml 
All unmaintained crate warnings are transitive upstream dependencies
that we cannot replace. Disable unmaintained checks in cargo-deny
to prevent false CI failures. Track via quarterly review instead.
 2026-03-05 03:11:35 +03:00
pezkuwichain 4f672222f7 fix(security): upgrade deps and enforce security audit workflow 
- Upgrade bytes 1.11.0 → 1.11.1 (RUSTSEC-2026-0007 integer overflow)
- Upgrade time 0.3.46 → 0.3.47 (RUSTSEC-2026-0009 DoS stack exhaustion)
- Upgrade git2 0.20.3 → 0.20.4 (RUSTSEC-2026-0008 undefined behavior)
- Upgrade keccak 0.1.5 → 0.1.6 (RUSTSEC-2026-0012 unsoundness)
- Add ignore rules in deny.toml for unfixable upstream advisories
  (wasmtime 37.x, rsa, tracing-subscriber 0.2.x, lru)
- Remove continue-on-error from security-audit workflow — audit is now
  enforced and will block CI on new unignored vulnerabilities
 2026-03-05 03:00:59 +03:00
pezkuwichain 20ad3489ee fix(ci): fix deny.toml taplo formatting (tabs + sorted arrays) 2026-02-25 21:43:36 +03:00
pezkuwichain 070553a89d fix(ci): add GPL-3.0-only to allowed licenses, fix taplo formatting 2026-02-25 21:27:05 +03:00
pezkuwichain e5b3f453eb fix(ci): fix cargo-deny v2 config and make security audit informational 2026-02-25 21:09:34 +03:00
pezkuwichain 535ab80740 fix(ci): update deny.toml to cargo-deny v2 format 2026-02-25 19:44:38 +03:00
pezkuwichain c55a371edb fix(ci): fix build failures and add security audit workflow 
- build-linux-stable: disable forklift GCS cache (RUSTC_WRAPPER="")
  that panics without GCP credentials on VPS runners
- prepare-bridges-zombienet-artifacts: fix bridges/testing path to
  pezbridges/testing (rebrand path was not updated in workflow)
- build-rustdoc: use CARGO_TARGET_DIR instead of ./target for doc
  output path (docs generated at /cache/target/doc, not ./target/doc)
- build-push-image-*: add workspace permission fix step before checkout
  to handle root-owned files left by Docker container jobs
- All build jobs: increase timeout from 120 to 180 minutes for VPS
- Add cargo-deny + cargo-audit security audit workflow (weekly + on PR)
- Add deny.toml with license, advisory, and source checks
 2026-02-25 19:39:47 +03:00