pezkuwi-sdk

Author	SHA1	Message	Date
pezkuwichain	a0607b420c	fix(security): add missing advisory ignores for cargo-audit + cargo-deny Re-add RUSTSEC-2023-0071 (rsa) and RUSTSEC-2025-0055 (tracing-subscriber) which were incorrectly removed — they are still in transitive deps. Add new advisories: - RUSTSEC-2026-0067 (tar symlink traversal) — no 0.4.x patch available - RUSTSEC-2026-0068 (tar link following) — no 0.4.x patch available	2026-03-28 15:47:09 +03:00
pezkuwichain	fd197ae78f	fix: presale benchmark missing args + security audit advisory cleanup - Fix refund_cancelled_presale benchmark: add missing start_index and batch_size arguments (0, 100) to match the 3-param extrinsic signature - Remove 3 stale RUSTSEC advisories from deny.toml and security-audit.yml (RUSTSEC-2023-0071, RUSTSEC-2025-0055, RUSTSEC-2026-0002 no longer in deps) - Add RUSTSEC-2026-0049 (rustls-webpki) to ignore lists (upstream kube/jsonrpsee haven't released compatible versions yet)	2026-03-27 09:34:47 +03:00
pezkuwichain	2fbe8da2cd	fix(security): add NCSA and CDLA-Permissive-2.0 licenses, disable fail-fast - Add NCSA and CDLA-Permissive-2.0 to allowed licenses in deny.toml (both are permissive open-source licenses used by transitive deps) - Set fail-fast: false on cargo-deny matrix so all checks run independently even if one fails	2026-03-05 03:28:41 +03:00
pezkuwichain	4f672222f7	fix(security): upgrade deps and enforce security audit workflow - Upgrade bytes 1.11.0 → 1.11.1 (RUSTSEC-2026-0007 integer overflow) - Upgrade time 0.3.46 → 0.3.47 (RUSTSEC-2026-0009 DoS stack exhaustion) - Upgrade git2 0.20.3 → 0.20.4 (RUSTSEC-2026-0008 undefined behavior) - Upgrade keccak 0.1.5 → 0.1.6 (RUSTSEC-2026-0012 unsoundness) - Add ignore rules in deny.toml for unfixable upstream advisories (wasmtime 37.x, rsa, tracing-subscriber 0.2.x, lru) - Remove continue-on-error from security-audit workflow — audit is now enforced and will block CI on new unignored vulnerabilities	2026-03-05 03:00:59 +03:00
dependabot[bot]	b3d2a1837c	chore(deps): bump the ci_dependencies group across 1 directory with 14 updates Bumps the ci_dependencies group with 14 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [actions/checkout](https://github.com/actions/checkout) \| `5.0.0` \| `6.0.2` \| \| [actions/upload-artifact](https://github.com/actions/upload-artifact) \| `4.3.1` \| `6.0.0` \| \| [actions/download-artifact](https://github.com/actions/download-artifact) \| `6.0.0` \| `7.0.0` \| \| [actions/create-github-app-token](https://github.com/actions/create-github-app-token) \| `2.1.4` \| `2.2.1` \| \| [docker/build-push-action](https://github.com/docker/build-push-action) \| `6.18.0` \| `6.19.2` \| \| [docker/login-action](https://github.com/docker/login-action) \| `3.6.0` \| `3.7.0` \| \| [actions/setup-node](https://github.com/actions/setup-node) \| `5.0.0` \| `6.2.0` \| \| [actions/cache](https://github.com/actions/cache) \| `4.3.0` \| `5.0.3` \| \| [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) \| `2.7.0` \| `2.8.0` \| \| [actions-rust-lang/setup-rust-toolchain](https://github.com/actions-rust-lang/setup-rust-toolchain) \| `1.13.0` \| `1.15.2` \| \| [Swatinem/rust-cache](https://github.com/swatinem/rust-cache) \| `2.7.8` \| `2.8.2` \| \| [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) \| `2.4.0` \| `3.2.0` \| \| [tj-actions/changed-files](https://github.com/tj-actions/changed-files) \| `47.0.0` \| `47.0.4` \| \| [codecov/codecov-action](https://github.com/codecov/codecov-action) \| `5.5.1` \| `5.5.2` \| Updates `actions/checkout` from 5.0.0 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/08c6903cd8c0fde910a37f88322edcfb5dd907a8...de0fac2e4500dabe0009e67214ff5f5447ce83dd) Updates `actions/upload-artifact` from 4.3.1 to 6.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v4.3.1...b7c566a772e6b6bfb58ed0dc250532a479d7789f) Updates `actions/download-artifact` from 6.0.0 to 7.0.0 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/018cc2cf5baa6db3ef3c5f8a56943fffe632ef53...37930b1c2abaa49bbe596cd826c3c89aef350131) Updates `actions/create-github-app-token` from 2.1.4 to 2.2.1 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](https://github.com/actions/create-github-app-token/compare/67018539274d69449ef7c02e8e71183d1719ab42...29824e69f54612133e76f7eaac726eef6c875baf) Updates `docker/build-push-action` from 6.18.0 to 6.19.2 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/263435318d21b8e681c14492fe198d362a7d2c83...10e90e3645eae34f1e60eeb005ba3a3d33f178e8) Updates `docker/login-action` from 3.6.0 to 3.7.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/5e57cd118135c172c3672efd75eb46360885c0ef...c94ce9fb468520275223c153574b00df6fe4bcc9) Updates `actions/setup-node` from 5.0.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/v5...6044e13b5dc448c55e2357c09f80417699197238) Updates `actions/cache` from 4.3.0 to 5.0.3 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/0057852bfaa89a56745cba8c7296529d2fc39830...cdf6c1fa76f9f475f3d7449005a359c84ca0f306) Updates `lycheeverse/lychee-action` from 2.7.0 to 2.8.0 - [Release notes](https://github.com/lycheeverse/lychee-action/releases) - [Commits](https://github.com/lycheeverse/lychee-action/compare/a8c4c7cb88f0c7386610c35eb25108e448569cb0...8646ba30535128ac92d33dfc9133794bfdd9b411) Updates `actions-rust-lang/setup-rust-toolchain` from 1.13.0 to 1.15.2 - [Release notes](https://github.com/actions-rust-lang/setup-rust-toolchain/releases) - [Changelog](https://github.com/actions-rust-lang/setup-rust-toolchain/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions-rust-lang/setup-rust-toolchain/compare/v1.13...1780873c7b576612439a134613cc4cc74ce5538c) Updates `Swatinem/rust-cache` from 2.7.8 to 2.8.2 - [Release notes](https://github.com/swatinem/rust-cache/releases) - [Changelog](https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md) - [Commits](https://github.com/swatinem/rust-cache/compare/v2.7.8...779680da715d629ac1d338a641029a2f4372abb5) Updates `actions/attest-build-provenance` from 2.4.0 to 3.2.0 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/v2.4.0...96278af6caaf10aea03fd8d33a09a777ca52d62f) Updates `tj-actions/changed-files` from 47.0.0 to 47.0.4 - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/24d32ffd492484c1d75e0c0b894501ddb9d30d62...7dee1b0c1557f278e5c7dc244927139d78c0e22a) Updates `codecov/codecov-action` from 5.5.1 to 5.5.2 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/5a1091511ad55cbe89839c7260b706298ca349f7...671740ac38dd9b0130fbe1cec585b89eea48d3de) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci_dependencies - dependency-name: actions/upload-artifact dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci_dependencies - dependency-name: actions/download-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci_dependencies - dependency-name: actions/create-github-app-token dependency-version: 2.2.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci_dependencies - dependency-name: docker/build-push-action dependency-version: 6.19.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci_dependencies - dependency-name: docker/login-action dependency-version: 3.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci_dependencies - dependency-name: actions/setup-node dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci_dependencies - dependency-name: actions/cache dependency-version: 5.0.3 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci_dependencies - dependency-name: lycheeverse/lychee-action dependency-version: 2.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci_dependencies - dependency-name: actions-rust-lang/setup-rust-toolchain dependency-version: 1.15.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci_dependencies - dependency-name: Swatinem/rust-cache dependency-version: 2.8.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci_dependencies - dependency-name: actions/attest-build-provenance dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ci_dependencies - dependency-name: tj-actions/changed-files dependency-version: 47.0.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci_dependencies - dependency-name: codecov/codecov-action dependency-version: 5.5.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci_dependencies ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-02 11:07:51 +00:00
pezkuwichain	f8c4bca688	fix(ci): fix Docker push permissions, macOS disk space, and audit summary overflow - build-publish-images: replace silent sudo chown failure (2>/dev/null \|\| true) with proper error handling and fallback cleanup for all 7 push jobs. Root cause: container build jobs create root-owned files, non-container push jobs on runner2 couldn't sudo chown without sudoers config. - tests-misc: add disk cleanup step to cargo-check-all-crate-macos job to free space before cargo check (remove Android SDK, old CLT SDKs, etc.) - security-audit: truncate cargo-audit output to 500 lines before writing to GITHUB_STEP_SUMMARY to avoid the 1MB size limit crash.	2026-03-02 13:58:38 +03:00
pezkuwichain	e5b3f453eb	fix(ci): fix cargo-deny v2 config and make security audit informational	2026-02-25 21:09:34 +03:00
pezkuwichain	c55a371edb	fix(ci): fix build failures and add security audit workflow - build-linux-stable: disable forklift GCS cache (RUSTC_WRAPPER="") that panics without GCP credentials on VPS runners - prepare-bridges-zombienet-artifacts: fix bridges/testing path to pezbridges/testing (rebrand path was not updated in workflow) - build-rustdoc: use CARGO_TARGET_DIR instead of ./target for doc output path (docs generated at /cache/target/doc, not ./target/doc) - build-push-image-*: add workspace permission fix step before checkout to handle root-owned files left by Docker container jobs - All build jobs: increase timeout from 120 to 180 minutes for VPS - Add cargo-deny + cargo-audit security audit workflow (weekly + on PR) - Add deny.toml with license, advisory, and source checks	2026-02-25 19:39:47 +03:00

8 Commits