Merge/upstream main 2025 08 28

.github/workflows/codeql.yml

@@ -0,0 +1,40 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '35 21 * * 4'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: rust
+          build-mode: none
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/pull-request.yaml

@@ -4,7 +4,7 @@ on:
   # We require PRs to be up to date before merging so technically it is not needed run the rust job
   # on main. However for the cache to be usable in PRs we do need the job on main.
   push:
-    branches: [main]
+    branches: [ main ]
 jobs:
   lint:
     timeout-minutes: 60
@@ -28,6 +28,25 @@ jobs:
           cargo clippy --version
       - run: cargo +nightly fmt --all -- --check
       - run: cargo clippy --locked --workspace --all-features --all-targets -- -D warnings
+
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run Trivy
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+        with:
+          scan-type: 'fs'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        with:
+          sarif_file: 'trivy-results.sarif'
 
   nitpicker:
     runs-on: ubuntu-latest
@@ -182,10 +201,6 @@ jobs:
           persist-credentials: false
       - run: rustup toolchain install stable --profile minimal
       - uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
-        with:
-          # the latest version introduced a bug caused driver tests to fail
-          # only switch back to latest stable version after it was fixed in anvil
-          version: v1.2.3
       - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0
       - uses: taiki-e/install-action@e4767ccc6762bc4347ef2275c75ea77f5f36e27f # nextest
       # Build the driver's tests.

.github/workflows/release.yml

@@ -16,7 +16,6 @@ jobs:
           fetch-depth: 0 # Fetch all history for all branches and tags
           # Requires "Read and Write access to code" permission
           token: ${{ secrets.RELEASE_ACTION_ACCESS_TOKEN }}
-          persist-credentials: false
 
       - name: Fetch latest release version tag
         id: fetch_tag

crates/autopilot/src/run.rs

@@ -114,7 +114,7 @@ async fn unbuffered_ethrpc(url: &Url) -> infra::blockchain::Rpc {
     .await
 }
 
-#[instrument(skip_all, fields(chain = ?chain))]
+#[instrument(skip_all)]
 async fn ethereum(
     web3: DynWeb3,
     unbuffered_web3: DynWeb3,
@@ -158,8 +158,8 @@ pub async fn start(args: impl Iterator<Item = String>) {
 pub async fn run(args: Arguments) {
     assert!(args.shadow.is_none(), "cannot run in shadow mode");
     // Start a new span that measures the initialization phase of the autopilot
-    let startup_span = info_span!("autopilot_startup", ?args.shared.node_url);
-    let startup_span = startup_span.enter();
+    let startup_span = info_span!("autopilot_startup");
+    let startup_span_guard = startup_span.enter();
 
     let db = Postgres::new(args.db_url.as_str(), args.insert_batch_size)
         .await
@@ -272,8 +272,6 @@ pub async fn run(args: Arguments) {
             &http_factory,
             &web3,
             args.shared.gas_estimators.as_slice(),
-            args.shared.blocknative_api_key.clone(),
-            args.shared.gas_estimation_driver_url.clone(),
         )
         .await
         .expect("failed to create gas price estimator"),
@@ -668,7 +666,7 @@ pub async fn run(args: Arguments) {
         Arc::new(maintenance),
         competition_updates_sender,
     );
-    drop(startup_span);
+    drop(startup_span_guard);
     run.run_forever().await;
 }