From cf6805a6819250f836d514a48f21bbf86dbb3868 Mon Sep 17 00:00:00 2001 From: zerosnacks Date: Mon, 15 Sep 2025 11:16:26 +0200 Subject: [PATCH 1/4] harden ci and clean up --- .github/scripts/install_test_binaries.sh | 51 -------------------- .github/workflows/ci.yml | 61 +++++++++++++++--------- 2 files changed, 39 insertions(+), 73 deletions(-) delete mode 100755 .github/scripts/install_test_binaries.sh diff --git a/.github/scripts/install_test_binaries.sh b/.github/scripts/install_test_binaries.sh deleted file mode 100755 index 39a1f86..0000000 --- a/.github/scripts/install_test_binaries.sh +++ /dev/null @@ -1,51 +0,0 @@ -#!/usr/bin/env bash -# Installs Solc and Geth binaries -# Note: intended for use only with CI (x86_64 Ubuntu, MacOS or Windows) -set -e - -GETH_BUILD=${GETH_BUILD:-"1.11.2-73b01f40"} - -BIN_DIR=${BIN_DIR:-"$HOME/bin"} - -PLATFORM="$(uname -s | awk '{print tolower($0)}')" -if [ "$PLATFORM" != "linux" ] && [ "$PLATFORM" != "darwin" ]; then - EXT=".exe" -fi - -main() { - mkdir -p "$BIN_DIR" - cd "$BIN_DIR" - export PATH="$BIN_DIR:$PATH" - if [ "$GITHUB_PATH" ]; then - echo "$BIN_DIR" >> "$GITHUB_PATH" - fi - - install_geth - - echo "" - echo "Installed Geth:" - geth version -} - -# Installs geth from https://geth.ethereum.org/downloads -install_geth() { - case "$PLATFORM" in - linux|darwin) - name="geth-$PLATFORM-amd64-$GETH_BUILD" - curl -s "https://gethstore.blob.core.windows.net/builds/$name.tar.gz" | tar -xzf - - mv -f "$name/geth" ./ - rm -rf "$name" - chmod +x geth - ;; - *) - name="geth-windows-amd64-$GETH_BUILD" - zip="$name.zip" - curl -so "$zip" "https://gethstore.blob.core.windows.net/builds/$zip" - unzip "$zip" - mv -f "$name/geth.exe" ./ - rm -rf "$name" "$zip" - ;; - esac -} - -main diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f9834e8..58af905 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,8 @@ name: CI +permissions: + contents: read + on: push: branches: [main] 
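Review bot: The new top-level `permissions:` block in the first ci.yml hunk has no comment stating its scope, and its interaction with job-level blocks is easy to misread. A job that declares its own `permissions:` map replaces this default rather than adding to it, so every scope not listed in that job becomes no-access. I would add above the block `# Default GITHUB_TOKEN scope for every job; a job-level permissions map replaces this one, it does not extend it`. That stops a later job-level grant from silently dropping `contents: read`.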
@@ -17,6 +20,8 @@ jobs: name: test ${{ matrix.rust }} ${{ matrix.flags }} runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + actions: write strategy: fail-fast: false matrix: @@ -27,20 +32,12 @@ jobs: - rust: "1.88" # MSRV flags: "--all-features" steps: - - uses: actions/checkout@v3 - - uses: dtolnay/rust-toolchain@master - with: - toolchain: ${{ matrix.rust }} - - name: Install Anvil - uses: foundry-rs/foundry-toolchain@v1 + - uses: actions/checkout@v5 with: - version: nightly - - name: Install test binaries - shell: bash - run: ./.github/scripts/install_test_binaries.sh - - uses: Swatinem/rust-cache@v2 + persist-credentials: false + - uses: dtolnay/rust-toolchain@stable with: - cache-on-failure: true + toolchain: ${{ matrix.rust }} # Only run tests on latest stable and above - name: Install cargo-nextest if: ${{ matrix.rust != '1.88' }} # MSRV @@ -55,8 +52,12 @@ jobs: doctest: runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + actions: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@stable - uses: Swatinem/rust-cache@v2 with: @@ -67,8 +68,12 @@ jobs: no-std: runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + actions: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v5 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@stable with: target: riscv32imac-unknown-none-elf @@ -82,8 +87,12 @@ jobs: feature-checks: runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + actions: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v5 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@stable - uses: taiki-e/install-action@cargo-hack - uses: Swatinem/rust-cache@v2 
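Review bot: The `uses:` lines in the test job's steps (hunk `@@ -27,20 +32,12 @@`) still reference actions by movable refs, `actions/checkout@v5` and `dtolnay/rust-toolchain@stable`, so the code that runs in CI can change without any commit to this repository. For a hardening pass, pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<FULL_COMMIT_SHA>  # v5` (placeholder; take the SHA from the upstream release). For `dtolnay/rust-toolchain` the ref also selects the default channel, so a SHA pin needs an explicit `toolchain:` input, which this job already passes. The same applies to the checkout and toolchain steps in the later hunks of this file, and to the unchanged `Swatinem/rust-cache@v2` and `taiki-e/install-action@cargo-hack` context lines. The steps list continues outside the hunk.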
@@ -95,24 +104,29 @@ jobs: clippy: runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + actions: write steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@master + - uses: actions/checkout@v5 with: - toolchain: stable - components: clippy + persist-credentials: false + - uses: dtolnay/rust-toolchain@clippy - uses: Swatinem/rust-cache@v2 with: cache-on-failure: true - - run: cargo +stable clippy --workspace --all-targets --all-features + - run: cargo clippy --workspace --all-targets --all-features env: RUSTFLAGS: -Dwarnings docs: runs-on: ubuntu-latest timeout-minutes: 30 + permissions: + actions: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v5 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@nightly - uses: Swatinem/rust-cache@v2 with: @@ -125,7 +139,9 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v5 + with: + persist-credentials: false - uses: dtolnay/rust-toolchain@nightly with: components: rustfmt @@ -137,6 +153,7 @@ jobs: ci-success: runs-on: ubuntu-latest if: always() + permissions: {} needs: - test - doctest From a989d695bfc9b1dd463670db1d8d7708dba47971 Mon Sep 17 00:00:00 2001 From: zerosnacks Date: Mon, 15 Sep 2025 11:46:28 +0200 Subject: [PATCH 2/4] drop no-std compatibility requirement in ci test, no source code change however --- .github/workflows/ci.yml | 19 ------------------- scripts/check_no_std.sh | 20 -------------------- 2 files changed, 39 deletions(-) delete mode 100755 scripts/check_no_std.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58af905..51d34bd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
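Review bot: The clippy job in hunk `@@ -95,24 +104,29 @@` no longer names its toolchain channel. The step `dtolnay/rust-toolchain@clippy` replaces the explicit `toolchain: stable`, and the run line drops `+stable`, so the compiler and lint set that gate the build under `RUSTFLAGS: -Dwarnings` now depend on what that ref installs, which this hunk does not show. If stable is still intended, say so next to the step, e.g. `# channel is chosen by the action ref; lints gate on that toolchain`, or restore the `toolchain:` input so a change of channel appears in review.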
@@ -65,25 +65,6 @@ jobs: - run: cargo test --workspace --doc - run: cargo test --all-features --workspace --doc - no-std: - runs-on: ubuntu-latest - timeout-minutes: 30 - permissions: - actions: write - steps: - - uses: actions/checkout@v5 - with: - persist-credentials: false - - uses: dtolnay/rust-toolchain@stable - with: - target: riscv32imac-unknown-none-elf - - uses: taiki-e/install-action@cargo-hack - - uses: Swatinem/rust-cache@v2 - with: - cache-on-failure: true - - name: check - run: ./scripts/check_no_std.sh - feature-checks: runs-on: ubuntu-latest timeout-minutes: 30 diff --git a/scripts/check_no_std.sh b/scripts/check_no_std.sh deleted file mode 100755 index eb5f1fa..0000000 --- a/scripts/check_no_std.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bash -set -eo pipefail - -no_std_packages=( -) - -for package in "${no_std_packages[@]}"; do - cmd="cargo +stable build -p $package --target riscv32imac-unknown-none-elf --no-default-features" - if [ -n "$CI" ]; then - echo "::group::$cmd" - else - printf "\n%s:\n %s\n" "$package" "$cmd" - fi - - $cmd - - if [ -n "$CI" ]; then - echo "::endgroup::" - fi -done From e7cde60881c5b6df14e2e33cf498d9ad1562f711 Mon Sep 17 00:00:00 2001 From: zerosnacks Date: Mon, 15 Sep 2025 11:46:45 +0200 Subject: [PATCH 3/4] fix --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 51d34bd..53041d7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -138,7 +138,6 @@ jobs: needs: - test - doctest - - no-std - feature-checks - clippy - docs From 65ca2569fdf1e746f800ac4ddf02931080781d59 Mon Sep 17 00:00:00 2001 From: zerosnacks Date: Mon, 15 Sep 2025 12:32:53 +0200 Subject: [PATCH 4/4] no actions: write required I think --- .github/workflows/ci.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 53041d7..1c68f92 100644 --- a/.github/workflows/ci.yml 
+++ b/.github/workflows/ci.yml @@ -20,8 +20,6 @@ jobs: name: test ${{ matrix.rust }} ${{ matrix.flags }} runs-on: ubuntu-latest timeout-minutes: 30 - permissions: - actions: write strategy: fail-fast: false matrix: @@ -52,8 +50,6 @@ jobs: doctest: runs-on: ubuntu-latest timeout-minutes: 30 - permissions: - actions: write steps: - uses: actions/checkout@v5 with: @@ -68,8 +64,6 @@ jobs: feature-checks: runs-on: ubuntu-latest timeout-minutes: 30 - permissions: - actions: write steps: - uses: actions/checkout@v5 with: @@ -85,8 +79,6 @@ jobs: clippy: runs-on: ubuntu-latest timeout-minutes: 30 - permissions: - actions: write steps: - uses: actions/checkout@v5 with: @@ -102,8 +94,6 @@ jobs: docs: runs-on: ubuntu-latest timeout-minutes: 30 - permissions: - actions: write steps: - uses: actions/checkout@v5 with: