Merge pull request #2861 from tnull/2024-01-introduce-cargo-audit

Introduce CI workflow running `cargo audit`

Author: TheBlueMatt

.github/workflows/audit.yml

@@ -0,0 +1,17 @@
+name: Security Audit
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      checks: write
+    steps:
+      - uses: actions/checkout@v3
+      - uses: rustsec/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

Cargo.toml

@@ -10,10 +10,10 @@ members = [
     "lightning-background-processor",
     "lightning-rapid-gossip-sync",
     "lightning-custom-message",
+    "lightning-transaction-sync",
 ]
 
 exclude = [
-    "lightning-transaction-sync",
     "no-std-check",
     "msrv-no-dev-deps-check",
     "bench",

README.md

@@ -4,8 +4,9 @@ Rust-Lightning
 [![Crate](https://img.shields.io/crates/v/lightning.svg?logo=rust)](https://crates.io/crates/lightning)
 [![Documentation](https://img.shields.io/static/v1?logo=read-the-docs&label=docs.rs&message=lightning&color=informational)](https://docs.rs/lightning/)
 [![Safety Dance](https://img.shields.io/badge/unsafe-forbidden-success.svg)](https://github.com/rust-secure-code/safety-dance/)
+[![Security Audit](https://github.com/lightningdevkit/rust-lightning/actions/workflows/audit.yml/badge.svg)](https://github.com/lightningdevkit/rust-lightning/actions/workflows/audit.yml)
 
-[LDK](https://lightningdevkit.org)/`rust-lightning` is a highly performant and flexible 
+[LDK](https://lightningdevkit.org)/`rust-lightning` is a highly performant and flexible
 implementation of the Lightning Network protocol.
 
 The primary crate, `lightning`, is runtime-agnostic. Data persistence, chain interactions,

ci/ci-tests.sh

@@ -63,8 +63,14 @@ PIN_RELEASE_DEPS # pin the release dependencies in our main workspace
 # The addr2line v0.21 crate (a dependency of `backtrace` starting with 0.3.69) relies on rustc 1.65
 [ "$RUSTC_MINOR_VERSION" -lt 65 ] && cargo update -p backtrace --precise "0.3.68" --verbose
 
+# Starting with version 0.5.9 (there is no .6-.8), the `home` crate has an MSRV of rustc 1.70.0.
+[ "$RUSTC_MINOR_VERSION" -lt 70 ] && cargo update -p home --precise "0.5.5" --verbose
+
 export RUST_BACKTRACE=1
 
+# Build `lightning-transaction-sync` in no_download mode.
+export RUSTFLAGS="$RUSTFLAGS --cfg no_download"
+
 echo -e "\n\nBuilding and testing all workspace crates..."
 cargo test --verbose --color always
 cargo check --verbose --color always
@@ -85,24 +91,16 @@ if [[ "$HOST_PLATFORM" != *windows* ]]; then
 	echo -e "\n\nBuilding and testing Transaction Sync Clients with features"
 	pushd lightning-transaction-sync
 
-	# reqwest 0.11.21 had a regression that broke its 1.63.0 MSRV
-	[ "$RUSTC_MINOR_VERSION" -lt 65 ] && cargo update -p reqwest --precise "0.11.20" --verbose
-	# Starting with version 1.10.0, the `regex` crate has an MSRV of rustc 1.65.0.
-	[ "$RUSTC_MINOR_VERSION" -lt 65 ] && cargo update -p regex --precise "1.9.6" --verbose
-	# Starting with version 0.5.9 (there is no .6-.8), the `home` crate has an MSRV of rustc 1.70.0.
-	[ "$RUSTC_MINOR_VERSION" -lt 70 ] && cargo update -p home --precise "0.5.5" --verbose
-
 	DOWNLOAD_ELECTRS_AND_BITCOIND
 
-	RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo test --verbose --color always --features esplora-blocking
-	RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo check --verbose --color always --features esplora-blocking
-	RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo test --verbose --color always --features esplora-async
-	RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo check --verbose --color always --features esplora-async
-	RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo test --verbose --color always --features esplora-async-https
-	RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo check --verbose --color always --features esplora-async-https
-	RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo test --verbose --color always --features electrum
-	RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo check --verbose --color always --features electrum
-
+	cargo test --verbose --color always --features esplora-blocking
+	cargo check --verbose --color always --features esplora-blocking
+	cargo test --verbose --color always --features esplora-async
+	cargo check --verbose --color always --features esplora-async
+	cargo test --verbose --color always --features esplora-async-https
+	cargo check --verbose --color always --features esplora-async-https
+	cargo test --verbose --color always --features electrum
+	cargo check --verbose --color always --features electrum
 	popd
 fi
 

lightning-transaction-sync/Cargo.toml

@@ -34,8 +34,8 @@ electrum-client = { version = "0.18.0", optional = true }
 lightning = { version = "0.0.121", path = "../lightning", default-features = false, features = ["std", "_test_utils"] }
 tokio = { version = "1.35.0", features = ["full"] }
 
-[target.'cfg(not(no_download))'.dev-dependencies]
+[target.'cfg(all(not(target_os = "windows"), not(no_download)))'.dev-dependencies]
 electrsd = { version = "0.26.0", default-features = false, features = ["legacy", "esplora_a33e97e1", "bitcoind_25_0"] }
 
-[target.'cfg(no_download)'.dev-dependencies]
+[target.'cfg(all(not(target_os = "windows"), no_download))'.dev-dependencies]
 electrsd = { version = "0.26.0", default-features = false, features = ["legacy"] }

lightning-transaction-sync/tests/integration_tests.rs

@@ -1,4 +1,4 @@
-#![cfg(any(feature = "esplora-blocking", feature = "esplora-async", feature = "electrum"))]
+#![cfg(all(not(target_os = "windows"), any(feature = "esplora-blocking", feature = "esplora-async", feature = "electrum")))]
 
 #[cfg(any(feature = "esplora-blocking", feature = "esplora-async"))]
 use lightning_transaction_sync::EsploraSyncClient;