Merge branch 'main' of github.com:subspace/subspace into operator-sto…

…rage-fee

.github/workflows/chain-spec-snapshot-build.yml

@@ -28,21 +28,23 @@ jobs:
 
       - name: Generate testnet chain specifications
         run: |
-          docker run --rm -u root ${{ steps.build.outputs.digest }} build-spec --chain gemini-3g-compiled --disable-default-bootnode > chain-spec-gemini-3g.json
-          docker run --rm -u root ${{ steps.build.outputs.digest }} build-spec --chain gemini-3g-compiled --disable-default-bootnode --raw > chain-spec-raw-gemini-3g.json
+          docker run --rm -u root ${{ steps.build.outputs.digest }} build-spec --chain gemini-3h-compiled --disable-default-bootnode > chain-spec-gemini-3h.json
+          docker run --rm -u root ${{ steps.build.outputs.digest }} build-spec --chain gemini-3h-compiled --disable-default-bootnode --raw > chain-spec-raw-gemini-3h.json
 
       - name: Upload chain specifications to artifacts
         uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # @v3.1.1
         with:
           name: chain-specifications
           path: |
-            chain-spec-gemini-3g.json
-            chain-spec-raw-gemini-3g.json
+            chain-spec-gemini-3h.json
+            chain-spec-raw-gemini-3h.json
           if-no-files-found: error
 
       - name: Upload chain specifications to assets
         uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93 # @0.4.0
         env:
           GITHUB_TOKEN: ${{ github.token }}
         with:
-          asset_paths: '["chain-spec-gemini-3g.json", "chain-spec-raw-gemini-3g.json"]'
+          asset_paths: '["chain-spec-gemini-3h.json", "chain-spec-raw-gemini-3h.json"]'
+        # Only run for releases
+        if: github.event_name == 'push' && github.ref_type == 'tag'

.github/workflows/rustsec-audit.yml

@@ -0,0 +1,22 @@
+##
+# This GitHub Action is using cargo-audit to perform an audit for crates with security vulnerabilities.
+# https://github.com/rustsec/audit-check
+##
+
+name: Rustsec Cargo Audit
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+  schedule:
+    - cron: "40 13 * * 0"
+jobs:
+  security_audit:
+    runs-on: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || '"ubuntu-22.04"') }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: rustsec/audit-check@dd51754d4e59da7395a4cd9b593f0ff2d61a9b95 #v1.4.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/snapshot-build.yml

@@ -39,6 +39,7 @@ jobs:
             dockerfile-suffix: ".aarch64"
             suffix: ubuntu-aarch64-${{ github.ref_name }}
             image-suffix: "-aarch64"
+      fail-fast: false
 
     steps:
       - name: Set up QEMU
@@ -80,6 +81,13 @@ jobs:
             SUBSTRATE_CLI_GIT_COMMIT_HASH=${{ github.sha }}
             RUSTFLAGS=${{ matrix.platform.rustflags }}
 
+      - name: Trigger trivy-security-scan Workflow
+        uses: peter-evans/repository-dispatch@a4a90276d01e3a2ae44fa10a0247287f045afd59 # @v2.1.2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          event-type: trivy-scan-dispatch
+          client-payload: '{"sha": "${{ github.sha }}"}'
+
   executables:
     strategy:
       matrix:
@@ -116,6 +124,7 @@ jobs:
             target: x86_64-pc-windows-msvc
             suffix: windows-x86_64-v2-${{ github.ref_name }}
             rustflags: "-C target-cpu=x86-64-v2 -C target-feature=+aes"
+      fail-fast: false
     runs-on: ${{ matrix.build.os }}
     env:
       PRODUCTION_TARGET: target/${{ matrix.build.target }}/production
@@ -176,7 +185,7 @@ jobs:
             gcc-aarch64-linux-gnu \
             libc6-dev-arm64-cross \
             zlib1g-dev:arm64
-          
+
           echo "PKG_CONFIG_ALLOW_CROSS=true" >> $GITHUB_ENV
         if: matrix.build.target == 'aarch64-unknown-linux-gnu'
 

.github/workflows/trivy-security-scan.yml

@@ -0,0 +1,60 @@
+##
+# This action runs trivy container and repository vulnerability
+# scanner for docker images and cargo packages.
+##
+
+name: trivy-security-scan
+
+on:
+  repository_dispatch:
+    types: [trivy-scan-dispatch]
+
+jobs:
+  trivy_scan_image:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image:
+          - farmer
+          - node
+          - bootstrap-node
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # @v3.1.0
+
+      - name: Run Trivy vulnerability scanner on image
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # @v0.16.1
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}:sha-${{ github.event.client_payload.sha }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # @v2.23.1
+        with:
+          sarif_file: "trivy-results.sarif"
+
+  trivy_scan_repo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # @v3.1.0
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # @v0.16.1
+        with:
+          scan-type: fs
+          ignore-unfixed: true
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # @v2.23.1
+        with:
+          sarif_file: trivy-results.sarif