
deps(client): update eventsource-client to fix CVE(s) #7811

Workflow file for this run

# CI workflow: lint and verification jobs, plus crate, image and binary publishing.
# NOTE(review): no workflow-level `permissions:` block is declared in this header,
# so a job without its own `permissions:` gets the repository's default
# GITHUB_TOKEN scopes. Consider declaring least-privilege defaults here.
name: CI

on:
  workflow_dispatch:
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - labeled
      - unlabeled
  release:
    types:
      - published

# One live run per pull request (or per ref for other events); a newer run
# cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always
  # Quoted so the version is never read as a number.
  RUST_VERSION: '1.75.0'
  NIGHTLY_RUST_VERSION: nightly-2023-10-29
  RUSTFLAGS: -D warnings
  REGISTRY: ghcr.io
  SEGMENT_DOWNLOAD_TIMEOUT_MINS: 2
  FUEL_ALWAYS_USE_WASM: true

jobs:
# Runs tarides/changelog-check-action against CHANGELOG.md.
# NOTE(review): the action is referenced by a movable tag (`@v2`); pinning it
# to a full commit SHA (<commit-sha>) keeps the executed code fixed.
check-changelog:
  name: Check Changelog
  runs-on: ubuntu-latest
  steps:
    - uses: tarides/changelog-check-action@v2
      with:
        changelog: CHANGELOG.md
# Formatting gate: installs the nightly toolchain named by NIGHTLY_RUST_VERSION
# and runs `cargo fmt` in check mode over the whole workspace.
rustfmt:
  runs-on: buildjet-4vcpu-ubuntu-2204
  steps:
    - uses: actions/checkout@v3
    - name: Install latest nightly
      # NOTE(review): `@master` is a moving ref; a full commit SHA
      # (<commit-sha>) would pin the toolchain installer.
      uses: dtolnay/rust-toolchain@master
      with:
        toolchain: ${{ env.NIGHTLY_RUST_VERSION }}
        components: rustfmt
    - name: Rustfmt check
      run: cargo +${{ env.NIGHTLY_RUST_VERSION }} fmt --all -- --check
# Checks ordering (cargo-sort) and formatting (prettier + TOML plugin) of the
# Cargo.toml files, then reports to Slack for runs on master.
# NOTE(review): `cargo binstall cargo-sort` and `npm install prettier
# prettier-plugin-toml` fetch whatever version is current at run time; pinning
# explicit versions would make this job reproducible and narrow the
# supply-chain surface.
lint-toml-files:
  runs-on: buildjet-4vcpu-ubuntu-2204
  steps:
    - uses: actions/checkout@v3
    - uses: dtolnay/rust-toolchain@master
      with:
        toolchain: ${{ env.RUST_VERSION }}
    - name: setup binstall
      uses: taiki-e/install-action@cargo-binstall
    - name: Install Cargo.toml linter
      run: cargo binstall --no-confirm cargo-sort
    - name: Run Cargo.toml sort check
      run: cargo sort -w --check
    - name: Install Prettier and TOML Plugin
      run: |
        # prettier has issues with global installation and plugin discovery. The temporary `package.json` created by `npm init -y` is a workaround.
        npm init -y > /dev/null 2>&1
        npm install prettier prettier-plugin-toml
    - name: Check format of Cargo.toml files
      # On failure the files are rewritten locally only so the required diff
      # can be printed; the step still exits non-zero.
      run: |
        if ! npx prettier --check "**/Cargo.toml"; then
          npx prettier --write "**/Cargo.toml" > /dev/null 2>&1
          echo "Changes required:"
          git --no-pager diff
          exit 1
        fi
    - uses: FuelLabs/.github/.github/actions/slack-notify-template@master
      # Runs even after a failed step, but only for the master branch.
      if: always() && github.ref == 'refs/heads/master'
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        slack_webhook: ${{ secrets.SLACK_WEBHOOK_NOTIFY_BUILD }}
# Dependency-tree guard: runs the repository's verify_openssl.sh script and
# reports to Slack for runs on master.
prevent-openssl:
  runs-on: buildjet-4vcpu-ubuntu-2204
  steps:
    - uses: actions/checkout@v3
    # ensure openssl hasn't crept into the dep tree
    - name: Check if openssl is included
      run: ./.github/workflows/scripts/verify_openssl.sh
    - uses: FuelLabs/.github/.github/actions/slack-notify-template@master
      # Runs even after a failed step, but only for the master branch.
      if: always() && github.ref == 'refs/heads/master'
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        slack_webhook: ${{ secrets.SLACK_WEBHOOK_NOTIFY_BUILD }}
# Matrix of cargo invocations (clippy, check, doc, make, test, build) that runs
# after the lint jobs. Each entry becomes `cargo <command> <args>`.
# The matrix values are static strings defined in this file, so splicing them
# into the `run:` line below does not involve event-controlled input.
cargo-verifications:
  needs:
    - lint-toml-files
    - prevent-openssl
    - rustfmt
    - check-changelog
  runs-on: buildjet-4vcpu-ubuntu-2204
  env:
    RUSTFLAGS: -D warnings
  strategy:
    matrix:
      include:
        - command: clippy
          args: -p fuel-core-wasm-executor --target wasm32-unknown-unknown --no-default-features
        - command: clippy
          args: --all-targets --all-features
        - command: check
          args: --all-targets
        - command: doc
          args: --all-features --workspace --no-deps
        - command: make
          args: check --locked
        - command: test
          args: --workspace
        - command: test
          args: --all-features --workspace
        - command: test
          args: -p fuel-core --no-default-features
        - command: test
          args: -p fuel-core-client --no-default-features
        - command: test
          args: -p fuel-core-chain-config --no-default-features
        # Don't split this command; this is a workaround.
        # We need to run `cargo check` first to fetch the locked dependencies
        # for `fuel-core 0.26.0`(because of the bug with `--offline`
        # and `--locked` when we build `fuel-core-wasm-executor 0.26.0`).
        - command: check
          args: --manifest-path version-compatibility/Cargo.toml --workspace && cargo test --manifest-path version-compatibility/Cargo.toml --workspace
        - command: build
          args: -p fuel-core-bin --no-default-features --features production
        # WASM compatibility checks
        - command: check
          args: -p fuel-core-types --target wasm32-unknown-unknown --no-default-features
        - command: check
          args: -p fuel-core-storage --target wasm32-unknown-unknown --no-default-features
        - command: check
          args: -p fuel-core-client --target wasm32-unknown-unknown --no-default-features
        - command: check
          args: -p fuel-core-chain-config --target wasm32-unknown-unknown --no-default-features
        - command: check
          args: -p fuel-core-executor --target wasm32-unknown-unknown --no-default-features
  # disallow any job that takes longer than 45 minutes
  timeout-minutes: 45
  # No matrix entry above sets `skip-error`, so this evaluates to false for all of them.
  continue-on-error: ${{ matrix.skip-error || false }}
  steps:
    - uses: actions/checkout@v3
    - uses: dtolnay/rust-toolchain@master
      with:
        toolchain: ${{ env.RUST_VERSION }}
        targets: "wasm32-unknown-unknown"
        components: "clippy"
    - name: Install Cargo Make
      uses: davidB/rust-cargo-make@v1
      with:
        version: "0.36.4"
    - uses: rui314/setup-mold@v1
    - uses: buildjet/cache@v3
      with:
        path: |
          ~/.cargo/bin/
          ~/.cargo/registry/index/
          ~/.cargo/registry/cache/
          ~/.cargo/git/db/
          target/
        # Keyed per matrix entry, runner OS and Cargo.lock contents.
        key: ${{ matrix.command }}-${{ matrix.args }}-${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
    - name: ${{ matrix.command }} ${{ matrix.args }}
      run: cargo ${{ matrix.command }} ${{ matrix.args }}
    - uses: FuelLabs/.github/.github/actions/slack-notify-template@master
      # Runs even after a failed step, but only for the master branch.
      if: always() && github.ref == 'refs/heads/master'
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        slack_webhook: ${{ secrets.SLACK_WEBHOOK_NOTIFY_BUILD }}
      # NOTE(review): indentation was lost in this listing. This `env` is placed
      # on the notify step because the job already declares `env` above —
      # confirm against the repository file.
      env:
        RUSTFLAGS: -D warnings
# Dry-run of crate publishing; no registry token is passed to the action here.
publish-crates-check:
  runs-on: buildjet-4vcpu-ubuntu-2204
  steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    - uses: dtolnay/rust-toolchain@master
      with:
        toolchain: ${{ env.RUST_VERSION }}
        targets: "wasm32-unknown-unknown"
    - name: Publish crate check
      uses: xgreenx/publish-crates@v1
      with:
        dry-run: true
        check-repo: false
        ignore-unpublished-changes: true
# Aggregation point: succeeds only after cargo-verifications and
# publish-crates-check, so later jobs can depend on this single job.
verifications-complete:
  needs:
    - cargo-verifications
    - publish-crates-check
  runs-on: buildjet-4vcpu-ubuntu-2204
  steps:
    - run: echo "pass"
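# Release-only job: downloads the dasel binary and runs verify_tag.sh with the
# release tag name and Cargo.toml.
verify-tag-version:
  # Only do this job if publishing a release
  if: github.event_name == 'release' && github.event.action == 'published'
  runs-on: buildjet-4vcpu-ubuntu-2204
  steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    - name: Verify tag version
      env:
        # Hand the tag name to the shell as data rather than splicing the
        # expression into the script text, where it would be parsed as shell.
        REF_NAME: ${{ github.ref_name }}
      run: |
        # TODO: Automate running `verify_tag` only for "publish = true" crates
        # NOTE(review): the binary is downloaded and made executable without an
        # integrity check; compare it against a pinned SHA-256
        # (<expected-sha256>) before installing it.
        curl -sSLf "https://github.com/TomWright/dasel/releases/download/v1.24.3/dasel_linux_amd64" -L -o dasel && chmod +x dasel
        mv ./dasel /usr/local/bin/dasel
        ./.github/workflows/scripts/verify_tag.sh "$REF_NAME" Cargo.toml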
# Release-only job: publishes the crates once the tag check and all
# verifications have passed, then always reports to Slack.
# NOTE(review): CARGO_REGISTRY_TOKEN is handed to a third-party action
# referenced by a movable tag (`@v1`), and the toolchain action tracks
# `@master`. Pinning both to full commit SHAs (<commit-sha>) fixes the code
# that runs with the publishing credential.
publish-crates:
  # Only do this job if publishing a release
  needs:
    - verify-tag-version
    - verifications-complete
  if: github.event_name == 'release' && github.event.action == 'published'
  runs-on: buildjet-4vcpu-ubuntu-2204
  steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    - name: Install toolchain
      uses: dtolnay/rust-toolchain@master
      with:
        toolchain: ${{ env.RUST_VERSION }}
        targets: "wasm32-unknown-unknown"
    - name: Publish crate
      uses: xgreenx/publish-crates@v1
      with:
        publish-delay: 60000
        registry-token: ${{ secrets.CARGO_REGISTRY_TOKEN }}
    - uses: FuelLabs/.github/.github/actions/slack-notify-template@master
      # Runs whether or not publishing succeeded.
      if: always()
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        slack_webhook: ${{ secrets.SLACK_WEBHOOK_NOTIFY_BUILD }}
# Builds the multi-arch fuel-core image and pushes it to ghcr.io.
# NOTE(review): this job has no `if:`, so as far as this listing shows it runs
# for every trigger of the workflow (pull_request included) with
# `packages: write`. It pushes images and rewrites the shared
# `fuel-core-build-cache:latest` ref that later builds read from. Confirm this
# is intended, or scope the cache ref per branch or event.
publish-docker-image:
  needs:
    - verifications-complete
  runs-on: buildjet-4vcpu-ubuntu-2204
  # Job-scoped token: read the repository, write packages.
  permissions:
    contents: read
    packages: write
  steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    - name: Docker meta
      id: meta
      uses: docker/metadata-action@v3
      with:
        images: |
          ghcr.io/fuellabs/fuel-core
        tags: |
          type=sha
          type=ref,event=branch
          type=ref,event=tag
          type=semver,pattern={{raw}}
          type=raw,value=sha-{{sha}}-{{date 'YYYYMMDDhhmmss'}}
        # `latest` is applied only for builds of master.
        flavor: |
          latest=${{ github.ref == 'refs/heads/master' }}
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v1
    - name: Log in to the ghcr.io registry
      uses: docker/login-action@v1
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Log in to the docker.io registry
      uses: docker/login-action@v2
      with:
        username: fuellabs
        password: ${{ secrets.DOCKER_IO_READ_ONLY_TOKEN }}
    - name: Build and push the image to ghcr.io
      uses: docker/build-push-action@v4
      with:
        context: .
        platforms: linux/amd64,linux/arm64
        file: deployment/Dockerfile
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=registry,ref=ghcr.io/fuellabs/fuel-core-build-cache:latest
        cache-to: type=registry,ref=ghcr.io/fuellabs/fuel-core-build-cache:latest,mode=max
# duplicate of publish-docker-image, but with profiling features enabled
# this is split into a separate action since it takes longer to build
# NOTE(review): like the job it duplicates, this one has no `if:` and writes to
# a fixed `...-debug-build-cache:latest` ref on every run. Confirm that
# pull_request runs are meant to update the cache used by later builds.
publish-docker-image-profiling:
  needs:
    - verifications-complete
  runs-on: buildjet-16vcpu-ubuntu-2204
  # Job-scoped token: read the repository, write packages.
  permissions:
    contents: read
    packages: write
  steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    - name: Docker meta
      id: meta
      uses: docker/metadata-action@v3
      with:
        images: |
          ghcr.io/fuellabs/fuel-core-debug
        tags: |
          type=sha
          type=ref,event=branch
          type=ref,event=tag
          type=semver,pattern={{raw}}
          type=raw,value=sha-{{sha}}-{{date 'YYYYMMDDhhmmss'}}
        # `latest` is applied only for builds of master.
        flavor: |
          latest=${{ github.ref == 'refs/heads/master' }}
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v1
    - name: Log in to the ghcr.io registry
      uses: docker/login-action@v1
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Build and push the image to ghcr.io
      uses: docker/build-push-action@v2
      with:
        context: .
        file: deployment/Dockerfile
        # The only build-time difference from the regular image job.
        build-args: "DEBUG_SYMBOLS=true"
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=registry,ref=ghcr.io/fuellabs/fuel-core-debug-build-cache:latest
        cache-to: type=registry,ref=ghcr.io/fuellabs/fuel-core-debug-build-cache:latest,mode=max
    - uses: FuelLabs/.github/.github/actions/slack-notify-template@master
      # Runs even after a failed step, for master or any tag ref.
      if: always() && (github.ref == 'refs/heads/master' || github.ref_type == 'tag')
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        slack_webhook: ${{ secrets.SLACK_WEBHOOK_NOTIFY_BUILD }}
# Builds the e2e client image from deployment/e2e-client.Dockerfile and pushes
# it to ghcr.io.
# NOTE(review): no `if:` on this job, and the registry cache ref is fixed at
# `fuel-core-e2e-build-cache:latest`. Confirm that runs for pull_request events
# are meant to push images and update that shared cache.
publish-e2e-client-docker-image:
  needs:
    - verifications-complete
  runs-on: buildjet-4vcpu-ubuntu-2204
  # Job-scoped token: read the repository, write packages.
  permissions:
    contents: read
    packages: write
  steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    - name: Docker meta
      id: meta
      uses: docker/metadata-action@v3
      with:
        images: |
          ghcr.io/fuellabs/fuel-core-e2e-client
        tags: |
          type=sha
          type=ref,event=branch
          type=ref,event=tag
          type=semver,pattern={{raw}}
          type=raw,value=sha-{{sha}}-{{date 'YYYYMMDDhhmmss'}}
        # `latest` is applied only for builds of master.
        flavor: |
          latest=${{ github.ref == 'refs/heads/master' }}
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v1
    - name: Log in to the ghcr.io registry
      uses: docker/login-action@v1
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Log in to the docker.io registry
      uses: docker/login-action@v2
      with:
        username: fuellabs
        password: ${{ secrets.DOCKER_IO_READ_ONLY_TOKEN }}
    - name: Build and push the image to ghcr.io
      uses: docker/build-push-action@v2
      with:
        context: .
        file: deployment/e2e-client.Dockerfile
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=registry,ref=ghcr.io/fuellabs/fuel-core-e2e-build-cache:latest
        cache-to: type=registry,ref=ghcr.io/fuellabs/fuel-core-e2e-build-cache:latest,mode=max
    - uses: FuelLabs/.github/.github/actions/slack-notify-template@master
      # Runs even after a failed step, for master or any tag ref.
      if: always() && (github.ref == 'refs/heads/master' || github.ref_type == 'tag')
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        slack_webhook: ${{ secrets.SLACK_WEBHOOK_NOTIFY_BUILD }}
# Release-only job: cross-builds fuel-core and fuel-core-keygen for four
# targets, strips the binaries, bundles them with the wasm executor into a
# .tar.gz and uploads that archive to the GitHub release.
# NOTE(review): as far as this job shows, no checksum or signature is produced
# next to the uploaded archive; publishing a SHA-256 file (or a signature)
# would let consumers verify the release assets.
# NOTE(review): `continue-on-error: true` means a failed target does not fail
# the workflow run, so a release can end up without some binaries.
publish-fuel-core-binary:
  name: Release fuel-core binaries
  runs-on: ${{ matrix.job.os }}
  # Only do this job if publishing a release
  needs:
    - verify-tag-version
    - verifications-complete
  if: github.event_name == 'release' && github.event.action == 'published'
  continue-on-error: true
  strategy:
    fail-fast: false
    matrix:
      job:
        - os: buildjet-4vcpu-ubuntu-2204
          platform: linux
          target: x86_64-unknown-linux-gnu
          cross_image: x86_64-linux-gnu
        - os: buildjet-4vcpu-ubuntu-2204
          platform: linux-arm
          target: aarch64-unknown-linux-gnu
          cross_image: aarch64-linux-gnu
        # The macOS entries define no `cross_image`, so steps gated on it are skipped.
        - os: macos-latest
          platform: darwin
          target: x86_64-apple-darwin
        - os: macos-latest
          platform: darwin-arm
          target: aarch64-apple-darwin
  steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    - name: Set up Docker Buildx
      if: matrix.job.cross_image
      uses: docker/setup-buildx-action@v1
    - name: Log in to the ghcr.io registry
      if: matrix.job.os == 'buildjet-4vcpu-ubuntu-2204'
      uses: docker/login-action@v1
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Log in to the docker.io registry
      if: matrix.job.os == 'buildjet-4vcpu-ubuntu-2204'
      uses: docker/login-action@v2
      with:
        username: fuellabs
        password: ${{ secrets.DOCKER_IO_READ_ONLY_TOKEN }}
    - name: Setup custom cross env ${{ matrix.job.cross_image }}
      if: matrix.job.cross_image
      uses: docker/build-push-action@v2
      with:
        context: ci
        file: ci/Dockerfile.${{ matrix.job.target }}-clang
        tags: ${{ matrix.job.cross_image }}:latest
        # Loaded into the local Docker daemon rather than pushed.
        load: true
        cache-from: type=registry,ref=ghcr.io/fuellabs/${{ matrix.job.cross_image }}-build-cache:latest
        cache-to: type=registry,ref=ghcr.io/fuellabs/${{ matrix.job.cross_image }}-build-cache:latest,mode=max
    - name: Install packages (macOS)
      if: matrix.job.os == 'macos-latest'
      run: |
        ci/macos-install-packages.sh
    - name: Install toolchain
      uses: dtolnay/rust-toolchain@master
      with:
        toolchain: ${{ env.RUST_VERSION }}
        target: ${{ matrix.job.target }},"wasm32-unknown-unknown"
    - name: Install cross
      uses: baptiste0928/cargo-install@v1
      with:
        crate: cross
        cache-key: '${{ matrix.job.target }}'
    - name: Build fuel-core and fuel-core-keygen
      run: |
        cross build --profile=release --target ${{ matrix.job.target }} --no-default-features --features "production" -p fuel-core-bin
        cross build --profile=release --target ${{ matrix.job.target }} -p fuel-core-keygen-bin
    - name: Strip release binary linux x86_64
      if: matrix.job.platform == 'linux'
      run: |
        strip "target/${{ matrix.job.target }}/release/fuel-core"
        strip "target/${{ matrix.job.target }}/release/fuel-core-keygen"
    - name: Strip release binary aarch64-linux-gnu
      if: matrix.job.target == 'aarch64-unknown-linux-gnu'
      # Uses the strip tool inside the locally loaded cross image.
      run: |
        docker run --rm -v \
        "$PWD/target:/target:Z" \
        aarch64-linux-gnu:latest \
        aarch64-linux-gnu-strip \
        /target/aarch64-unknown-linux-gnu/release/fuel-core
        docker run --rm -v \
        "$PWD/target:/target:Z" \
        aarch64-linux-gnu:latest \
        aarch64-linux-gnu-strip \
        /target/aarch64-unknown-linux-gnu/release/fuel-core-keygen
    - name: Strip release binary mac
      if: matrix.job.os == 'macos-latest'
      run: |
        strip -x "target/${{ matrix.job.target }}/release/fuel-core"
        strip -x "target/${{ matrix.job.target }}/release/fuel-core-keygen"
    - name: Prepare Binary Artifact
      env:
        PLATFORM_NAME: ${{ matrix.job.platform }}
        TARGET: ${{ matrix.job.target }}
      # The version is derived from the GITHUB_REF shell variable. The spliced
      # `${{ ... }}` values come from the static matrix above.
      run: |
        # trim refs/tags/ prefix
        FUEL_CORE_VERSION="${GITHUB_REF#refs/tags/}"
        # optionally trim v from tag prefix
        FUEL_CORE_VERSION="${FUEL_CORE_VERSION#v}"
        echo "version is: $FUEL_CORE_VERSION"
        # setup artifact filename
        ARTIFACT="fuel-core-$FUEL_CORE_VERSION-${{ env.TARGET }}"
        ZIP_FILE_NAME="$ARTIFACT.tar.gz"
        echo "ZIP_FILE_NAME=$ZIP_FILE_NAME" >> $GITHUB_ENV
        # create zip file
        mkdir -pv "$ARTIFACT"
        cp "target/${{ matrix.job.target }}/release/fuel-core" "$ARTIFACT"
        cp "target/${{ matrix.job.target }}/release/fuel-core-keygen" "$ARTIFACT"
        cp "target/${{ matrix.job.target }}/release/fuel-core-upgradable-executor-cache/wasm32-unknown-unknown/release/fuel-core-wasm-executor.wasm" "$ARTIFACT"
        tar -czvf "$ZIP_FILE_NAME" "$ARTIFACT"
    - name: Upload Binary Artifact
      uses: actions/upload-release-asset@v1
      env:
        GITHUB_TOKEN: ${{ github.token }}
      with:
        upload_url: ${{ github.event.release.upload_url }}
        asset_path: ./${{ env.ZIP_FILE_NAME }}
        asset_name: ${{ env.ZIP_FILE_NAME }}
        asset_content_type: application/gzip
    - uses: FuelLabs/.github/.github/actions/slack-notify-template@master
      # Runs even after a failed step, for master or tag refs, on non-macOS runners only.
      if: always() && (github.ref == 'refs/heads/master' || github.ref_type == 'tag') && matrix.job.os != 'macos-latest'
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        slack_webhook: ${{ secrets.SLACK_WEBHOOK_NOTIFY_BUILD }}
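# Deploy Fuel Core Ephemeral Developer Environment
# Runs for pull requests whose head branch starts with `preview/`. It derives
# the image tag and namespace, then dispatches the deployment workflow in
# FuelLabs/fuel-deployment.
# NOTE(review): REPO_TOKEN is handed to a third-party action referenced by a
# movable tag (`@v1`); pinning it to a full commit SHA (<commit-sha>) fixes the
# code that receives the token.
deploy-eph-env:
  if: startsWith(github.head_ref, 'preview/')
  needs:
    - publish-docker-image
  runs-on: buildjet-4vcpu-ubuntu-2204
  steps:
    - name: Set Environment Variables
      run: |
        short_sha="$(printf '%s' "$GITHUB_SHA" | cut -c1-7)"
        # Everything after the 8-character `preview/` prefix.
        namespace="$(printf '%s' "$GITHUB_HEAD_REF" | cut -c 9-)"
        # The branch name is chosen by the PR author and is later spliced into
        # the JSON `inputs` string of the dispatch step, so accept only a
        # conservative character set before exporting it.
        if ! printf '%s' "$namespace" | grep -Eq '^[A-Za-z0-9._/-]+$'; then
          echo "Refusing to deploy: namespace derived from the branch name contains unexpected characters" >&2
          exit 1
        fi
        {
          echo "IMAGE_TAG=sha-$short_sha"
          echo "DEPLOYMENT_VERSION=$GITHUB_SHA"
          echo "NAMESPACE=$namespace"
        } >> "$GITHUB_ENV"
    - name: Deploy Fuel Core Ephemeral Developer Environment
      uses: benc-uk/workflow-dispatch@v1
      with:
        workflow: Deploy Fuel-Core on k8s
        repo: FuelLabs/fuel-deployment
        ref: refs/heads/master
        token: ${{ secrets.REPO_TOKEN }}
        inputs: '{ "k8s-type": "${{ env.K8S }}", "config-directory": "${{ env.CONFIG }}", "config-env": "${{ env.ENV }}", "deployment-version": "${{ env.DEPLOYMENT_VERSION }}", "image-tag": "${{ env.IMAGE_TAG }}", "namespace": "${{ env.NAMESPACE }}", "delete-infra": "${{ env.DELETE_INFRA }}" }'
      env:
        K8S: 'eks'
        CONFIG: 'fuel-dev1'
        ENV: 'fueldevsway.env'
        DELETE_INFRA: true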
# Dependency advisory scan via actions-rs/audit-check.
# NOTE(review): `continue-on-error: true` is set and no job in this listing
# names cargo-audit in its `needs:`, so audit findings do not fail the run or
# gate publishing. Confirm advisories are surfaced and triaged elsewhere.
# NOTE(review): actions-rs/audit-check appears to be unmaintained upstream;
# confirm, and consider a maintained alternative pinned to a commit SHA.
cargo-audit:
  runs-on: ubuntu-latest
  continue-on-error: true
  steps:
    - uses: actions/checkout@v3
    - uses: actions-rs/audit-check@v1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}