security: Rate limit GetAddr responses #1406
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow checks that Zebra's crates.io release script works. | |
# | |
# We use a separate action, because the changed files are different to a Continuous Deployment | |
# or Docker release. | |
# | |
# This workflow is triggered when: | |
# - A PR that changes Rust files, a README, or this workflow is opened or updated | |
# - A change is pushed to the main branch | |
# | |
# TODO: | |
# If we decide to automate crates.io releases, we can also publish crates using this workflow, when: | |
# - A release is published | |
# - A pre-release is changed to a release | |
name: Release crates | |
# Ensures that only one workflow task will run at a time. Previous releases, if | |
# already in process, won't get cancelled. Instead, we let the first release complete, | |
# then queue the latest pending workflow, cancelling any workflows in between. | |
# | |
# Since the different event types do very different things (test vs release), | |
# we can run different event types concurrently. | |
# | |
# For pull requests, we only run the tests from this workflow, and don't do any releases. | |
# So an in-progress pull request gets cancelled, just like other tests. | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }} | |
cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
on: | |
# disabled for now | |
# release: | |
# types: | |
# - released | |
# Only runs the release tests, doesn't release any crates. | |
# | |
# We test all changes on the main branch, just in case the PR paths are too strict. | |
push: | |
branches: | |
- main | |
pull_request: | |
paths: | |
# code and tests | |
- '**/*.rs' | |
# hard-coded checkpoints (and proptest regressions, which are not actually needed) | |
- '**/*.txt' | |
# dependencies | |
- '**/Cargo.toml' | |
- '**/Cargo.lock' | |
# configuration files | |
- '.cargo/config.toml' | |
- '**/clippy.toml' | |
# READMEs, which are shown on the crate page | |
- '**/README.md' | |
# workflow definitions | |
- '.github/workflows/release-crates.io.yml' | |
jobs: | |
# Test that Zebra can be released to crates.io using `cargo`. | |
# This checks that Zebra's dependencies and release configs are correct. | |
check-release: | |
name: Check crate release dry run | |
timeout-minutes: 15 | |
runs-on: ubuntu-latest | |
steps: | |
- uses: r7kamura/[email protected] | |
- name: Checkout git repository | |
uses: actions/[email protected] | |
with: | |
persist-credentials: false | |
- name: Inject slug/short variables | |
uses: rlespinasse/github-slug-action@v4 | |
with: | |
short-length: 7 | |
# Setup Rust with stable toolchain and minimal profile | |
- name: Setup Rust | |
run: | | |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain=stable --profile=minimal | |
- name: Install cargo-release | |
uses: baptiste0928/[email protected] | |
with: | |
crate: cargo-release | |
# Make sure Zebra can be released! | |
# | |
# These steps should be kept up to date with the release checklist. | |
# | |
# TODO: move these steps into a script which is run in the release checklist and CI | |
- name: Crate release dry run | |
run: | | |
set -ex | |
git config --global user.email "[email protected]" | |
git config --global user.name "Automated Release Test" | |
# This script must be the same as: | |
# https://github.com/ZcashFoundation/zebra/blob/main/.github/PULL_REQUEST_TEMPLATE/release-checklist.md#update-crate-versions | |
# with an extra `--no-confirm` argument for non-interactive testing. | |
cargo release version --verbose --execute --no-confirm --allow-branch '*' --workspace --exclude zebrad beta | |
cargo release version --verbose --execute --no-confirm --allow-branch '*' --package zebrad patch | |
cargo release replace --verbose --execute --no-confirm --allow-branch '*' --package zebrad | |
cargo release commit --verbose --execute --no-confirm --allow-branch '*' | |
# Check the release will work using a dry run | |
# | |
# Workaround unpublished dependency version errors by skipping those crates: | |
# https://github.com/crate-ci/cargo-release/issues/691 | |
# | |
# TODO: check all crates after fixing these errors | |
cargo release publish --verbose --dry-run --allow-branch '*' --workspace --exclude zebra-consensus --exclude zebra-utils --exclude zebrad | |
# TODO: actually do the release here | |
#release-crates: | |
# name: Release Zebra Crates | |
# needs: [ check-release ] | |
# runs-on: ubuntu-latest | |
# timeout-minutes: 30 | |
# if: ${{ !cancelled() && !failure() && github.event_name == 'release' }} | |
# steps: | |
# ... | |
failure-issue: | |
name: Open or update issues for release crates failures | |
# When a new job is added to this workflow, add it to this list. | |
needs: [ check-release ] | |
# Only open tickets for failed or cancelled jobs that are not coming from PRs. | |
# (PR statuses are already reported in the PR jobs list, and checked by Mergify.) | |
if: (failure() && github.event.pull_request == null) || (cancelled() && github.event.pull_request == null) | |
runs-on: ubuntu-latest | |
steps: | |
- uses: jayqi/failed-build-issue-action@v1 | |
with: | |
title-template: "{{refname}} branch CI failed: {{eventName}} in {{workflow}}" | |
# New failures open an issue with this label. | |
label-name: S-ci-fail-release-crates-auto-issue | |
# If there is already an open issue with this label, any failures become comments on that issue. | |
always-create-new-issue: false | |
github-token: ${{ secrets.GITHUB_TOKEN }} |