diff --git a/.github/workflows/build/action.yaml b/.github/workflows/build/action.yaml
index c3f183d18..ea6dd98b3 100644
--- a/.github/workflows/build/action.yaml
+++ b/.github/workflows/build/action.yaml
@@ -14,21 +14,18 @@ runs:
 if: ${{ contains(fromJSON('["pull_request"]'), github.event_name) }}
 id: cargo-deny
 run: |
- set -xe
- command -v cargo-deny >/dev/null 2>&1 || {
- echo Installing cargo-deny >&2
- cargo install --quiet cargo-deny
- }
- bin/cargo-deny-checks.sh
+ set -euxo pipefail
+ rye sync
+ rye run python3 scripts/cargo-deny-checks.py
 shell: bash
 - name: "Build and repin"
 id: build
 run: |
- set -x
+ set -euxo pipefail
 rm -rf /home/runner/work/_temp/*/cache.tzst
 function bazel_build_auto_repin() {
- local MYTMPDIR="$(mktemp -d)"
+ MYTMPDIR="$(mktemp -d)"
 trap 'rm -rf -- "$MYTMPDIR"' EXIT
 local logfile="$MYTMPDIR/bazel-out.log"
 local r=0
@@ -55,6 +52,7 @@ runs:
 - name: Commit files
 if: ${{ steps.build.outputs.repin == 'true' }}
 run: |
+ set -euxo pipefail
 CARGO_BAZEL_REPIN=true bazel build ... || return $?
 git config --local user.email "github-actions[bot]@users.noreply.github.com"
 git config --local user.name "github-actions[bot]"
@@ -74,9 +72,7 @@ runs:
 if: ${{ !startsWith(runner.name, 'dre-runner-custom') }}
 shell: bash
 run: |
- #!/bin/bash
-
- set -euo pipefail
+ set -euxo pipefail
 bazel query ... | grep -E "tarball$" | while IFS= read -r target; do
 echo "Testing $target"
 bazel run $target
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 021056472..6380aa553 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -80,5 +80,4 @@ repos:
 language: script
 name: Cargo deny checks
 verbose: true
- entry: bin/cargo-deny-checks.sh
-
+ entry: scripts/cargo-deny-checks.py
diff --git a/bin/cargo-deny-checks.sh b/bin/cargo-deny-checks.sh
deleted file mode 100755
index 9319accd0..000000000
--- a/bin/cargo-deny-checks.sh
+++ /dev/null
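Review bot: The cargo-deny step now runs `rye sync` before the check, and nothing in this hunk pins what that installs or ensures `rye` is present on the runner. For a dependency-policy gate the environment should come strictly from the committed lockfile, e.g. `rye sync --no-lock`, so that a fresh resolution at job time cannot change the code that performs the check. The removed wrapper enforced `cargo deny check -D warnings`, and deny.toml is deleted in the same commit. scripts/cargo-deny-checks.py is not visible in this hunk, so confirm that it still fails the job on warnings and that the `openssl`/`openssl-sys` bans, the license allow-list and the advisory ignores with their reasons are carried over.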
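Review bot: In the "Commit files" step, `CARGO_BAZEL_REPIN=true bazel build ... || return $?` sits at the top level of the `run:` script, where `return` is only valid inside a function or a sourced file. On a failed build bash reports an error from the builtin and the step ends with that status instead of bazel's. Use `CARGO_BAZEL_REPIN=true bazel build ... || exit $?`, or drop the `||` clause and let errexit stop the step before the `git config` and commit commands. The rest of the step is outside the hunk; because `-x` now traces every command, check that the later push does not place a credential on a command line.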
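Review bot: In the tarball test loop, `bazel run $target` is unquoted and inherits the loop's stdin, so a target that reads stdin can consume the remaining lines from `bazel query` and the other tarball targets are silently skipped. `bazel run "$target" </dev/null` avoids both problems. With `pipefail` active, `grep -E "tarball$"` exiting 1 on no match also fails the step, which deserves a one-line comment if that is intended. The loop body continues outside the hunk.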
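Review bot: With `language: script`, pre-commit executes `scripts/cargo-deny-checks.py` directly, so the hook depends on the file's executable bit and on whatever interpreter its shebang selects, while CI runs the same script through `rye run python3` after `rye sync`. If the script imports anything outside the standard library (it is not shown in this hunk), the local hook can fail before checking anything or behave differently from the CI gate. Consider aligning the two, e.g. `entry: rye run python3 scripts/cargo-deny-checks.py` with `language: system`, or add a comment stating that the script is stdlib-only.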
@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-command -v cargo >/dev/null || {
- if test -x "$HOME/.cargo/bin/cargo"; then
- export PATH="$HOME/.cargo/bin:$PATH"
- else
- echo "'cargo' not found. Please install it by following the instructions at https://doc.rust-lang.org/cargo/getting-started/installation.html"
- exit 1
- fi
-}
-
-command -v cargo-deny >/dev/null || echo "'cargo-deny' not found. Please install it by running 'cargo install cargo-deny'"
-# Do not change -D here.
-# If there is a warning that causes a problem, and there
-# is no fix at hand, then add an exception to deny.toml.
-# If --warn unmaintained is added below, then the exceptions
-# already listed in deny.toml are ignored, which is exactly
-# the OPPOSITE of what we want.
-cargo deny check -D warnings
diff --git a/deny.toml b/deny.toml
deleted file mode 100644
index eb9cca1e3..000000000
--- a/deny.toml
+++ /dev/null
@@ -1,941 +0,0 @@ -# This template contains all of the possible sections and their default values - -# Note that all fields that take a lint level have these possible values: -# * deny - An error will be produced and the check will fail -# * warn - A warning will be produced, but the check will not fail -# * allow - No warning or error will be produced, though in some cases a note -# will be - -# The values provided in this template are the default values that will be used -# when any section or field is not specified in your own configuration - -# Root options - -# The graph table configures how the dependency graph is constructed and thus -# which crates the checks are performed against -[graph] -# If 1 or more target triples (and optionally, target_features) are specified, -# only the specified targets will be checked when running `cargo deny check`. -# This means, if a particular package is only ever used as a target specific -# dependency, such as, for example, the `nix` crate only being used via the -# `target_family = "unix"` configuration, that only having windows targets in -# this list would mean the nix crate, as well as any of its exclusive -# dependencies not shared by any other crates, would be ignored, as the target -# list here is effectively saying which targets you are building for. -targets = [ - # The triple can be any string, but only the target triples built in to - # rustc (as of 1.40) can be checked against actual config expressions - #"x86_64-unknown-linux-musl", - # You can also specify which target_features you promise are enabled for a - # particular target. target_features are currently not validated against - # the actual valid features supported by the target architecture. - #{ triple = "wasm32-unknown-unknown", features = ["atomics"] }, -] -# When creating the dependency graph used as the source of truth when checks are -# executed, this field can be used to prune crates from the graph, removing them -# from the view of cargo-deny. 
This is an extremely heavy hammer, as if a crate -# is pruned from the graph, all of its dependencies will also be pruned unless -# they are connected to another crate in the graph that hasn't been pruned, -# so it should be used with care. The identifiers are [Package ID Specifications] -# (https://doc.rust-lang.org/cargo/reference/pkgid-spec.html) -#exclude = [] -# If true, metadata will be collected with `--all-features`. Note that this can't -# be toggled off if true, if you want to conditionally enable `--all-features` it -# is recommended to pass `--all-features` on the cmd line instead -all-features = false -# If true, metadata will be collected with `--no-default-features`. The same -# caveat with `all-features` applies -no-default-features = false -# If set, these feature will be enabled when collecting metadata. If `--features` -# is specified on the cmd line they will take precedence over this option. -#features = [] - -# The output table provides options for how/if diagnostics are outputted -[output] -# When outputting inclusion graphs in diagnostics that include features, this -# option can be used to specify the depth at which feature edges will be added. -# This option is included since the graphs can be quite large and the addition -# of features from the crate(s) to all of the graph roots can be far too verbose. -# This option can be overridden via `--feature-depth` on the cmd line -feature-depth = 1 - -# This section is considered when running `cargo deny check advisories` -# More documentation for the advisories section can be found here: -# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html -[advisories] -# The path where the advisory databases are cloned/fetched into -#db-path = "$CARGO_HOME/advisory-dbs" -# The url(s) of the advisory databases to use -#db-urls = ["https://github.com/rustsec/advisory-db"] -# A list of advisory IDs to ignore. Note that ignored advisories will still -# output a note when they are encountered. 
-ignore = [ - #"RUSTSEC-0000-0000", - { id = "RUSTSEC-2021-0127", reason = "migration to ciborium / minicbor pending" }, - { id = "RUSTSEC-2021-0141", reason = "migration away from dotenv pending" }, - { id = "RUSTSEC-2024-0370", reason = "alternative not yet available" }, - { id = "RUSTSEC-2024-0384", reason = "instant is a transitive dependency" }, - #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish - #{ crate = "a-crate-that-is-yanked@0.1.1", reason = "you can specify why you are ignoring the yanked crate" }, -] -# If this is true, then cargo deny will use the git executable to fetch advisory database. -# If this is false, then it uses a built-in git library. -# Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support. -# See Git Authentication for more information about setting up git authentication. -#git-fetch-with-cli = true - -# This section is considered when running `cargo deny check licenses` -# More documentation for the licenses section can be found here: -# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html -[licenses] -# List of explicitly allowed licenses -# See https://spdx.org/licenses/ for list of possible licenses -# [possible values: any SPDX 3.11 short identifier (+ optional exception)]. -allow = [ - "MIT", - "Apache-2.0", - "Apache-2.0 WITH LLVM-exception", - "Unicode-3.0", - "MPL-2.0", # https://www.mozilla.org/en-US/MPL/2.0/FAQ/ - "Zlib", - "BSD-3-Clause", - "BSD-2-Clause", - "CC0-1.0", # basically public domain but explicitly put in legal terms - "ISC", - "BSL-1.0", - "OpenSSL", -] -# The confidence threshold for detecting a license from license text. -# The higher the value, the more closely the license text must be to the -# canonical license text of a valid SPDX license file. -# [possible values: any between 0.0 and 1.0]. 
-confidence-threshold = 0.8 -# Allow 1 or more licenses on a per-crate basis, so that particular licenses -# aren't accepted for every possible crate as with the normal allow list -exceptions = [ - # Each entry is the crate and version constraint, and its specific allow - # list - #{ allow = ["Zlib"], crate = "adler32" }, -] - -# Some crates don't have (easily) machine readable licensing information, -# adding a clarification entry for it allows you to manually specify the -# licensing information -[[licenses.clarify]] -crate = "config-writer-common" -expression = "Apache-2.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ring" -expression = "OpenSSL" -license-files = [{ path = "./LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "cycles-minting-canister" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "decentralization" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "dfn_candid" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "dfn_core" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "dfn_http" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "dfn_http_metrics" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "dfn_protobuf" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "fe-derive" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../../../LICENSE", hash = 0xbd0eed23 }] - 
-[[licenses.clarify]] -crate = "ic-adapter-metrics-client" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-adapter-metrics-service" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-async-utils" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-base-types" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-btc-replica-types" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-canister-client" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-canister-client-sender" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-canister-profiler" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-canisters-http-types" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-canonical-state" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-canonical-state-tree-hash" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-certification" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-certification-version" -expression = "LicenseRef-IC-1.0" 
-license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-config" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-constants" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-ed25519" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-getrandom-for-wasm" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-interfaces-sig-verification" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-basic-sig-der-utils" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-basic-sig-ed25519" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-bls12-381-type" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-hmac" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-multi-sig-bls12381" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-seed" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-sha2" -expression = 
"LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-threshold-sig-bls12381" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-threshold-sig-ecdsa" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-types" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-node-key-validation" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-secp256k1" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-secrets-containers" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-sha2" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-tls-cert-validation" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-tree-hash" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-utils-basic-sig" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-utils-ni-dkg" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-utils-threshold-sig" 
-expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-utils-threshold-sig-der" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-error-types" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-http-endpoints-metrics" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-icrc1" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-icrc1-index-ng" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-icrc1-ledger" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-icrc1-tokens-u64" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-interfaces" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-interfaces-registry" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-interfaces-state-manager" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-ledger-canister-core" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-ledger-core" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 
0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-logger" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-limits" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-management-canister-types" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-metrics" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-canisters" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-clients" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-collections-union-multi-map" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-common" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-common-build-metadata" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-common-test-keys" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-governance" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-lock" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] 
-crate = "ic-nervous-system-proto" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-proxied-canister-calls-tracker" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-root" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-runtime" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-string" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-temporary" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-neurons-fund" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nns-common" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nns-constants" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nns-governance" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nns-governance-api" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nns-governance-init" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nns-gtc-accounts" -expression = "LicenseRef-IC-1.0" 
-license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nns-handler-root-interface" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-protobuf" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-canister-api" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-canister-client" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-client" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-client-fake" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-client-helpers" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-common-proto" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-keys" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-local-registry" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-local-store" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-local-store-artifacts" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 
0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-nns-data-provider" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-node-provider-rewards" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-provisional-whitelist" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-routing-table" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-subnet-features" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-subnet-type" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-registry-transport" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-replicated-state" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-sns-governance" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-sns-governance-proposal-criticality" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-sns-governance-proposals-amount-total-limit" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-sns-governance-token-valuation" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", 
hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-sns-init" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-sns-root" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-sns-swap" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-sns-swap-proto-library" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-sns-wasm" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-sys" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-types" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-utils" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-utils-thread" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-validate-eq" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-validate-eq-derive" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-wasm-types" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "icp-ledger" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] 
-crate = "on_wire" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "phantom_newtype" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "registry-canister" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "tree-deserializer" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "rosetta-core" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-icrc1-test-utils" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-test-utils-reproducible-rng" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-basic-sig-ecdsa-secp256k1" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-initial-supply" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-common-validation" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-crypto-internal-threshold-sig-canister-threshold-sig" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] -crate = "ic-nervous-system-linear-map" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../LICENSE", hash = 0xbd0eed23 }] - -[[licenses.clarify]] 
-crate = "ic-sns-governance-api" -expression = "LicenseRef-IC-1.0" -license-files = [{ path = "../../../../LICENSE", hash = 0xbd0eed23 }] - - -[licenses.private] -# If true, ignores workspace crates that aren't published, or are only -# published to private registries. -# To see how to mark a crate as unpublished (to the official registry), -# visit https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field. -ignore = false -# One or more private registries that you might publish crates to, if a crate -# is only published to private registries, and ignore is true, the crate will -# not have its license(s) checked -registries = [ - #"https://sekretz.com/registry -] - -# This section is considered when running `cargo deny check bans`. -# More documentation about the 'bans' section can be found here: -# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html -[bans] -# Lint level for when multiple versions of the same crate are detected -multiple-versions = "deny" -# Lint level for when a crate version requirement is `*` -wildcards = "allow" -# The graph highlighting used when creating dotgraphs for crates -# with multiple versions -# * lowest-version - The path to the lowest versioned duplicate is highlighted -# * simplest-path - The path to the version with the fewest edges is highlighted -# * all - Both lowest-version and simplest-path are used -highlight = "all" -# The default lint level for `default` features for crates that are members of -# the workspace that is being checked. This can be overridden by allowing/denying -# `default` on a crate-by-crate basis if desired. -workspace-default-features = "allow" -# The default lint level for `default` features for external crates that are not -# members of the workspace. This can be overridden by allowing/denying `default` -# on a crate-by-crate basis if desired. -external-default-features = "allow" -# List of crates that are allowed. Use with care! 
-allow = [ - #"ansi_term@0.11.0", - #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is allowed" }, -] -# List of crates to deny -deny = [ - "openssl", - "openssl-sys", - #"ansi_term@0.11.0", - #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is banned" }, - # Wrapper crates can optionally be specified to allow the crate when it - # is a direct dependency of the otherwise banned crate - #{ crate = "ansi_term@0.11.0", wrappers = ["this-crate-directly-depends-on-ansi_term"] }, -] - -# List of features to allow/deny -# Each entry the name of a crate and a version range. If version is -# not specified, all versions will be matched. -#[[bans.features]] -#crate = "reqwest" -# Features to not allow -#deny = ["json"] -# Features to allow -#allow = [ -# "rustls", -# "__rustls", -# "__tls", -# "hyper-rustls", -# "rustls", -# "rustls-pemfile", -# "rustls-tls-webpki-roots", -# "tokio-rustls", -# "webpki-roots", -#] -# If true, the allowed features must exactly match the enabled feature set. If -# this is set there is no point setting `deny` -#exact = true - -# Certain crates/versions that will be skipped when doing duplicate detection. -skip = [] -skip-tree = [ - # These which follow should be fixed! 
- { crate = "tokio-rustls", reason = "it is known that octocrab requires a version older than the version required by ic-canister-client" }, - { crate = "hyper-rustls", reason = "it is known that octocrab requires a version older than the version required by ic-canister-client" }, - { crate = "sync_wrapper", reason = "ic-adapter-metrics-client requires tonic which requires an older sync-wrapper, recommend migrating away from tonic" }, - { crate = "hyper-timeout", reason = "ic-adapter-metrics-client requires tonic which requires an older sync-wrapper, recommend migrating away from tonic" }, - { crate = "strum_macros", reason = "spinners requires an older version of strum which requires an older version of strum_macros" }, - { crate = "strum", reason = "spinners requires an older version of strum which requires an older version of strum_macros" }, - { crate = "strsim", reason = "some IC canisters require clap 3.x which brings in older strsim" }, - { crate = "clap_derive", reason = "some IC canisters require the old clap 3.x" }, - { crate = "clap_lex", reason = "some IC canisters require the old clap 3.x" }, - { crate = "clap", reason = "some IC canisters require the old clap 3.x" }, - { crate = "convert_case", reason = "auto_generate_cdp, whose license is GPL and should not be here, brings old convert_case" }, - { crate = "sha2", reason = "ic-agent brings in ed25519-consensus which brings in an older sha2" }, - { crate = "arrayvec", reason = "candid v0.10.10 brings an older pretty, which brings in an older arraayvec" }, - { crate = "axum", reason = "ic-adapter-metrics-client and other IC crates bring in tonic which brings in an older axum" }, - { crate = "axum-core", reason = "ic-adapter-metrics-client and other IC crates bring in tonic which brings in an older axum" }, - { crate = "base64", reason = "build-info-build v0.0.27 depends on an older bas64 crate" }, - { crate = "cached", reason = "ic-crypto-interna-threshoold-sig-bls12381 brings in an older cached" }, - { 
crate = "darling", reason = "ic-types crate brings in old serde-with which pulls in this old crate" }, - { crate = "darling_core", reason = "ic-types crate brings in old serde-with which pulls in this old crate" }, - { crate = "env_logger", reason = "pretty_env_logger pulls in an old version of env_logger" }, - { crate = "erased-serde", reason = "ic-protobuf and others pull in an old version of erased-serde" }, - { crate = "fastrand", reason = "self_update pulls in self-replace which pulls old version of fastrand" }, - { crate = "half", reason = "unmaintained serde_cbor which should be replaced (search in this file) pulls in old half" }, - { crate = "ic-agent", reason = "transitive dependency" }, - { crate = "ic-cdk", reason = "various IC packages require an older ic-cdk which pulls in these macros" }, - { crate = "ic-cdk-macros", reason = "various IC packages require an older ic-cdk which pulls in these macros" }, - { crate = "ic-cdk-timers", reason = "various IC packages require an older ic-cdk which pulls in these macros" }, - { crate = "ic-certification", reason = "ic-canister-client and ic-registry-nns-data-provider needs to have this dependency updated" }, - { crate = "idna", reason = "a number of packages pull an old url version which in turn pulls this package" }, - { crate = "libloading", reason = "the workspace pulls in old version of pkcs11 (v0.5.0) which pulls in an old libloading" }, - { crate = "pem", reason = "ic-crypto-ed25519 v0.9.0 depended by a lot of packages pulls in an old pem" }, - { crate = "procfs", reason = "ic-metrics crate pulls in an old version of procfs" }, - { crate = "ic-transport-types", reason = "version in the ic repo not yet updated" }, - { crate = "secrecy", reason = "transitive dependency" }, - { crate = "windows-sys", reason = "transitive dependency" }, - { crate = "windows_i686_msvc", reason = "transitive dependency" }, - { crate = "windows_i686_gnu", reason = "transitive dependency" }, - { crate = "windows_x86_64_msvc", 
reason = "transitive dependency" }, - { crate = "windows_x86_64_gnullvm", reason = "transitive dependency" }, - { crate = "windows_x86_64_gnu", reason = "transitive dependency" }, -] - -# This section is considered when running `cargo deny check sources`. -# More documentation about the 'sources' section can be found here: -# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html -[sources] -# Lint level for what to happen when a crate from a crate registry that is not -# in the allow list is encountered -unknown-registry = "warn" -# Lint level for what to happen when a crate from a git repository that is not -# in the allow list is encountered -unknown-git = "warn" -# List of URLs for allowed crate registries. Defaults to the crates.io index -# if not specified. If it is specified but empty, no registries are allowed. -allow-registry = ["https://github.com/rust-lang/crates.io-index"] -# List of URLs for allowed Git repositories -allow-git = [ - "https://github.com/dfinity-lab/build-info", - "https://github.com/dfinity/ic", - "https://github.com/dfinity/cdk-rs.git", -] - -[sources.allow-org] -# github.com organizations to allow git sources for -github = [] -# gitlab.com organizations to allow git sources for -gitlab = [] -# bitbucket.org organizations to allow git sources for -bitbucket = [] diff --git a/rs/ic-management-backend/src/health.rs b/rs/ic-management-backend/src/health.rs index c5b53c3d6..62142f8c4 100644 --- a/rs/ic-management-backend/src/health.rs +++ b/rs/ic-management-backend/src/health.rs 
@@ -176,18 +176,34 @@ impl PublicDashboardHealthClient { } }; - let status = match node.get("status") { - None => { + let status = match (node.get("alertname"), node.get("status")) { + (alertname, Some(s)) => { + let s = s.to_string(); + let s = get_unquoted(&s); + let alertname = alertname.map(|a| a.to_string()).unwrap_or_default(); + let alertname = get_unquoted(&alertname); + HealthStatus::from_str_from_dashboard(alertname, s) + } + (_, None) => { warn!("Didn't find node while checking node health which shouldn't happen!"); continue; } - Some(s) => { - let s = s.to_string(); - let s = get_unquoted(&s); - HealthStatus::from_str_from_dashboard(s) + }; + + let node_dc = match node.get("dc_id") { + None => { + warn!("Didn't find datacenter while checking node health which shouldn't happen!"); + continue; + } + Some(dc) => { + let dc = dc.to_string(); + let dc = get_unquoted(&dc); + dc.to_string() } }; + let status = if node_dc == "mn2" { HealthStatus::Healthy } else { status }; + let maybe_subnet = match node.get("subnet_id") { None => None, Some(pr) => { @@ -256,7 +272,10 @@ impl PrometheusHealthClient { // Alerts are synthetic time series and cannot be queries as regular metrics // https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/#inspecting-alerts-during-runtime - let query_alert = format!("ALERTS{{ic=\"{}\", job=\"replica\", alertstate=\"firing\"}}", self.network.legacy_name(),); + let query_alert = format!( + "ALERTS{{ic=\"{}\", job=\"replica\", alertstate=\"firing\", alertname!=\"IC_PrometheusTargetMissing\"}}", + self.network.legacy_name(), + ); let response_alert = self.client.query(query_alert).get().await?; let instant_alert = response_alert.data().as_vector().expect("Expected instant vector"); let node_ids_with_alerts: HashSet = instant_alert diff --git a/rs/ic-management-types/src/lib.rs b/rs/ic-management-types/src/lib.rs index 01543e9a6..87a0ad561 100644 --- a/rs/ic-management-types/src/lib.rs 
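Review bot: The added `let status = if node_dc == "mn2" { HealthStatus::Healthy } else { status };` reports every node in that datacenter as healthy whatever the dashboard returned, including a `DOWN` node that `from_str_from_dashboard` maps to `Dead`, and nothing in the hunk says why. If the intent is only to silence degraded noise from that site, narrow it, e.g. `let status = if node_dc == "mn2" && matches!(status, HealthStatus::Degraded) { HealthStatus::Healthy } else { status };`, and move the datacenter id into a named constant with a comment giving the reason and when the override can be removed. The new `dc_id` lookup also hits `continue` when the field is absent, so such a node now drops out of the health result; keeping the status already computed looks safer. The enclosing function starts and ends outside the hunk.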
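Review bot: The alert name `IC_PrometheusTargetMissing` is a string literal inside the PromQL selector here and again in the match arm added to `from_str_from_dashboard` in rs/ic-management-types/src/lib.rs, so a rename of the alerting rule would silently stop the exclusion in one path only. A shared constant used in both places, e.g. `pub const ALERT_PROMETHEUS_TARGET_MISSING: &str = "IC_PrometheusTargetMissing";` in ic-management-types, would keep them together. A comment above the query such as `// A missing scrape target is a monitoring gap, not a replica fault, so it must not mark the node as alerting` would record why this one alert is filtered out (reason inferred, to be confirmed by the author). The enclosing method continues outside the hunk.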
+++ b/rs/ic-management-types/src/lib.rs @@ -710,11 +710,12 @@ pub enum HealthStatus { /// Even if `from_str` is implemented by `EnumString` in derive, public api returns them capitalized and this is the implementation for that convertion impl HealthStatus { - pub fn from_str_from_dashboard(s: &str) -> Self { - match s { - "UP" | "UNASSIGNED" => Self::Healthy, - "DEGRADED" => Self::Degraded, - "DOWN" => Self::Dead, + pub fn from_str_from_dashboard(alertname: &str, s: &str) -> Self { + match (alertname, s) { + (_, "UP" | "UNASSIGNED") => Self::Healthy, + ("IC_PrometheusTargetMissing", "DEGRADED") => Self::Healthy, + (_, "DEGRADED") => Self::Degraded, + (_, "DOWN") => Self::Dead, _ => Self::Unknown, } } diff --git a/scripts/cargo-deny-checks.py b/scripts/cargo-deny-checks.py new file mode 100755 index 000000000..c79b23f16 --- /dev/null +++ b/scripts/cargo-deny-checks.py 
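Review bot: `from_str_from_dashboard` gains an `alertname` parameter but no doc comment, and its result now depends on arm order: the `("IC_PrometheusTargetMissing", "DEGRADED")` arm must stay above `(_, "DEGRADED")` or it becomes unreachable. A doc comment on the function would make that explicit, e.g. `/// Maps a dashboard status to a HealthStatus; DEGRADED raised only by IC_PrometheusTargetMissing counts as Healthy (arm order matters).` The caller in health.rs passes an empty string when the node has no `alertname`, which is worth stating in the same comment. No test for the new arm is visible in this diff; a unit test covering `DEGRADED` with the matching alert name, with another name and with an empty name would pin the behaviour.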
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+"""Check Cargo.lock for a) disallowed crates or b) multiple versions of crates required to have a single version."""
+
+import sys
+
+try:
+ import tomllib # Available in Python 3.11 and later
+except ModuleNotFoundError:
+ import tomli as tomllib # Third-party package for earlier versions
+
+DISALLOWED_CRATES = {"openssl", "openssl-sys"}
+REQUIRE_SINGLE_VERSION = {"opentelemetry"}
+
+
+def main():
+ try:
+ with open("Cargo.lock", "rb") as f:
+ data = tomllib.load(f)
+ except FileNotFoundError:
+ print("Cargo.lock file not found.", file=sys.stderr)
+ sys.exit(1)
+ except Exception as e:
+ print(f"Error parsing Cargo.lock: {e}", file=sys.stderr)
+ sys.exit(1)
+
+ packages = data.get("package", [])
+ package_versions = {}
+ found_disallowed_crates = set()
+
+ for pkg in packages:
+ name = pkg.get("name")
+ version = pkg.get("version")
+
+ # Check for disallowed crates
+ if name in DISALLOWED_CRATES:
+ found_disallowed_crates.add(name)
+
+ # Collect versions for each crate
+ if name not in package_versions:
+ package_versions[name] = set()
+ package_versions[name].add(version)
+
+ duplicates = {
+ name: versions
+ for name, versions in package_versions.items()
+ if name in REQUIRE_SINGLE_VERSION and len(versions) > 1
+ }
+
+ exit_code = 0
+
+ if duplicates:
+ print("Error: The following crates are used with multiple versions:")
+ for name, versions in duplicates.items():
+ versions_list = ", ".join(sorted(versions))
+ print(f" - {name}: versions {versions_list}")
+ exit_code = 1
+
+ if found_disallowed_crates:
+ print("\nError: The following disallowed crates are used:")
+ for name in sorted(found_disallowed_crates):
+ print(f" - {name}")
+ exit_code = 1
+
+ if exit_code == 0:
+ print(
+ f"SUCCESS: only a single version of crates {REQUIRE_SINGLE_VERSION} is used, "
+ + f"and no disallowed crates {DISALLOWED_CRATES} are used in Cargo.lock"
+ )
+ else:
+ sys.exit(exit_code)
+
+
+if __name__ == "__main__":
+ main()
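Review bot: The loop reads only `name` and `version` from each `[[package]]` entry, so the origin allow-list that the deleted deny.toml enforced under `[sources]` (the crates.io index plus three git repositories, with `-D warnings` turning the `warn` levels into failures) has no counterpart here, and a dependency resolved from any other registry or git URL would pass. If that guarantee is still wanted, the script can check each package's `source` field against the same list, comparing the origin exactly rather than by prefix so that a similarly named repository path does not match. The license checks and the workspace-wide `multiple-versions = "deny"` rule from deny.toml are likewise not replaced, which may be intended but is worth stating in the module docstring. The strings in the sketch below follow Cargo.lock's `registry+`/`git+` form and should be confirmed against the current lock file.

```python
DISALLOWED_CRATES = {"openssl", "openssl-sys"}
# Origins carried over from the [sources] section of the removed deny.toml.
ALLOWED_SOURCES = {
    "registry+https://github.com/rust-lang/crates.io-index",
    "git+https://github.com/dfinity-lab/build-info",
    "git+https://github.com/dfinity/ic",
    "git+https://github.com/dfinity/cdk-rs.git",
}

# … unchanged: Cargo.lock loading …

    unknown_sources = set()

    for pkg in packages:
        name = pkg.get("name")
        # … unchanged: disallowed-crate check and version bookkeeping …

        # Workspace members have no "source" key; every other package must
        # match an allow-listed origin exactly, once the ?rev=/#commit suffix
        # that Cargo appends to git sources is dropped.
        source = pkg.get("source")
        if source is not None:
            origin = source.split("#", 1)[0].split("?", 1)[0]
            if origin not in ALLOWED_SOURCES:
                unknown_sources.add(f"{name} ({source})")

    # … unchanged: duplicate and disallowed-crate reporting …

    if unknown_sources:
        print("\nError: The following crates come from sources that are not allow-listed:")
        for entry in sorted(unknown_sources):
            print(f"  - {entry}")
        exit_code = 1
```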