From 64fcaae819b71f87a173316cd9a726988c3e0861 Mon Sep 17 00:00:00 2001
From: Cezary Olborski
Date: Mon, 27 Apr 2026 13:04:53 +0800
Subject: [PATCH 1/6] chore: Rust & CI update
---
 .github/actions/macos/action.yml | 50 ++++++++++
 .github/actions/ubuntu/action.yml | 51 ++++++++++
 .github/workflows/ci.yml | 64 ++++---------
 .github/workflows/codeql.yml | 50 ++++++++++
 .../create-release-tag-and-publish.yml | 94 ++++++++++---------
 Cargo.toml | 36 +++----
 rust-toolchain => rust-toolchain.toml | 2 +-
 taplo.toml | 13 ++-
 8 files changed, 250 insertions(+), 110 deletions(-)
 create mode 100644 .github/actions/macos/action.yml
 create mode 100644 .github/actions/ubuntu/action.yml
 create mode 100644 .github/workflows/codeql.yml
 rename rust-toolchain => rust-toolchain.toml (77%)
diff --git a/.github/actions/macos/action.yml b/.github/actions/macos/action.yml
new file mode 100644
index 0000000..d0bc8f8
--- /dev/null
+++ b/.github/actions/macos/action.yml
@@ -0,0 +1,50 @@
+---
+name: macos dependencies
+description: installs dependencies required to compile quantus-cli on macos
+
+runs:
+ using: composite
+ steps:
+ - name: rust compilation prerequisites (macos)
+ run: |
+ brew update
+ OK=0
+ for i in 1 2 3; do
+ if brew install protobuf llvm; then OK=1; break; fi
+ echo "brew install attempt $i failed (often transient ghcr.io), retrying in 15s..."
+ sleep 15
+ done
+ if [ "$OK" -ne 1 ]; then echo "::error::brew install protobuf llvm failed after 3 attempts"; exit 1; fi
+ curl https://sh.rustup.rs -sSf | sh -s -- -y
+ brew uninstall cmake
+ brew install openssl cmake 2>&1 | sed '/already installed and up-to-date/d'; exit "${PIPESTATUS[0]:-$?}"
+ # Unconditionally install the toolchain pinned in rust-toolchain.toml
+ # (rustup >=1.28 no longer auto-installs the active toolchain, and
+ # `rustup update` only refreshes already-installed toolchains).
+ # This installs the channel + every component/target listed in the file.
+ rustup toolchain install
+ rustup target add wasm32-unknown-unknown
+ rustup component add rustfmt --toolchain nightly
+ rustup component add clippy rust-src
+ shell: bash
+ - name: Set LIBCLANG_PATH for clang-sys (bindgen/rocksdb etc.)
+ run: |
+ # Homebrew LLVM provides libclang.dylib; clang-sys looks for libclang.dylib.
+ # ARM (Apple Silicon): /opt/homebrew/opt/llvm/lib
+ # x86 (Intel): /usr/local/opt/llvm/lib
+ DIR=
+ if command -v brew >/dev/null 2>&1; then
+ PREFIX="$(brew --prefix llvm 2>/dev/null)"
+ [ -n "$PREFIX" ] && [ -d "$PREFIX/lib" ] && ls "$PREFIX/lib"/libclang*.dylib 1>/dev/null 2>&1 && DIR="$PREFIX/lib"
+ fi
+ if [ -z "$DIR" ] && [ -d /usr/local/opt/llvm/lib ] && ls /usr/local/opt/llvm/lib/libclang*.dylib 1>/dev/null 2>&1; then
+ DIR=/usr/local/opt/llvm/lib
+ fi
+ if [ -z "$DIR" ] && [ -d /opt/homebrew/opt/llvm/lib ] && ls /opt/homebrew/opt/llvm/lib/libclang*.dylib 1>/dev/null 2>&1; then
+ DIR=/opt/homebrew/opt/llvm/lib
+ fi
+ if [ -n "$DIR" ]; then
+ echo "LIBCLANG_PATH=$DIR" >> $GITHUB_ENV
+ fi
+ echo "LIBCLANG_PATH=${LIBCLANG_PATH:-not set}"
+ shell: bash
diff --git a/.github/actions/ubuntu/action.yml b/.github/actions/ubuntu/action.yml
new file mode 100644
index 0000000..563a72b
--- /dev/null
+++ b/.github/actions/ubuntu/action.yml
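Review bot: The `curl https://sh.rustup.rs -sSf | sh -s -- -y` line in the first step runs a freshly downloaded installer on every job, including the release jobs that reuse this action, without the `--proto '=https' --tlsv1.2` restrictions that rustup's own install instructions use. GitHub-hosted macOS images normally ship rustup already, so the download can probably be skipped when it is present: `command -v rustup >/dev/null 2>&1 || curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y`. If the installer does run, `~/.cargo/bin` may not be on PATH for the later `rustup` calls in the same step, which is worth confirming on a clean runner.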
@@ -0,0 +1,51 @@
+---
+name: ubuntu dependencies
+description: installs dependencies required to compile quantus-cli on ubuntu
+
+runs:
+ using: composite
+ steps:
+ - name: rust compilation prerequisites (ubuntu)
+ run: |
+ sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+ sudo rm -f /etc/apt/sources.list.d/azure-cli.list
+ sudo apt-get update -yqq
+ sudo apt-get install -yqq --no-install-recommends \
+ libclang-dev \
+ clang \
+ protobuf-compiler
+ # Unconditionally install the toolchain pinned in rust-toolchain.toml
+ # (rustup >=1.28 no longer auto-installs the active toolchain, and
+ # `rustup update` only refreshes already-installed toolchains).
+ # This installs the channel + every component/target listed in the file.
+ rustup toolchain install
+ rustup target add wasm32-unknown-unknown
+ rustup component add rustfmt --toolchain nightly
+ rustup component add clippy rust-src
+ shell: bash
+ - name: Set LIBCLANG_PATH for clang-sys (bindgen/rocksdb etc.)
+ run: |
+ # Runner may set wrong LIBCLANG_PATH; use known dirs then find then llvm-config.
+ DIR=
+ for ver in 18 17 16 15 14; do
+ D="/usr/lib/llvm-$ver/lib"
+ if [ -d "$D" ] && ls "$D"/libclang*.so* 1>/dev/null 2>&1; then
+ DIR=$D
+ break
+ fi
+ done
+ if [ -z "$DIR" ]; then
+ LIB=$(find /usr -name 'libclang.so*' \( -type f -o -type l \) 2>/dev/null | head -1)
+ [ -n "$LIB" ] && DIR=$(dirname "$LIB")
+ fi
+ if [ -z "$DIR" ] && command -v llvm-config >/dev/null 2>&1; then
+ D=$(llvm-config --libdir 2>/dev/null)
+ if [ -n "$D" ] && [ -d "$D" ] && ls "$D"/libclang*.so* 1>/dev/null 2>&1; then
+ DIR=$D
+ fi
+ fi
+ if [ -n "$DIR" ] && [ "$DIR" != "." ]; then
+ echo "LIBCLANG_PATH=$DIR" >> $GITHUB_ENV
+ fi
+ echo "LIBCLANG_PATH=${LIBCLANG_PATH:-not set}"
+ shell: bash
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1218aa3..b9f27e5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
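Review bot: The final `echo "LIBCLANG_PATH=${LIBCLANG_PATH:-not set}"` in the second step prints the value the step inherited, not the one just chosen, because a write to `$GITHUB_ENV` only takes effect in later steps. Since the step's own comment says the runner may carry a wrong `LIBCLANG_PATH`, the log line will show exactly that wrong value; `echo "LIBCLANG_PATH=${DIR:-not set}"` reports what was actually exported. The redirect target should also be quoted, `>> "$GITHUB_ENV"`. When no directory is found the step succeeds and leaves any inherited value in place, so a `::warning::` line in that branch would make the fallback visible. The macOS action has the same echo and the same unquoted redirect.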
@@ -19,9 +19,16 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +# Principle of least privilege: all jobs only read the repo (checkout + cargo). +# Per-job override is unnecessary because no job pushes, creates releases or PRs. +permissions: + contents: read + env: CARGO_INCREMENTAL: 0 CARGO_TERM_COLOR: always + CARGO_NET_RETRY: 10 + CARGO_NET_TIMEOUT: 60 jobs: fast-checks: @@ -29,8 +36,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: Install required components - run: rustup component add rustfmt --toolchain nightly + - uses: ./.github/actions/ubuntu - name: Install taplo run: cargo install taplo-cli --locked - name: Run format checks @@ -42,33 +48,21 @@ jobs: name: 🛠️ Build & Test Matrix needs: fast-checks runs-on: ${{ matrix.os }} + timeout-minutes: 60 strategy: - fail-fast: true + fail-fast: false matrix: os: - ubuntu-latest - macos-latest - rust: - - stable steps: - uses: actions/checkout@v4 - - name: Install Rust ${{ matrix.rust }} - uses: dtolnay/rust-toolchain@master - with: - toolchain: ${{ matrix.rust }} - - name: Install dependencies (Ubuntu) + - name: Setup Ubuntu if: matrix.os == 'ubuntu-latest' - run: | - sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list - sudo rm -f /etc/apt/sources.list.d/azure-cli.list - sudo apt-get update -yqq - sudo apt-get install -yqq --no-install-recommends \ - libclang-dev \ - protobuf-compiler - - name: Install dependencies (macOS) + uses: ./.github/actions/ubuntu + - name: Setup macOS if: matrix.os == 'macos-latest' - run: | - brew install protobuf + uses: ./.github/actions/macos - name: Build (all targets) run: cargo build --locked - name: Build (library only) 
@@ -80,20 +74,10 @@ jobs: name: 🤖 Analysis (Clippy & Doc) needs: fast-checks runs-on: ubuntu-latest + timeout-minutes: 30 steps: - uses: actions/checkout@v4 - - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable - with: - components: clippy, rust-src - - name: Install dependencies - run: | - sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list - sudo rm -f /etc/apt/sources.list.d/azure-cli.list - sudo apt-get update -yqq - sudo apt-get install -yqq --no-install-recommends \ - libclang-dev \ - protobuf-compiler + - uses: ./.github/actions/ubuntu - name: Run clippy (all targets) run: SKIP_CIRCUIT_BUILD=1 cargo clippy --all-targets --locked -- -D warnings - name: Run clippy (library only) @@ -107,6 +91,7 @@ jobs: name: 🔒 Security Audit needs: fast-checks runs-on: ubuntu-latest + timeout-minutes: 10 steps: - uses: actions/checkout@v4 - name: Install cargo-audit @@ -118,21 +103,12 @@ jobs: name: 📚 Examples needs: fast-checks runs-on: ubuntu-latest + timeout-minutes: 30 steps: - uses: actions/checkout@v4 - - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable - - name: Install dependencies - run: | - sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list - sudo rm -f /etc/apt/sources.list.d/azure-cli.list - sudo apt-get update -yqq - sudo apt-get install -yqq --no-install-recommends \ - libclang-dev \ - protobuf-compiler + - uses: ./.github/actions/ubuntu - name: Build examples - run: | - cargo build --examples --locked + run: cargo build --examples --locked - name: Check example compilation run: | for example in examples/*.rs; do diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..44f9d50 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,50 @@ +--- +name: CodeQL + +on: + push: + branches: [main] + pull_request: + branches: [main] + +# No scheduled scans by design: every code change reaches main via push or PR, +# both of which trigger this workflow. Security advisories for Rust dependencies +# are independently caught by `cargo audit` in ci.yml. + +permissions: + contents: read + security-events: write + actions: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + timeout-minutes: 30 + strategy: + fail-fast: false + matrix: + include: + # `actions` covers GitHub Actions workflow hygiene (e.g. the + # `actions/missing-workflow-permissions` rule). + - language: actions + build-mode: none + # `rust` is GA since Oct 2025 and supports build-mode `none`, + # so we get source-level analysis without compiling the crate. + # Note: `cargo audit` in ci.yml stays as the authoritative source + # for known CVEs in dependencies; CodeQL adds taint/quality checks + # on our own source. + - language: rust + build-mode: none + steps: + - uses: actions/checkout@v5 + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + queries: security-and-quality + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/create-release-tag-and-publish.yml b/.github/workflows/create-release-tag-and-publish.yml index 2e53f0b..383a062 100644 --- a/.github/workflows/create-release-tag-and-publish.yml +++ b/.github/workflows/create-release-tag-and-publish.yml @@ -3,6 +3,8 @@ name: Create Release Tag & Publish env: CARGO_INCREMENTAL: 0 CARGO_TERM_COLOR: always + CARGO_NET_RETRY: 10 + CARGO_NET_TIMEOUT: 60 on: pull_request: 
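Review bot: The header comment's reasoning for omitting a `schedule:` trigger covers code changes only; CodeQL query packs are updated independently of the repository, so a quiet `main` is never re-analysed with newer queries. A weekly `schedule:` entry with a `cron:` expression would close that gap at low cost. The same comment calls `cargo audit` in ci.yml the authoritative advisory check, which only holds while that job can fail a build. `security-events: write` is needed only by the `analyze` job and could be declared on the job, leaving the workflow default at `contents: read`.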
@@ -10,6 +12,11 @@ on: branches: - main +# Default to read-only; jobs that need to push tags or create releases +# override this with explicit `contents: write` (see create-tag, create-github-release). +permissions: + contents: read + jobs: create-tag: name: Create Release Tag @@ -62,8 +69,7 @@ jobs: with: ref: ${{ needs.create-tag.outputs.version }} - - name: Install required components - run: rustup component add rustfmt --toolchain nightly + - uses: ./.github/actions/ubuntu - name: Install taplo run: cargo install taplo-cli --locked @@ -77,6 +83,7 @@ jobs: name: 🛠️ Build & Test Release needs: [create-tag, format-checks] runs-on: ${{ matrix.os }} + timeout-minutes: 60 strategy: fail-fast: true matrix: @@ -89,13 +96,16 @@ jobs: with: ref: ${{ needs.create-tag.outputs.version }} - - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable - with: - components: clippy, rust-src + - name: Setup Ubuntu + if: matrix.os == 'ubuntu-latest' + uses: ./.github/actions/ubuntu + + - name: Setup macOS + if: matrix.os == 'macos-latest' + uses: ./.github/actions/macos - name: Cache cargo registry - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: | ~/.cargo/registry @@ -103,19 +113,6 @@ jobs: target key: ${{ runner.os }}-release-cargo-${{ hashFiles('**/Cargo.lock') }} - - name: Install dependencies (Ubuntu) - if: matrix.os == 'ubuntu-latest' - run: | - sudo apt-get update -yqq - sudo apt-get install -yqq --no-install-recommends \ - libclang-dev \ - protobuf-compiler - - - name: Install dependencies (macOS) - if: matrix.os == 'macos-latest' - run: | - brew install protobuf - - name: Build release (all targets) run: cargo build --locked --release 
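Review bot: The new top-level `permissions: contents: read` relies on `create-tag` and `create-github-release` already declaring `contents: write`, and neither job's permissions block appears in this patch. If either override is missing, the tag push or release creation would fail only when a release is actually cut, so both jobs are worth checking before merge. Any other job in this workflow that writes with the GitHub token (outside these hunks, so not verifiable here) needs the same explicit override.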
@@ -126,13 +123,13 @@ jobs: run: cargo test --locked --release - name: Run clippy - run: cargo clippy --all-targets --locked -- -D warnings + run: SKIP_CIRCUIT_BUILD=1 cargo clippy --all-targets --locked -- -D warnings - name: Generate documentation - run: cargo doc --locked --no-deps + run: SKIP_CIRCUIT_BUILD=1 cargo doc --locked --no-deps - name: Check documentation - run: cargo doc --locked --no-deps --document-private-items + run: SKIP_CIRCUIT_BUILD=1 cargo doc --locked --no-deps --document-private-items - name: Build examples run: cargo build --examples --locked --release @@ -141,6 +138,7 @@ jobs: name: 🔒 Security Audit needs: [create-tag, format-checks] runs-on: ubuntu-latest + timeout-minutes: 10 steps: - name: Checkout code at tag uses: actions/checkout@v4 @@ -157,6 +155,7 @@ jobs: name: 📦 Build Binary (${{ matrix.target }}) needs: create-tag runs-on: ${{ matrix.os }} + timeout-minutes: 90 strategy: fail-fast: false matrix: @@ -179,10 +178,29 @@ jobs: with: ref: ${{ needs.create-tag.outputs.version }} - - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable - with: - targets: ${{ matrix.target }} + # On Linux/macOS the composite actions install the toolchain pinned in + # rust-toolchain.toml plus required system dependencies. On Windows we + # provision the toolchain explicitly via rustup below. + - name: Setup Ubuntu + if: matrix.os == 'ubuntu-latest' + uses: ./.github/actions/ubuntu + + - name: Setup macOS + if: startsWith(matrix.os, 'macos') + uses: ./.github/actions/macos + + - name: Install Rust (Windows) + if: runner.os == 'Windows' + shell: bash + run: | + # rust-toolchain.toml pins the channel; rustup will install it on first invocation. + rustup show active-toolchain || rustup toolchain install + rustup target add ${{ matrix.target }} + + - name: Add target (Linux/macOS) + if: runner.os != 'Windows' + shell: bash + run: rustup target add ${{ matrix.target }} - name: Cache cargo registry and target uses: actions/cache@v4 
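Review bot: The Windows step's comment, "rustup will install it on first invocation", contradicts the composite actions in this same patch, which state that rustup >=1.28 no longer auto-installs the active toolchain. Whether `rustup show active-toolchain` exits non-zero for a pinned but uninstalled toolchain is not something the hunk establishes, so the `||` fallback may never fire and the release binary could be built with whatever toolchain the runner image carries. Running `rustup toolchain install` unconditionally, as the Linux and macOS paths do, removes the doubt: replace the line with `rustup toolchain install` and update the comment to match.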
@@ -195,17 +213,12 @@ jobs: restore-keys: | ${{ runner.os }}-release-bin-${{ matrix.target }}- - - name: Install protoc + - name: Install protoc (Windows) + if: runner.os == 'Windows' uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - - name: Install libclang (Ubuntu) - if: runner.os == 'Linux' - run: | - sudo apt-get update -yqq - sudo apt-get install -yqq --no-install-recommends libclang-dev - - name: Set LIBCLANG_PATH (Windows) if: runner.os == 'Windows' shell: bash @@ -330,15 +343,10 @@ jobs: with: ref: ${{ needs.create-tag.outputs.version }} - - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable - - - name: Install dependencies - run: | - sudo apt-get update -yqq - sudo apt-get install -yqq --no-install-recommends \ - libclang-dev \ - protobuf-compiler + # `cargo publish` needs the toolchain pinned in rust-toolchain.toml to be + # actually installed on the runner; the composite action handles that + # (rustup >=1.28 no longer auto-installs the active toolchain). + - uses: ./.github/actions/ubuntu - name: Publish to crates.io run: | diff --git a/Cargo.toml b/Cargo.toml index a7b8668..f074a50 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,15 +1,15 @@ [package] -name = "quantus-cli" -version = "1.3.3" -edition = "2021" authors = ["Quantus Network"] -license = "Apache-2.0" +categories = ["api-bindings", "command-line-utilities", "cryptography"] description = "Command line interface and library for interacting with the Quantus Network" +edition = "2021" homepage = "https://quantus.com" -repository = "https://github.com/Quantus-Network/quantus-cli" keywords = ["blockchain", "cli", "crypto", "quantum", "quantus-network"] -categories = ["api-bindings", "command-line-utilities", "cryptography"] +license = "Apache-2.0" +name = "quantus-cli" readme = "README.md" +repository = "https://github.com/Quantus-Network/quantus-cli" +version = "1.3.3" [lib] name = "quantus_cli" 
@@ -37,26 +37,26 @@ colored = "3.0" indicatif = "0.17" # Additional utilities -sha2 = "0.10" -hex = "0.4" chrono = { version = "0.4", features = ["serde"] } dirs = "6.0" +hex = "0.4" rpassword = "7.4" +sha2 = "0.10" # Quantum-Safe Encryption +aes-gcm = "0.10" # AES-256-GCM (quantum-safe with 256-bit keys) argon2 = "0.5" # Password-based key derivation (quantum-safe) rand = "0.9" -aes-gcm = "0.10" # AES-256-GCM (quantum-safe with 256-bit keys) # Quantus crypto dependencies (aligned with chain) -qp-rusty-crystals-dilithium = { version = "2.4.0" } -qp-rusty-crystals-hdwallet = { version = "2.3.1" } qp-dilithium-crypto = { version = "0.3.1", features = ["serde"] } qp-poseidon = { version = "1.4.0" } +qp-rusty-crystals-dilithium = { version = "2.4.0" } +qp-rusty-crystals-hdwallet = { version = "2.3.1" } # HTTP client for Subsquid queries -reqwest = { version = "0.12", features = ["json", "rustls-tls"], default-features = false } blake3 = "1.8" +reqwest = { version = "0.12", features = ["json", "rustls-tls"], default-features = false } # Force patched version of bytes (RUSTSEC-2026-0007) bytes = "1.11.1" @@ -69,9 +69,9 @@ rustls-webpki = "0.103.12" # Blockchain deps: align with chain workspace; use chain primitives for qp-dilithium-crypto so sp-* versions match codec = { package = "parity-scale-codec", version = "3.7", features = ["derive"] } +jsonrpsee = { version = "0.24", features = ["client"] } sp-core = { version = "39.0.0" } sp-runtime = { version = "45.0.0" } -jsonrpsee = { version = "0.24", features = ["client"] } # Subxt: latest 0.44.x (bug fixes; compatible with sp-core 39 / scale-codec 3.6) subxt = "0.44" 
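Review bot: Sorting the keys leaves the comment `# HTTP client for Subsquid queries` directly above `blake3 = "1.8"` instead of `reqwest`, so it now describes the wrong dependency. With `reorder_keys = true` the formatter will keep sorting inside each blank-line-separated group, so the durable fix is to separate `blake3` from that group with a blank line (or move it under "Additional utilities") so that the comment sits directly above `reqwest` again. The security-pin comments for `bytes`, `quinn-proto` and `rustls-webpki` are each in their own group and are unaffected.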
@@ -81,13 +81,13 @@ subxt-metadata = "0.44" anyhow = "1.0" qp-plonky2 = { version = "1.4.1", default-features = false, features = ["rand", "std"] } +qp-wormhole-aggregator = { version = "2.0.1", default-features = false, features = ["rayon", "std"] } qp-wormhole-circuit = { version = "2.0.1", default-features = false, features = ["std"] } +qp-wormhole-circuit-builder = { version = "2.0.1" } +qp-wormhole-inputs = { version = "2.0.1", default-features = false, features = ["std"] } qp-wormhole-prover = { version = "2.0.1", default-features = false, features = ["std"] } qp-wormhole-verifier = { version = "2.0.1", default-features = false, features = ["std"] } -qp-wormhole-aggregator = { version = "2.0.1", default-features = false, features = ["rayon", "std"] } -qp-wormhole-inputs = { version = "2.0.1", default-features = false, features = ["std"] } qp-zk-circuits-common = { version = "2.0.1", default-features = false, features = ["std"] } -qp-wormhole-circuit-builder = { version = "2.0.1" } [build-dependencies] @@ -96,9 +96,9 @@ qp-poseidon-core = "1.4.0" qp-wormhole-circuit-builder = { version = "2.0.1" } [dev-dependencies] -tempfile = "3.8.1" -serial_test = "3.1" qp-poseidon-core = "1.4.0" +serial_test = "3.1" +tempfile = "3.8.1" # Optimize build scripts and their dependencies in dev mode. # This is critical for circuit generation which is CPU-intensive. diff --git a/rust-toolchain b/rust-toolchain.toml similarity index 77% rename from rust-toolchain rename to rust-toolchain.toml index 92a57c5..7864ec2 100644 --- a/rust-toolchain +++ b/rust-toolchain.toml @@ -1,4 +1,4 @@ [toolchain] -channel = "stable" +channel = "1.93.0" components = ["clippy", "rustfmt"] profile = "minimal" diff --git a/taplo.toml b/taplo.toml index e8bcfa1..de3c77b 100644 --- a/taplo.toml +++ b/taplo.toml 
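Review bot: The pinned `channel = "1.93.0"` lists only `clippy` and `rustfmt`, while both composite actions add `rust-src` and the `wasm32-unknown-unknown` target with separate `rustup` commands after `rustup toolchain install`. Declaring them here, `components = ["clippy", "rust-src", "rustfmt"]` and `targets = ["wasm32-unknown-unknown"]`, makes the action comment ("installs the channel + every component/target listed in the file") true and gives local builds the same toolchain as CI. The actions also run `rustup component add rustfmt --toolchain nightly`, which floats with each nightly and is not covered by this pin; a dated nightly would make format checks reproducible.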
@@ -1,12 +1,17 @@ # all options https://taplo.tamasfe.dev/configuration/formatter-options.html -# global rules +# This is a taplo configuration file. +# For more information, see: https://taplo.tamasfe.dev/configuration/ +exclude = ["**/target/**"] +include = ["**/*.toml"] + [formatting] -reorder_arrays = true -inline_table_expand = false -array_auto_expand = true array_auto_collapse = false +array_auto_expand = true indent_string = " " # tab +inline_table_expand = false +reorder_arrays = true +reorder_keys = true [[rule]] include = ["Cargo.toml"] From 28eac13cceae12736277f1bcfd69c9966f80ff0e Mon Sep 17 00:00:00 2001 From: Cezary Olborski Date: Mon, 27 Apr 2026 13:15:38 +0800 Subject: [PATCH 2/6] fix: Security audit - dependency update --- Cargo.lock | 4 ++-- Cargo.toml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index add5cc9..733b618 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4401,9 +4401,9 @@ checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f" [[package]] name = "rustls-webpki" -version = "0.103.12" +version = "0.103.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8279bb85272c9f10811ae6a6c547ff594d6a7f3c6c6b02ee9726d1d0dcfcdd06" +checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e" dependencies = [ "ring", "rustls-pki-types", diff --git a/Cargo.toml b/Cargo.toml index f074a50..b052671 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -64,8 +64,8 @@ bytes = "1.11.1" # Force patched version of quinn-proto (RUSTSEC-2026-0037) quinn-proto = "0.11.14" -# Force patched version of rustls-webpki (RUSTSEC-2026-0098, RUSTSEC-2026-0099) -rustls-webpki = "0.103.12" +# Force patched version of rustls-webpki (RUSTSEC-2026-0098, RUSTSEC-2026-0099, RUSTSEC-2026-0104) +rustls-webpki = "0.103.13" # Blockchain deps: align with chain workspace; use chain primitives for qp-dilithium-crypto so sp-* versions match codec = { package = "parity-scale-codec", version = "3.7", features = ["derive"] } From 2e59abfc6da1ceac910e1fa2574b5d3817be2877 Mon Sep 17 00:00:00 2001 From: Cezary Olborski Date: Sun, 3 May 2026 06:32:47 +0800 Subject: [PATCH 3/6] fix: Merge fix --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index b052671..28ea575 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -9,7 +9,7 @@ license = "Apache-2.0" name = "quantus-cli" readme = "README.md" repository = "https://github.com/Quantus-Network/quantus-cli" -version = "1.3.3" +version = "1.3.4" [lib] name = "quantus_cli" From b95555b8b696e6a3fdf6d131a50afd5b0caccb76 Mon Sep 17 00:00:00 2001 From: Cezary Olborski Date: Sun, 3 May 2026 06:59:12 +0800 Subject: [PATCH 4/6] fix: CI dependencies udpated and continue on error unified --- .github/workflows/ci.yml | 56 ++++++++++++++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b9f27e5..4e570ae 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,8 +34,9 @@ jobs: fast-checks: name: 🏁 Fast Checks (Format) runs-on: ubuntu-latest + timeout-minutes: 15 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: ./.github/actions/ubuntu - name: Install taplo run: cargo install taplo-cli --locked 
@@ -56,13 +57,23 @@ jobs: - ubuntu-latest - macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Setup Ubuntu if: matrix.os == 'ubuntu-latest' uses: ./.github/actions/ubuntu - name: Setup macOS if: matrix.os == 'macos-latest' uses: ./.github/actions/macos + - name: Cache cargo registry & target + uses: actions/cache@v5 + with: + path: | + ~/.cargo/registry + ~/.cargo/git + target + key: ${{ runner.os }}-cargo-build-${{ hashFiles('**/Cargo.lock', 'rust-toolchain.toml') }} + restore-keys: | + ${{ runner.os }}-cargo-build- - name: Build (all targets) run: cargo build --locked - name: Build (library only) @@ -76,8 +87,18 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: ./.github/actions/ubuntu + - name: Cache cargo registry & target + uses: actions/cache@v5 + with: + path: | + ~/.cargo/registry + ~/.cargo/git + target + key: ${{ runner.os }}-cargo-analysis-${{ hashFiles('**/Cargo.lock', 'rust-toolchain.toml') }} + restore-keys: | + ${{ runner.os }}-cargo-analysis- - name: Run clippy (all targets) run: SKIP_CIRCUIT_BUILD=1 cargo clippy --all-targets --locked -- -D warnings - name: Run clippy (library only) 
@@ -88,15 +109,34 @@ jobs: run: SKIP_CIRCUIT_BUILD=1 cargo doc --locked --no-deps --document-private-items security-audit: - name: 🔒 Security Audit + name: 🔐 Security Audit (non-blocking) needs: fast-checks runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 + - name: Cache cargo-audit binary + uses: actions/cache@v5 + with: + path: ~/.cargo/bin/cargo-audit + key: cargo-audit-bin-${{ runner.os }}-0.22.1 + - name: Cache RustSec advisory database + uses: actions/cache@v5 + with: + path: ~/.cargo/advisory-db + key: cargo-advisory-db-${{ runner.os }}-${{ github.run_id }} + restore-keys: | + cargo-advisory-db-${{ runner.os }}- - name: Install cargo-audit - run: cargo install cargo-audit --locked - - name: Run security audit + run: | + if ! command -v cargo-audit >/dev/null 2>&1; then + cargo install cargo-audit --locked --version 0.22.1 + fi + - name: Run cargo audit (informational only) + # Only this step is non-blocking — every other step in this job + # (checkout, caches, cargo-audit install) must fail loudly so we + # don't silently skip the audit. + continue-on-error: true run: cargo audit examples: @@ -105,7 +145,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 30 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: ./.github/actions/ubuntu - name: Build examples run: cargo build --examples --locked From 4cfb904751ddbd535d8d4b3469ad2cbb5d4ecc4d Mon Sep 17 00:00:00 2001 From: Ethan Cemer Date: Sun, 3 May 2026 22:10:27 -0500 Subject: [PATCH 5/6] *fix exit before rust setup --- .github/actions/macos/action.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/actions/macos/action.yml b/.github/actions/macos/action.yml index d0bc8f8..1f2adb1 100644 --- a/.github/actions/macos/action.yml +++ b/.github/actions/macos/action.yml 
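Review bot: `continue-on-error: true` on the `cargo audit` step makes the job report success when advisories are found, so a vulnerable dependency no longer blocks a pull request and is visible only to someone who opens the step log. Keeping the step blocking and listing triaged advisories explicitly preserves the gate, e.g. `run: cargo audit --ignore RUSTSEC-XXXX-XXXX` (placeholder id), with a comment giving the reason for each ignore. If the step has to stay informational, the comment in codeql.yml that calls this audit the authoritative source for known CVEs should be updated, and the release workflow's audit job should remain blocking so that a flagged dependency cannot reach a published crate.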
@@ -17,11 +17,15 @@ runs: if [ "$OK" -ne 1 ]; then echo "::error::brew install protobuf llvm failed after 3 attempts"; exit 1; fi curl https://sh.rustup.rs -sSf | sh -s -- -y brew uninstall cmake - brew install openssl cmake 2>&1 | sed '/already installed and up-to-date/d'; exit "${PIPESTATUS[0]:-$?}" - # Unconditionally install the toolchain pinned in rust-toolchain.toml - # (rustup >=1.28 no longer auto-installs the active toolchain, and - # `rustup update` only refreshes already-installed toolchains). - # This installs the channel + every component/target listed in the file. + set +e + brew install openssl cmake 2>&1 | sed '/already installed and up-to-date/d' + brew_status=${PIPESTATUS[0]} + set -e + + if [ "$brew_status" -ne 0 ]; then + exit "$brew_status" + fi + rustup toolchain install rustup target add wasm32-unknown-unknown rustup component add rustfmt --toolchain nightly From 49eca4d424df37484745404d4f8975901d7b82fd Mon Sep 17 00:00:00 2001 From: Ethan Date: Tue, 5 May 2026 20:02:59 -0500 Subject: [PATCH 6/6] *fmt --- Cargo.lock | 42 ++++++++++++++++++++++++++++++++++++++++++ Cargo.toml | 2 +- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index ccc5154..5897ea0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3969,6 +3969,7 @@ dependencies = [ "rustls-webpki", "serde", "serde_json", + "serial_test", "sha2 0.10.9", "sp-core", "sp-runtime", @@ -4571,6 +4572,15 @@ dependencies = [ "yap", ] +[[package]] +name = "scc" +version = "2.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "46e6f046b7fef48e2660c57ed794263155d713de679057f2d0c169bfc6e756cc" +dependencies = [ + "sdd", +] + [[package]] name = "schannel" version = "0.1.29" 
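Review bot: The four-line comment explaining why `rustup toolchain install` runs unconditionally is removed here together with the faulty `exit`, while the ubuntu action keeps it; restoring it above `rustup toolchain install` keeps the two actions documented the same way. As far as I know, a step with `shell: bash` is run with `-e -o pipefail`, in which case `brew install openssl cmake 2>&1 | sed '/already installed and up-to-date/d'` on its own already fails the step when brew fails and the `set +e` / `PIPESTATUS` / `set -e` sequence is not needed. The `run:` block starts outside this hunk.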
@@ -4616,6 +4626,12 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" +[[package]] +name = "sdd" +version = "3.0.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "490dcfcbfef26be6800d11870ff2df8774fa6e86d047e3e8c8a76b25655e41ca" + [[package]] name = "sec1" version = "0.7.3" @@ -4786,6 +4802,32 @@ dependencies = [ "serde", ] +[[package]] +name = "serial_test" +version = "3.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "911bd979bf1070a3f3aa7b691a3b3e9968f339ceeec89e08c280a8a22207a32f" +dependencies = [ + "futures-executor", + "futures-util", + "log", + "once_cell", + "parking_lot", + "scc", + "serial_test_derive", +] + +[[package]] +name = "serial_test_derive" +version = "3.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0a7d91949b85b0d2fb687445e448b40d322b6b3e4af6b44a29b21d9a5f33e6d9" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.117", +] + [[package]] name = "sha1" version = "0.10.6" diff --git a/Cargo.toml b/Cargo.toml index 30650b9..28ea575 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -96,9 +96,9 @@ qp-poseidon-core = "1.4.0" qp-wormhole-circuit-builder = { version = "2.0.1" } [dev-dependencies] -tempfile = "3.8.1" qp-poseidon-core = "1.4.0" serial_test = "3.1" +tempfile = "3.8.1" # Optimize build scripts and their dependencies in dev mode. # This is critical for circuit generation which is CPU-intensive.