Merge branch 'main' into spike/noble-usdc

* main: (34 commits)
  feat(proto): add bundle and optimistic block apis (#1519)
  feat(sequencer)!: make empty transactions invalid  (#1609)
  chore(sequencer): simplify boolean expressions in `transaction container` (#1595)
  refactor(cli): merge argument parsing and command execution (#1568)
  feat(charts): astrotrek chart (#1513)
  chore(charts): genesis template to support latest changes (#1594)
  fix(ci): code freeze action fix (#1610)
  chore(sequencer)!: exclusively use Borsh encoding for stored data (ENG-768) (#1492)
  ci: code freeze through github actions (#1588)
  refactor(sequencer): use builder pattern for transaction container tests (#1592)
  feat(conductor)!: implement chain ID checks (#1482)
  chore(ci): upgrade audit-check (#1577)
  feat(sequencer)!: transaction categories on UnsignedTransaction (#1512)
  fix(charts): sequencer prometheus rules   (#1598)
  chore(all): Migrate all instances of `#[allow]` to `#[expect]` (#1561)
  chore(charts,sequencer-faucet): asset precision (#1517)
  chore(docs): endpoints (#1543)
  fix(docker): use target binary build param as name of image entrypoint (#1573)
  fix(ci): ibc bridge test timeout (#1587)
  Feature: Add `graph-node` to charts. (#1489)
  ...

.github/code-freeze-filter.yaml

@@ -0,0 +1,18 @@
+# Each component that is being frozen should have a section in this file.
+# The `changed` section should pull all the files that are changed
+# in order to put an error on the given file if it is changed.
+
+# Please provide a reasoning for each component that is frozen.
+
+# Frozen for audit.
+conductor: &conductor
+  - crates/astria-conductor/src/**
+# Frozen for audit.
+sequencer-relayer: &sequencer-relayer
+  - crates/astria-sequencer-relayer/src/**
+
+# if new components are added above update the list below to get better
+# gh pr level visibility into which files are frozen.
+changed:
+  - *conductor
+  - *sequencer-relayer

.github/workflows/code-freeze.yml

@@ -0,0 +1,60 @@
+name: Code Freeze
+on:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - labeled
+      - unlabeled
+    branches:
+      - main
+
+jobs:
+  code_freeze:
+    name: Code Freeze
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Filter Check
+        id: filters
+        uses: dorny/paths-filter@v3
+        with:
+          list-files: shell
+          filters: .github/code-freeze-filter.yaml
+      - name: Output Failure
+        if: steps.filters.outputs.changes != '[]' && !contains(github.event.pull_request.labels.*.name, 'override-freeze')
+        run: |
+          TITLE="Code Freeze in Effect"
+          LEGIBLE_CHANGES=$(echo "${{ steps.filters.outputs.changes }}" | sed 's/,changed//g' | sed 's/,/, /g' | sed 's/[][]//g')
+          echo "### ${TITLE}" >> $GITHUB_STEP_SUMMARY
+          echo "This PR updates the following components which are code frozen: ${LEGIBLE_CHANGES}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "The following files are modified and frozen:" >> $GITHUB_STEP_SUMMARY
+          FILES="${{ steps.filters.outputs.changed_files }}"
+          FILE_MESSAGE="This file is under code freeze."
+          for FILE in $FILES; do
+            echo " - ${FILE}" >> $GITHUB_STEP_SUMMARY
+            echo "::error file=$FILE,title=$TITLE::$FILE_MESSAGE"
+          done
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Freeze can be overriden by adding the 'override-freeze' label to the PR." >> $GITHUB_STEP_SUMMARY
+          exit 1
+      - name: Output Bypass
+        if: steps.filters.outputs.changes != '[]' && contains(github.event.pull_request.labels.*.name, 'override-freeze')
+        run: |
+          TITLE="Code Freeze in Effect - Bypassed"
+          LEGIBLE_CHANGES=$(echo "${{ steps.filters.outputs.changes }}" | sed 's/,changed//g' | sed 's/,/, /g' | sed 's/[][]//g')
+          echo "### ${TITLE}" >> $GITHUB_STEP_SUMMARY
+          echo "This PR updates the following components which are code frozen: ${LEGIBLE_CHANGES}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "The following files are modified and frozen:" >> $GITHUB_STEP_SUMMARY
+          FILES="${{ steps.filters.outputs.changed_files }}"
+          FILE_MESSAGE="This file is under code freeze."
+          for FILE in $FILES; do
+            echo " - ${FILE}" >> $GITHUB_STEP_SUMMARY
+            echo "::warning file=$FILE,title=$TITLE::$FILE_MESSAGE"
+          done
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Freeze has been overriden by adding the 'override-freeze' label to the PR." >> $GITHUB_STEP_SUMMARY
+          exit 0

.github/workflows/docker-build.yml

@@ -17,6 +17,7 @@ on:
           - sequencer
           - sequencer-relayer
           - evm-bridge-withdrawer
+          - cli
   merge_group:
   push:
     branches:
@@ -118,8 +119,23 @@ jobs:
       force: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.target == 'evm-bridge-withdrawer' }}
     secrets: inherit
 
+  cli:
+    needs: run_checker
+    if: needs.run_checker.outputs.run_docker == 'true' || (github.event_name == 'workflow_dispatch' && github.event.inputs.target == 'cli')
+    uses: "./.github/workflows/reusable-docker-build.yml"
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    with:
+      depot-project-id: kcchkd09m0
+      package-name: astria-cli
+      binary-name: cli
+      tag: ${{ inputs.tag }}
+    secrets: inherit
+
   smoke-test:
-    needs: [run_checker, composer, conductor, sequencer, sequencer-relayer, evm-bridge-withdrawer]
+    needs: [run_checker, composer, conductor, sequencer, sequencer-relayer, evm-bridge-withdrawer, cli]
     if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == 'astriaorg/astria') && (github.event_name == 'merge_group' || needs.run_checker.outputs.run_docker == 'true')
     runs-on: buildjet-8vcpu-ubuntu-2204
     steps:
@@ -130,9 +146,6 @@ jobs:
         uses: helm/kind-action@v1
         with:
           install_only: true
-      - name: Install astria cli (rust)
-        run: |
-          just install-cli
       - name: Log in to GHCR
         uses: docker/login-action@v2
         with:
@@ -149,10 +162,12 @@ jobs:
           just deploy smoke-test $TAG
       - name: Run Smoke test
         timeout-minutes: 3
-        run: just run-smoke-test
+        run: |
+          TAG=sha-$(git rev-parse --short HEAD)
+          just run-smoke-test $TAG
 
   smoke-cli:
-    needs: [run_checker, composer, conductor, sequencer, sequencer-relayer, evm-bridge-withdrawer]
+    needs: [run_checker, composer, conductor, sequencer, sequencer-relayer, evm-bridge-withdrawer, cli]
     if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == 'astriaorg/astria') && (github.event_name == 'merge_group' || needs.run_checker.outputs.run_docker == 'true')
     runs-on: buildjet-8vcpu-ubuntu-2204
     steps:
@@ -163,9 +178,6 @@ jobs:
         uses: helm/kind-action@v1
         with:
           install_only: true
-      - name: Install astria cli (rust)
-        run: |
-          just install-cli
       - name: Log in to GHCR
         uses: docker/login-action@v2
         with:
@@ -182,10 +194,12 @@ jobs:
           just deploy smoke-cli $TAG
       - name: Run Smoke test
         timeout-minutes: 3
-        run: just run-smoke-cli
+        run: |
+          TAG=sha-$(git rev-parse --short HEAD)
+          just run-smoke-cli $TAG
 
   ibc-bridge-test:
-    needs: [ run_checker, composer, conductor, sequencer, sequencer-relayer ]
+    needs: [ run_checker, composer, conductor, sequencer, sequencer-relayer, evm-bridge-withdrawer, cli ]
     if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == 'astriaorg/astria') && (github.event_name == 'merge_group' || needs.run_checker.outputs.run_docker == 'true')
     runs-on: buildjet-8vcpu-ubuntu-2204
     steps:
@@ -196,16 +210,14 @@ jobs:
         uses: helm/kind-action@v1
         with:
           install_only: true
-      - name: Install astria cli (rust)
-        run: just install-cli
       - name: Log in to GHCR
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Setup IBC Bridge Test Environment
-        timeout-minutes: 5
+        timeout-minutes: 8
         run: |
           TAG=sha-$(git rev-parse --short HEAD)
           just deploy cluster
@@ -214,11 +226,13 @@ jobs:
           just ibc-test deploy $TAG
       - name: Run IBC ICS20 Transfer test
         timeout-minutes: 3
-        run: just ibc-test run
+        run: |
+          TAG=sha-$(git rev-parse --short HEAD)
+          just ibc-test run $TAG
 
   docker:
     if: ${{ always() && !cancelled() }}
-    needs: [composer, conductor, sequencer, sequencer-relayer, evm-bridge-withdrawer, smoke-test, smoke-cli, ibc-bridge-test]
+    needs: [composer, conductor, sequencer, sequencer-relayer, evm-bridge-withdrawer, cli, smoke-test, smoke-cli, ibc-bridge-test]
     uses: ./.github/workflows/reusable-success.yml
     with:
       success: ${{ !contains(needs.*.result, 'failure') }}

.github/workflows/lint.yml

@@ -53,10 +53,10 @@ jobs:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: nightly-2024-02-07
+          toolchain: nightly-2024-09-15
           components: rustfmt
       - name: run rustfmt
-        run: cargo fmt --all -- --check
+        run: cargo +nightly-2024-09-15 fmt --all -- --check
 
   toml:
     runs-on: ubuntu-22.04

.github/workflows/reusable-build.yml

@@ -13,6 +13,8 @@ on:
 env:
   REGISTRY: ghcr.io
   FULL_REF: ${{ inputs.tag && format('refs/tags/{0}', inputs.tag) || github.ref }}
+  # This must match the entry in rust-toolchain.toml at the repository root
+  RUSTUP_TOOLCHAIN: "1.81.0"
 
 jobs:
   upload-binaries:
@@ -34,7 +36,9 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ inputs.tag }}
-      - uses: dtolnay/[email protected]
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUSTUP_TOOLCHAIN }}
       - uses: arduino/setup-protoc@v3
         with:
           version: "24.4"

.github/workflows/scheduled.yml

@@ -11,6 +11,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: rustsec/audit-check@v1.4.1
+      - uses: rustsec/audit-check@v2.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -2,6 +2,9 @@ name: Test
 env:
   CI: true
   RUSTFLAGS: "-D warnings -D unreachable-pub --cfg tokio_unstable"
+
+  # This must match the entry in rust-toolchain.toml at the repository root
+  RUSTUP_TOOLCHAIN: "1.81.0"
 on:
   pull_request:
   merge_group:
@@ -26,7 +29,9 @@ jobs:
           version: "1.32.0"
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install Rust toolchain
-        uses: dtolnay/[email protected]
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUSTUP_TOOLCHAIN }}
       - uses: Swatinem/[email protected]
         with:
           cache-provider: "buildjet"
@@ -51,7 +56,9 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Install Rust toolchain
-        uses: dtolnay/[email protected]
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUSTUP_TOOLCHAIN }}
       - uses: Swatinem/[email protected]
         with:
           cache-provider: "buildjet"
@@ -77,7 +84,9 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'true'
-      - uses: dtolnay/[email protected]
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUSTUP_TOOLCHAIN }}
       - uses: taiki-e/[email protected]
         with:
           tool: [email protected]
@@ -100,7 +109,9 @@ jobs:
     if: needs.run_checker.outputs.run_tests == 'true'
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/[email protected]
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUSTUP_TOOLCHAIN }}
       - uses: Swatinem/[email protected]
         with:
           cache-provider: "github"
@@ -113,8 +124,10 @@ jobs:
     if: needs.run_checker.outputs.run_audit == 'true'
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/[email protected]
-      - uses: rustsec/[email protected]
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUSTUP_TOOLCHAIN }}
+      - uses: rustsec/[email protected]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -126,7 +139,9 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'true'
-      - uses: dtolnay/[email protected]
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUSTUP_TOOLCHAIN }}
       - uses: Swatinem/[email protected]
         with:
           cache-provider: "buildjet"
@@ -154,7 +169,9 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'true'
-      - uses: dtolnay/[email protected]
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUSTUP_TOOLCHAIN }}
       - uses: Swatinem/[email protected]
         with:
           cache-provider: "buildjet"
@@ -179,7 +196,9 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'true'
-      - uses: dtolnay/[email protected]
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUSTUP_TOOLCHAIN }}
       - uses: Swatinem/[email protected]
         with:
           cache-provider: "buildjet"
@@ -198,8 +217,9 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'true'
-      - uses: dtolnay/rust-toolchain@1.78.0
+      - uses: dtolnay/rust-toolchain@master
         with:
+          toolchain: ${{ env.RUSTUP_TOOLCHAIN }}
           components: clippy
       - uses: Swatinem/[email protected]
         with:
@@ -211,7 +231,9 @@ jobs:
       - name: run pedantic clippy on workspace crates
         run: |
           cargo clippy --all-targets --all-features \
-          -- --warn clippy::pedantic --warn clippy::arithmetic-side-effects --deny warnings
+          -- --warn clippy::pedantic --warn clippy::arithmetic-side-effects \
+          --warn clippy::allow_attributes --warn clippy::allow_attributes_without_reason \
+          --deny warnings
       - name: run pedantic clippy on tools/protobuf-compiler
         run: |
           cargo clippy --manifest-path tools/protobuf-compiler/Cargo.toml \
@@ -226,24 +248,25 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'true'
-      - uses: dtolnay/rust-toolchain@v1
+      - uses: dtolnay/rust-toolchain@master
         with:
           # This has to match `rust-toolchain` in the rust-toolchain file of the dylint lints
-          toolchain: nightly-2023-12-28
-          components: "clippy, llvm-tools-preview, rustc-dev"
+          toolchain: nightly-2024-09-05
+          components: "clippy, llvm-tools-preview, rustc-dev, rust-src"
       - uses: Swatinem/[email protected]
         with:
           cache-provider: "buildjet"
       - name: install cargo-dylint and dylint-link
-        run: cargo install cargo-dylint@2.6.1 dylint-link@2.6.1 --locked
+        run: cargo install cargo-dylint@3.2.0 dylint-link@3.2.0 --locked
       - uses: arduino/setup-protoc@v3
         with:
           version: "24.4"
           repo-token: ${{ secrets.GITHUB_TOKEN }}
       - name: run clippy against custom lints
         run: |
           : # list all lint packages here to have clippy explicitly test them
-          cargo clippy --all-targets --all-features \
+          : # uses the same nightly installed above to work around the entry in rust-toolchain.toml 
+          cargo +nightly-2024-09-05 clippy --all-targets --all-features \
           -p tracing_debug_field \
           -- --warn clippy::pedantic --deny warnings
       - name: run dylint clippy on workspace crates