From e3ab65ceafdfb8aad9433cee7af69d01003f77b0 Mon Sep 17 00:00:00 2001
From: "C.Lee Taylor" <47312074+leet4tari@users.noreply.github.com>
Date: Mon, 7 Oct 2024 12:36:05 +0200
Subject: [PATCH] chore(ci): modernise and fix audit plus add file license check (#72)

---
 .github/ISSUE_TEMPLATE/bug_report.md | 36 +++++++++++
 .github/PULL_REQUEST_TEMPLATE.md | 27 ++++++++
 .github/workflows/audit.yml | 35 ++++++++--
 .github/workflows/ci.yml | 64 +++++++++++++++++--
 .github/workflows/cov.yml | 2 +-
 .github/workflows/pr_signed_commits_check.yml | 24 +++++++
 .github/workflows/pr_title.yml | 7 +-
 .license.ignore | 0
 fuzz/fuzz_targets/randomx_alloc_cache.rs | 3 +
 ...andomx_create_vm_with_cache_and_dataset.rs | 3 +
 .../randomx_create_vm_with_cache_only.rs | 3 +
 ...m_calculate_hash_with_cache_and_dataset.rs | 3 +
 ...ndomx_vm_calculate_hash_with_cache_only.rs | 3 +
 code_coverage.sh => scripts/code_coverage.sh | 0
 scripts/file_license_check.sh | 45 +++++++++++++
 15 files changed, 244 insertions(+), 11 deletions(-)
 create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
 create mode 100644 .github/PULL_REQUEST_TEMPLATE.md
 create mode 100644 .github/workflows/pr_signed_commits_check.yml
 create mode 100644 .license.ignore
 rename code_coverage.sh => scripts/code_coverage.sh (100%)
 create mode 100755 scripts/file_license_check.sh

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..c403e78
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,36 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[TITLE]"
+labels: 'bug-report'
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS & Version: [e.g. iOS 10.2.1]
+ - Browser & Version [e.g. chrome v71.0.12345]
+
+**Smartphone (please complete the following information):**
+ - Device: [e.g. iPhone6]
+ - OS: [e.g. iOS8.1]
+ - Browser & Version [e.g. stock browser v0.1.2]
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..ac0792f
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,27 @@
+Description
+---
+
+Motivation and Context
+---
+
+How Has This Been Tested?
+---
+
+What process can a PR reviewer use to test or verify this change?
+---
+
+
+
+
+
+Breaking Changes
+---
+
+- [x] None
+- [ ] Requires data directory on base node to be deleted
+- [ ] Requires hard fork
+- [ ] Other - Please specify
+
+
+
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 6bd0b68..56868cd 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -1,18 +1,43 @@ --- -name: Security audit +name: Security audit - daily 'on': push: - pull_request: + paths: + # Run if workflow changes + - '.github/workflows/audit.yml' + # Run on changed dependencies + - '**/Cargo.toml' + - '**/Cargo.lock' + # Run if the configuration file changes + - '**/audit.toml' + # Rerun periodicly to pick up new advisories schedule: - - cron: "43 04 * * *" + - cron: '43 05 * * *' + # Run manually + workflow_dispatch: + +env: + toolchain: nightly-2022-11-03 jobs: security_audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + submodules: "true" + + - name: toolchain + uses: dtolnay/rust-toolchain@nightly + with: + toolchain: ${{ env.toolchain }} + components: rustfmt, clippy + + - name: cargo check + run: | + cargo check - - uses: rustsec/audit-check@v1.4.1 + - uses: rustsec/audit-check@v2.0.0 with: - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 53cc5e5..6d91d3b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,15 +1,32 @@ --- name: CI -'on': [push, pull_request] +'on': + workflow_dispatch: + push: + branches: + - "ci-*" + pull_request: + types: + - opened + - reopened + - synchronize + merge_group: env: toolchain: nightly-2022-11-03 +concurrency: + # https://docs.github.com/en/actions/examples/using-concurrency-expressions-and-a-test-matrix + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/v') || github.ref != 'refs/heads/development' || github.ref != 'refs/heads/nextnet' || github.ref != 'refs/heads/stagenet' }} + +permissions: {} + jobs: clippy: name: clippy - runs-on: ubuntu-latest + runs-on: [ ubuntu-latest ] steps: - name: checkout uses: actions/checkout@v4 
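Review bot: audit.yml still has no top-level `permissions:` block after this rewrite, while ci.yml and pr_signed_commits_check.yml in the same commit start from `permissions: {}`; rustsec/audit-check reports through check runs and, on scheduled or manual runs, issues, so the job should declare the scopes it needs (as far as I recall `contents: read`, `checks: write`, `issues: write` — confirm against the v2 README) rather than inherit the repository default. `dtolnay/rust-toolchain@nightly` and `rustsec/audit-check@v2.0.0` are both mutable refs, and since `toolchain: ${{ env.toolchain }}` already fixes the channel, pinning each to a commit SHA with the tag in a trailing comment (`uses: rustsec/audit-check@<commit-sha> # v2.0.0`) removes the moving target. The added comment `# Rerun periodicly to pick up new advisories` should read `# Rerun periodically to pick up new advisories`. The final `token:` line drops the trailing newline (`\ No newline at end of file`), which yamllint flags.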
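Review bot: The `cancel-in-progress` expression in the new `concurrency` block of ci.yml is always true: `github.ref != 'refs/heads/development' || github.ref != 'refs/heads/nextnet' || github.ref != 'refs/heads/stagenet'` cannot be false because a ref equals at most one of them, so the tag and branch exemptions it appears to intend never apply and runs on those branches are cancelled like any other. If the intent is to protect release tags and those three branches, the condition is `cancel-in-progress: ${{ !(startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/development' || github.ref == 'refs/heads/nextnet' || github.ref == 'refs/heads/stagenet') }}`. The same expression is copied into pr_signed_commits_check.yml in this commit and needs the same fix. `permissions: {}` at the top and the explicit `pull_request` event types are the right defaults; the clippy job's steps continue outside the hunk.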
@@ -23,7 +40,7 @@ jobs: components: rustfmt, clippy - name: Cache rust dependencies - uses: Swatinem/rust-cache@v2 + uses: swatinem/rust-cache@v2 - name: cargo fmt run: | @@ -37,9 +54,48 @@ jobs: run: | cargo lints clippy --all-targets --all-features + machete: + # Checks for unused dependencies. + name: machete + runs-on: [ ubuntu-latest ] + steps: + - name: checkout + uses: actions/checkout@v4 + with: + submodules: "true" + + - name: toolchain + uses: dtolnay/rust-toolchain@master + with: + toolchain: ${{ env.toolchain }} + components: clippy, rustfmt + + - name: Cache rust dependencies + uses: swatinem/rust-cache@v2 + + - name: cargo machete + run: | + cargo install cargo-machete + cargo machete + + file-licenses: + name: file-licenses + runs-on: [ ubuntu-latest ] + steps: + - name: checkout + uses: actions/checkout@v4 + - name: install ripgrep + run: | + # https://github.com/BurntSushi/ripgrep/releases/download/14.1.1/ripgrep_14.1.1-1_amd64.deb.sha256 + wget -v https://github.com/BurntSushi/ripgrep/releases/download/14.1.1/ripgrep_14.1.1-1_amd64.deb + sudo dpkg -i ripgrep_14.1.1-1_amd64.deb + rg --version || exit 1 + - name: run the license check + run: ./scripts/file_license_check.sh + build: name: build - runs-on: ubuntu-latest + runs-on: [ ubuntu-latest ] steps: - name: checkout uses: actions/checkout@v4 diff --git a/.github/workflows/cov.yml b/.github/workflows/cov.yml index c55c46c..6609c19 100644 --- a/.github/workflows/cov.yml +++ b/.github/workflows/cov.yml @@ -41,7 +41,7 @@ jobs: env: SKIP_HTML: "1" run: | - /bin/bash -c ./code_coverage.sh + /bin/bash -c ./scripts/code_coverage.sh - name: Coveralls upload uses: coverallsapp/github-action@master diff --git a/.github/workflows/pr_signed_commits_check.yml b/.github/workflows/pr_signed_commits_check.yml new file mode 100644 index 0000000..cd72593 --- /dev/null +++ b/.github/workflows/pr_signed_commits_check.yml 
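Review bot: The `install ripgrep` step in the new `file-licenses` job downloads a .deb with wget and installs it with `sudo dpkg -i` without checking it against the release checksum whose URL is quoted in the comment directly above, so the job installs whatever the download returns. Fetching the `.sha256` alongside and verifying before installing closes that gap: `wget -v https://github.com/BurntSushi/ripgrep/releases/download/14.1.1/ripgrep_14.1.1-1_amd64.deb.sha256` followed by `sha256sum -c ripgrep_14.1.1-1_amd64.deb.sha256` (the release file appears to be in `sha256sum -c` format — confirm once). Recording the expected digest in the workflow itself would be stronger still, since the checksum file comes from the same origin as the .deb. The `machete` job in the same hunk runs an unpinned `cargo install cargo-machete`; `cargo install cargo-machete --version <pinned-version>` keeps that build reproducible too.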
@@ -0,0 +1,24 @@ +--- +# Checks if the comments are signed or not +name: PR - Signed commits check + +'on': + pull_request_target + +concurrency: + # https://docs.github.com/en/actions/examples/using-concurrency-expressions-and-a-test-matrix + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/v') || github.ref != 'refs/heads/development' || github.ref != 'refs/heads/nextnet' || github.ref != 'refs/heads/stagenet' }} + +permissions: {} + +jobs: + check-signed-commits: + name: Check signed commits in PR + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - name: Check signed commits in PR + uses: 1Password/check-signed-commits-action@v1 diff --git a/.github/workflows/pr_title.yml b/.github/workflows/pr_title.yml index ebd6666..ada7f71 100644 --- a/.github/workflows/pr_title.yml +++ b/.github/workflows/pr_title.yml @@ -1,4 +1,6 @@ --- +# Checks that PR titles conform to Conventional Commits +# See https://www.conventionalcommits.org/en/v1.0.0/ for more information name: PR 'on': @@ -9,6 +11,10 @@ name: PR - edited - synchronize +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: check-title: runs-on: ubuntu-latest @@ -17,7 +23,6 @@ jobs: run: | npm install -g @commitlint/cli @commitlint/config-conventional echo "module.exports = {extends: ['@commitlint/config-conventional']}" > commitlint.config.js - - name: lint env: PR_TITLE: ${{github.event.pull_request.title}} diff --git a/.license.ignore b/.license.ignore new file mode 100644 index 0000000..e69de29 diff --git a/fuzz/fuzz_targets/randomx_alloc_cache.rs b/fuzz/fuzz_targets/randomx_alloc_cache.rs index 77877a6..55ea09c 100644 --- a/fuzz/fuzz_targets/randomx_alloc_cache.rs +++ b/fuzz/fuzz_targets/randomx_alloc_cache.rs 
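Review bot: pr_signed_commits_check.yml runs on `pull_request_target` with `pull-requests: write` granted to the job, and its only step is `1Password/check-signed-commits-action@v1`, a mutable major tag; any change to that tag receives a write-scoped token on every incoming PR, so pin it to a commit SHA and keep the tag as a comment (`uses: 1Password/check-signed-commits-action@<commit-sha> # v1`). The job deliberately does not check out PR code, which is the right shape for `pull_request_target`; a comment such as `# Do not add a checkout of the PR head here: pull_request_target runs with base-repo secrets` would keep a later edit from undoing that. The header comment reads `# Checks if the comments are signed or not` and should say commits: `# Checks whether the PR's commits are signed`.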
@@ -1,3 +1,6 @@
+// Copyright 2024 The Tari Project
+// SPDX-License-Identifier: BSD-3-Clause
+
 #![no_main]
 
 use libfuzzer_sys::fuzz_target;
diff --git a/fuzz/fuzz_targets/randomx_create_vm_with_cache_and_dataset.rs b/fuzz/fuzz_targets/randomx_create_vm_with_cache_and_dataset.rs
index 5a485d8..121e648 100644
--- a/fuzz/fuzz_targets/randomx_create_vm_with_cache_and_dataset.rs
+++ b/fuzz/fuzz_targets/randomx_create_vm_with_cache_and_dataset.rs
@@ -1,3 +1,6 @@
+// Copyright 2024 The Tari Project
+// SPDX-License-Identifier: BSD-3-Clause
+
 #![no_main]
 
 use libfuzzer_sys::fuzz_target;
diff --git a/fuzz/fuzz_targets/randomx_create_vm_with_cache_only.rs b/fuzz/fuzz_targets/randomx_create_vm_with_cache_only.rs
index 686fe8f..df4e05a 100644
--- a/fuzz/fuzz_targets/randomx_create_vm_with_cache_only.rs
+++ b/fuzz/fuzz_targets/randomx_create_vm_with_cache_only.rs
@@ -1,3 +1,6 @@
+// Copyright 2024 The Tari Project
+// SPDX-License-Identifier: BSD-3-Clause
+
 #![no_main]
 
 use libfuzzer_sys::fuzz_target;
diff --git a/fuzz/fuzz_targets/randomx_vm_calculate_hash_with_cache_and_dataset.rs b/fuzz/fuzz_targets/randomx_vm_calculate_hash_with_cache_and_dataset.rs
index be21873..e478bcf 100644
--- a/fuzz/fuzz_targets/randomx_vm_calculate_hash_with_cache_and_dataset.rs
+++ b/fuzz/fuzz_targets/randomx_vm_calculate_hash_with_cache_and_dataset.rs
@@ -1,3 +1,6 @@
+// Copyright 2024 The Tari Project
+// SPDX-License-Identifier: BSD-3-Clause
+
 #![no_main]
 
 use libfuzzer_sys::fuzz_target;
diff --git a/fuzz/fuzz_targets/randomx_vm_calculate_hash_with_cache_only.rs b/fuzz/fuzz_targets/randomx_vm_calculate_hash_with_cache_only.rs
index 533fe8f..ef6a122 100644
--- a/fuzz/fuzz_targets/randomx_vm_calculate_hash_with_cache_only.rs
+++ b/fuzz/fuzz_targets/randomx_vm_calculate_hash_with_cache_only.rs
@@ -1,3 +1,6 @@
+// Copyright 2024 The Tari Project
+// SPDX-License-Identifier: BSD-3-Clause
+
 #![no_main]
 
 use libfuzzer_sys::fuzz_target;
diff --git a/code_coverage.sh b/scripts/code_coverage.sh
similarity index 100%
rename from code_coverage.sh
rename to scripts/code_coverage.sh
diff --git a/scripts/file_license_check.sh b/scripts/file_license_check.sh
new file mode 100755
index 0000000..a292fcc
--- /dev/null
+++ b/scripts/file_license_check.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# Must be run from the repo root
+#
+
+set -e
+
+diffparms=${diffparms:-"-u --suppress-blank-empty --strip-trailing-cr --color=never"}
+rgTemp=${rgTemp:-$(mktemp)}
+
+# rg -i "Copyright.*The Tari Project" --files-without-match \
+# -g '!*.{Dockerfile,asc,bat,config,config.js,css,csv,drawio,env,gitkeep,hbs,html,ini,iss,json,lock,md,min.js,ps1,py,rc,scss,sh,sql,svg,toml,txt,yml,vue}' . \
+# | sort > /tmp/rgtemp
+
+# Exclude files without extensions as well as those with extensions that are not in the list
+#
+rg -i "Copyright.*The Tari Project" --files-without-match \
+ --one-file-system --no-follow \
+ -g '!{RandomX}' \
+ -g '!*.{Dockerfile,asc,bat,config,config.js,css,csv,drawio,env,gitkeep,hbs,html,ini,iss,json,lock,md,min.js,ps1,py,rc,scss,sh,sql,svg,toml,txt,yml,vue}' . \
+ | while IFS= read -r file; do
+ if [[ -n $(basename "$file" | grep -E '\.') ]]; then
+ echo "$file"
+ fi
+ done | sort > ${rgTemp}
+
+# Sort the .license.ignore file as sorting seems to behave differently on different platforms
+licenseIgnoreTemp=${licenseIgnoreTemp:-$(mktemp)}
+cat .license.ignore | sort > ${licenseIgnoreTemp}
+
+DIFFS=$( diff ${diffparms} ${licenseIgnoreTemp} ${rgTemp} || true )
+
+# clean up
+rm -vf ${rgTemp}
+rm -vf ${licenseIgnoreTemp}
+
+if [ -n "${DIFFS}" ]; then
+ echo "New files detected that either need copyright/license identifiers added, "
+ echo "or they need to be added to .license.ignore"
+ echo "NB: The ignore file must be sorted alphabetically!"
+
+ echo "Diff:"
+ echo "${DIFFS}"
+ exit 1
+fi
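Review bot: `set -e` without `pipefail` at the top of file_license_check.sh means an rg failure inside the `rg … | while … | sort > ${rgTemp}` pipeline — a bad glob, an unreadable directory — is swallowed: the candidate list comes out empty, the diff against `.license.ignore` is empty, and the check passes green. Plain `set -eo pipefail` is not enough on its own because, as far as rg's exit-code contract goes, it also exits 1 when it lists no file, which is the success case here, so capture rg's output first and tolerate only that status, as below. Quoting the temp-file expansions (`> "${rgTemp}"`, `diff ${diffparms} "${licenseIgnoreTemp}" "${rgTemp}"`) is cheap while you are there; `diffparms` is the one expansion that needs word splitting. A `trap 'rm -f "${rgTemp}" "${licenseIgnoreTemp}"' EXIT` would also stop the temp files being left behind when the script aborts before the `rm -vf` lines.
```shell
set -eo pipefail

# … unchanged: diffparms / rgTemp setup and the commented-out example …

# rg exits 1 when it lists nothing (every file already carries a header) and 2 on a
# real error (bad glob, unreadable tree); only the error must abort the check.
candidates=$(rg -i "Copyright.*The Tari Project" --files-without-match \
    --one-file-system --no-follow \
    -g '!{RandomX}' \
    -g '!*.{Dockerfile,asc,bat,config,config.js,css,csv,drawio,env,gitkeep,hbs,html,ini,iss,json,lock,md,min.js,ps1,py,rc,scss,sh,sql,svg,toml,txt,yml,vue}' .) \
    || [ $? -eq 1 ]

printf '%s\n' "${candidates}" | while IFS= read -r file; do
    if [[ -n $(basename "$file" | grep -E '\.') ]]; then
        echo "$file"
    fi
done | sort > "${rgTemp}"

# … unchanged: .license.ignore sort, diff, clean-up, report …
```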