Merge pull request #205 from silas-x/master
feat: security txt and build integrity
binyebarwe authored Dec 23, 2023
2 parents 9344744 + 2f2eace commit fd32b05
Showing 3 changed files with 64 additions and 2 deletions.
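--- a/.github/workflows/release-verifiable-build.yml
+++ b/.github/workflows/release-verifiable-build.yml
@@ -0,0 +1,59 @@
+name: Verifiable Release
+
+on:
+push:
+tags:
+['v*']
+
+env:
+APP_NAME: 'openbook_v2'
+SOLANA_VERSION: '1.16.1'
+ANCHOR_VERSION: '0.28.0'
+
+jobs:
+build:
+name: Verifiable Release Artifacts
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v3
+with:
+submodules: 'recursive'
+
+- name: Cache dependencies
+uses: Swatinem/rust-cache@v2
+
+- name: Setup Anchor
+run: |
+cargo install --git https://github.com/coral-xyz/anchor --rev 4e5280be46d859ba1c57fabe4c3916bec742fd69 anchor-cli --locked --force
+- name: Verifiable Build
+run: |
+anchor build --verifiable --docker-image backpackapp/build:v${{ env.ANCHOR_VERSION }} --solana-version ${{ env.SOLANA_VERSION }} -- --features enable-gpl
+- name: Generate Checksum
+run: |
+echo "CHECKSUM=$(sha256sum ./target/verifiable/${{ env.APP_NAME }}.so | head -c 64)" >> $GITHUB_ENV
+mv ./target/verifiable/${{ env.APP_NAME }}.so ./target/verifiable/${{ env.APP_NAME }}-${{ github.ref_name }}.so
+# Complete supply chain inventory used for release
+- name: Generate SBOM
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: 'fs'
+format: 'cyclonedx'
+output: '${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json'
+
+- name: Update Release
+id: create_release
+uses: softprops/action-gh-release@v1
+with:
+tag_name: ${{ github.ref_name }}
+name: ${{ github.ref_name }}
+body: |
+OpenBook V2 release: ${{ github.ref_name }}
+Build sha256: ${{ env.CHECKSUM }}
+GitHub commit: ${{ github.sha }}
+files: |
+./target/verifiable/${{ env.APP_NAME }}-${{ github.ref_name }}.so
+./${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json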
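Review bot: `uses: aquasecurity/trivy-action@master` in the Generate SBOM step tracks a mutable branch, so the release job executes whatever that action's default branch holds at tag time — the one step in a workflow meant to establish build integrity whose version is not fixed at all (the other three actions float on major tags, which are also mutable but at least scoped to a release line). Pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>` (placeholder), and consider SHA-pinning the other actions for the same reason. Separately, the sha256 published in the release body covers only the `.so`; the SBOM is uploaded without any digest, so a consumer cannot tie it to the binary it describes — a second `sha256sum` line in the Generate Checksum step, written to `$GITHUB_ENV` and echoed into the release body, would close that gap. Note also that the release body is editable after publication, so the checksum there is a convenience rather than an integrity anchor; the tag/commit reference is what a verifier should rebuild from.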
1 change: 1 addition & 0 deletions programs/openbook-v2/Cargo.toml
Expand Up @@ -29,6 +29,7 @@ arbitrary = { version = "~1.0", features = ["derive"], optional = true }
raydium-amm-v3 = { git = "https://github.com/raydium-io/raydium-clmm.git", features = ["cpi"] }
arrayref = "0.3.6"
bytemuck = { version = "^1.7.2", features = ["derive", "min_const_generics"] }
default-env = "0.1.1"
derivative = "2.2.0"
fixed = { workspace = true, features = ["serde", "borsh", "debug-assert-in-release"] }
itertools = "0.10.3"
6 changes: 4 additions & 2 deletions programs/openbook-v2/src/lib.rs
Expand Up @@ -624,7 +624,7 @@ pub struct PlaceTakeOrderArgs {

// Add security details to explorer.solana.com
#[cfg(not(feature = "no-entrypoint"))]
use solana_security_txt::security_txt;
use {default_env::default_env, solana_security_txt::security_txt};

#[cfg(not(feature = "no-entrypoint"))]
security_txt! {
Expand All @@ -634,5 +634,7 @@ security_txt! {
policy: "https://github.com/openbook-dex/openbook-v2/blob/master/SECURITY.md",
preferred_languages: "en",
source_code: "https://github.com/openbook-dex/openbook-v2",
auditors: "https://github.com/openbook-dex/openbook-v2/blob/master/audit/openbook_audit.pdf"
auditors: "https://github.com/openbook-dex/openbook-v2/blob/master/audit/openbook_audit.pdf",
source_revision: default_env!("GITHUB_SHA", "Unknown source revision"),
source_release: default_env!("GITHUB_REF_NAME", "Unknown source release")
}
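Review bot: `default_env!("GITHUB_SHA", …)` and `default_env!("GITHUB_REF_NAME", …)` on the two new lines read the build machine's environment at compile time, so the value that ends up in the deployed program depends on whether those variables exist where rustc actually runs; the release workflow in this commit compiles inside the `anchor build --verifiable` Docker container, and if the runner's variables are not forwarded into that container the binary will silently carry the literal "Unknown source revision" / "Unknown source release" fallbacks, which defeats the purpose of the fields. Worth checking on the first tagged build by inspecting the strings in the produced `.so`, and if they are missing, forwarding the two variables explicitly (anchor-cli's verifiable build has an option for passing environment into the container, as I recall — confirm against the pinned revision). The same embedding means anyone reproducing the verifiable build to check the published sha256 must supply identical `GITHUB_SHA` and `GITHUB_REF_NAME` values or the artifact hash will differ; that deserves a comment here, e.g. `// Baked in at compile time from the CI environment; reproducing the build requires the same GITHUB_SHA / GITHUB_REF_NAME or the artifact hash will not match.` The `security_txt!` invocation these fields belong to begins above this hunk.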
