Run cargo audit on committed Cargo.lock

The current audit action regenerates the lock file which may hide
vulnerabilities in our binaries.

Ensure binaries are built with committed lock file by adding the
`--locked` flag. Note the `--locked` flag is currently documented in a
confusing way in `cargo --help`.

A fix for that has been merged into cargo recently:

rust-lang/cargo#13665

Author: sveitser

.github/workflows/audit.yml

@@ -26,6 +26,13 @@ jobs:
         uses: ./.github/actions/install-capnp
 
       # See https://github.com/rustsec/audit-check for docs
-      - uses: rustsec/audit-check@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+      # TODO: re-enable if https://github.com/rustsec/audit-check/pull/20 is merged
+      # - uses: rustsec/audit-check@v1
+      #   with:
+      #     token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Currently the rustsec/audit-check action regenerates the Cargo.lock
+      # file. Our binaries are built using the committed lock file.
+      # Re-generating the lock file can hide vulnerabilities. We therefore run
+      # cargo audit directly which respects our lock file.
+      - run: cargo audit

.github/workflows/build.yml

@@ -53,7 +53,7 @@ jobs:
       - name: Build
         # Build in release without `testing` feature, this should work without `hotshot_example` config.
         run: |
-          cargo build --release --workspace
+          cargo build --locked --release --workspace
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v3
@@ -98,7 +98,7 @@ jobs:
 
       - name: Build
         run: |
-          cargo build --release --workspace
+          cargo build --locked --release --workspace
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v3

.github/workflows/build_static.yml

@@ -68,7 +68,7 @@ jobs:
       - name: Compile all executables
         # timeout-minutes: 120
         run: |
-          nix develop $DEVSHELL --accept-flake-config --option sandbox relaxed -c cargo build --release
+          nix develop $DEVSHELL --accept-flake-config --option sandbox relaxed -c cargo build --locked --release
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v3

.github/workflows/contracts.yml

@@ -73,7 +73,7 @@ jobs:
 
       - name: Build diff-test
         run: |
-          nix develop --accept-flake-config -c cargo build --bin diff-test --release
+          nix develop --accept-flake-config -c cargo build --locked --bin diff-test --release
 
       - name: Run tests (quick version for PR)
         if: ${{ github.event_name == 'pull_request' }}
@@ -85,4 +85,3 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         run: |
           nix develop --accept-flake-config -c forge test -vvv
-          

.github/workflows/test-demo-native.yml

@@ -47,7 +47,7 @@ jobs:
         uses: ./.github/actions/install-capnp
 
       - name: Build
-        run: cargo build --release
+        run: cargo build --locked --release
 
       - name: Test Demo
         run: |

.github/workflows/test.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Install Foundry
         uses: foundry-rs/foundry-toolchain@v1
         with:
-            version: nightly-2cb875799419c907cc3709e586ece2559e6b340e # Not using the default version because likely of this bug https://github.com/foundry-rs/foundry/issues/7120
+          version: nightly-2cb875799419c907cc3709e586ece2559e6b340e # Not using the default version because likely of this bug https://github.com/foundry-rs/foundry/issues/7120
 
       - name: Install just command runner
         run: |
@@ -55,7 +55,7 @@ jobs:
         run: |
           export RUSTFLAGS="$RUSTFLAGS --cfg hotshot_example"
           export PATH="$PWD/target/release:$PATH"
-          cargo build --bin diff-test --release
+          cargo build --locked --bin diff-test --release
           cargo test --release --workspace --all-features --no-run
           cargo test --release --workspace --all-features --verbose -- --test-threads 1 --nocapture
         timeout-minutes: 30