cryptogarageinc · k-matsuzawa · May 2, 2025 · May 2, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directories:
+      - '.github/**/*'
+    schedule:
+      interval: weekly
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -13,7 +13,11 @@ env:
 
 jobs:
   check_image_env:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
+    timeout-minutes: 120
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: stop CI
         if: ${{ github.event_name != 'pull_request' }}
@@ -28,11 +32,17 @@ jobs:
           while true; do echo "Waiting for job to be cancelled"; sleep 5; done
 
   build_and_push_elements_image:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     needs: check_image_env
+    timeout-minutes: 120
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: "false"
 
       - name: Get the version
         id: get_version
@@ -52,7 +62,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
         with:
           # list of Docker images to use as base name for tags
           images: name=${{ steps.image_path.outputs.IMAGE_PATH }}
@@ -63,29 +73,29 @@ jobs:
             type=sha
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
 
       - name: Login to Docker Hub
         if: "github.event_name != 'pull_request' && !contains( steps.image_path.outputs.IMAGE_PATH, 'ghcr.io/' )"
-        uses: docker/login-action@v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
         with:
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Login to GitHub Container Registry
         if: "github.event_name != 'pull_request' && contains( steps.image_path.outputs.IMAGE_PATH, 'ghcr.io/' )"
-        uses: docker/login-action@v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
         with:
           registry: ghcr.io
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Build only
         if: ${{ github.event_name == 'pull_request' }}
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
         with:
           context: .
           platforms: linux/amd64
@@ -95,7 +105,7 @@ jobs:
 
       - name: Build and push
         if: ${{ github.event_name != 'pull_request' }}
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -105,19 +115,25 @@ jobs:
 
       - name: Run Trivy vulnerability scanner
         if: ${{ github.event_name != 'pull_request' }}
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
         with:
           image-ref: ${{ steps.image_path.outputs.IMAGE_PATH }}:${{ steps.get_version.outputs.VERSION }}
           format: table
           exit-code: 1
           severity: CRITICAL,HIGH
 
   build_and_push_bitcoin_image:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     needs: check_image_env
+    timeout-minutes: 120
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: "false"
 
       - name: Get the version
         id: get_version
@@ -137,7 +153,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
         with:
           # list of Docker images to use as base name for tags
           images: name=${{ steps.image_path.outputs.IMAGE_PATH }}
@@ -151,29 +167,29 @@ jobs:
             type=sha,suffix=-bitcoin
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
 
       - name: Login to Docker Hub
         if: "github.event_name != 'pull_request' && !contains( steps.image_path.outputs.IMAGE_PATH, 'ghcr.io/' )"
-        uses: docker/login-action@v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
         with:
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Login to GitHub Container Registry
         if: "github.event_name != 'pull_request' && contains( steps.image_path.outputs.IMAGE_PATH, 'ghcr.io/' )"
-        uses: docker/login-action@v2
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
         with:
           registry: ghcr.io
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Build only
         if: ${{ github.event_name == 'pull_request' }}
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
         with:
           context: .
           file: ./Dockerfile_bitcoin
@@ -184,7 +200,7 @@ jobs:
 
       - name: Build and push
         if: ${{ github.event_name != 'pull_request' }}
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
         with:
           context: .
           file: ./Dockerfile_bitcoin
@@ -195,7 +211,7 @@ jobs:
 
       - name: Run Trivy vulnerability scanner
         if: ${{ github.event_name != 'pull_request' }}
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
         with:
           image-ref: ${{ steps.image_path.outputs.IMAGE_PATH }}:${{ steps.get_version.outputs.VERSION }}-bitcoin
           format: table

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -1,53 +1,74 @@
 name: CI
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - main
+      - master
+      - new-index
+  pull_request:
+    types: [opened, reopened, synchronize]
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    permissions:
+      contents: read
+      pull-requests: write
     env:
       CARGO_TERM_COLOR: always
 
     steps:
-    - uses: actions/checkout@v2
+      - name: setup
+        run: sudo apt install -y libfuse2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: "false"
 
-    - name: Cache cargo registry
-      uses: actions/cache@v1
-      with:
-        path: ~/.cargo/registry
-        key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+      - name: Cache cargo registry
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.cargo/registry
+          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
 
-    - name: Cache cargo index
-      uses: actions/cache@v1
-      with:
-        path: ~/.cargo/git
-        key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
+      - name: Cache cargo index
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.cargo/git
+          key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
 
-    - name: Cache cargo build
-      uses: actions/cache@v1
-      with:
-        path: target
-        key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
+      - name: Cache cargo build
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: target
+          key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }}
 
-    #- name: Check formatting
-    #  run: cargo fmt -- --check
+      #- name: Check formatting
+      #  run: cargo fmt -- --check
 
-    - name: Setup Rust toolchain
-      run: rustup default 1.75.0
+      - name: Setup Rust toolchain
+        run: rustup default 1.75.0
 
-    - name: Check for errors
-      run: cargo check
+      - name: Check for errors
+        run: cargo check
 
-    - name: Tests (Bitcoin mode, REST+Electrum)
-      run: RUST_LOG=debug cargo test
+      - name: Tests (Bitcoin mode, REST+Electrum)
+        run: RUST_LOG=debug cargo test
 
-    - name: Tests (Liquid mode, REST)
-      run: RUST_LOG=debug cargo test --features liquid
+      - name: Tests (Liquid mode, REST)
+        run: RUST_LOG=debug cargo test --features liquid
 
   nix:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-      - uses: actions/checkout@v3
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: "false"
+      - uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 # v17
       - run: nix build .
         continue-on-error: true
diff --git a/.hadolint.yml b/.hadolint.yml
@@ -0,0 +1,5 @@
+# Hadolint configuration file
+
+# configure ignore rules
+# see https://github.com/hadolint/hadolint#rules for a list of available rules.
+ignored: [DL3003, DL3018]
diff --git a/.yamlfmt b/.yamlfmt
@@ -0,0 +1,18 @@
+# https://github.com/google/yamlfmt/blob/v0.9.0/docs/config-file.md#configuration
+line_ending: 'lf'
+doublestar: true
+include:
+  - '.github/**/*.{yaml,yml}'
+  - './.yamlfmt'
+  - './*.{yaml,yml}'
+
+formatter:
+  # 使用するフォーマッター
+  type: basic
+  # フォーマッターの設定 ( https://github.com/google/yamlfmt/blob/v0.9.0/docs/config-file.md#basic-formatter )
+  indent: 2
+  retain_line_breaks: true
+  max_line_length: 0
+  scan_folded_as_literal: true
+  drop_merge_tag: true
+  pad_line_comments: 1
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Dockerfile b/Dockerfile
@@ -15,6 +15,6 @@ RUN if [ "$TARGETARCH" = "arm64" ]; then \
     cargo build --release --features liquid --bin electrs
 
 FROM alpine:3.19 AS electrs
-RUN apk add gcc libstdc++
+RUN apk add --update --no-cache gcc libstdc++
 COPY --from=electrs_builder /app/target/release/electrs /bin
 CMD ["sh", "-c", "electrs -vvvv --network=liquidregtest"]
diff --git a/Dockerfile_bitcoin b/Dockerfile_bitcoin
@@ -15,6 +15,6 @@ RUN if [ "$TARGETARCH" = "arm64" ]; then \
     cargo build --release --bin electrs
 
 FROM alpine:3.19 AS electrsbtc
-RUN apk add gcc libstdc++
+RUN apk add --update --no-cache gcc libstdc++
 COPY --from=electrs_builder /app/target/release/electrs /bin
 CMD ["sh", "-c", "electrs -vvvv --network=regtest"]
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -0,0 +1,24 @@
+version: "3"
+tasks:
+  lint:
+    deps:
+      - task: :gha-lint
+      - task: :hadolint
+  gha-lint:
+    vars:
+      PINACT_VERSION: v2.2.1
+      ACTIONLINT_VERSION: v1.7.7
+      GHALINT_VERSION: v1.3.0
+    cmds:
+      - go run github.com/suzuki-shunsuke/pinact/v2/cmd/pinact@{{.PINACT_VERSION}} run
+      - go run github.com/rhysd/actionlint/cmd/actionlint@{{.ACTIONLINT_VERSION}}
+      - go run github.com/suzuki-shunsuke/ghalint/cmd/ghalint@{{.GHALINT_VERSION}} run
+  hadolint:
+    cmds:
+      - docker run --rm -i -v {{.TASK_DIR}}/.hadolint.yml:/.config/hadolint.yaml ghcr.io/hadolint/hadolint < Dockerfile
+      - docker run --rm -i -v {{.TASK_DIR}}/.hadolint.yml:/.config/hadolint.yaml ghcr.io/hadolint/hadolint < Dockerfile_bitcoin
+  format:
+    vars:
+      YAMLFMT_VERSION: v0.15.0
+    cmds:
+      - go run github.com/google/yamlfmt/cmd/yamlfmt@{{.YAMLFMT_VERSION}}