Sync main with upstream ZcashFoundation/frost

.github/dependabot.yml

@@ -3,12 +3,15 @@ updates:
 - package-ecosystem: github-actions
   directory: "/"
   schedule:
-    interval: daily
+    interval: monthly
     timezone: America/New_York
   open-pull-requests-limit: 10
 - package-ecosystem: cargo
   directory: "/"
+  # Update only the lockfile. We shouldn't update Cargo.toml unless it's for
+  # a security issue, or if we need a new feature of the dependency.
+  versioning-strategy: lockfile-only
   schedule:
-    interval: daily
+    interval: monthly
     timezone: America/New_York
   open-pull-requests-limit: 10

.github/workflows/coverage.yaml

@@ -6,7 +6,7 @@
     branches:
       - main
   pull_request:
     path:
       - '**/*.rs'
       - '**/*.txt'
       - '**/Cargo.toml'
@@ -23,16 +23,13 @@
       RUST_BACKTRACE: full
 
     steps:
-      - uses: actions/checkout@v4.2.2
+      - uses: actions/checkout@v6.0.2
         with:
           persist-credentials: false
 
-      - uses: actions-rs/toolchain@v1.0.7
+      - uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          override: true
-          profile: minimal
-          components: llvm-tools-preview
+          components: llvm-tools
 
       - name: Install cargo-llvm-cov cargo command
         run: cargo install cargo-llvm-cov
@@ -44,4 +41,4 @@
         run: cargo llvm-cov report --lcov --ignore-filename-regex '.*(tests).*|benches.rs|gencode|helpers.rs|interoperability_tests.rs' --output-path lcov.info
 
       - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v5.1.2
+        uses: codecov/codecov-action@v6.0.0

.github/workflows/docs.yml

@@ -15,14 +15,20 @@ on:
     paths:
       # doc source files
       - 'book/**'
-      - '**/firebase.json'
-      - 'katex-header.html'
+      # source files; some md files include code snippets that we want to keep up to date
+      - 'frost-*/**'
       # workflow definitions
       - '.github/workflows/docs.yml'
   push:
     branches:
       - main
 
+# Sets permissions for GitHub Pages deployment
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
 env:
   RUST_LOG: info
   RUST_BACKTRACE: full
@@ -31,56 +37,51 @@ env:
 
 jobs:
   build:
-    name: Build and Deploy Docs (+beta)
+    name: Build Docs (+beta)
     timeout-minutes: 45
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the source code
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v6.0.2
         with:
           persist-credentials: false
 
       - name: Install latest beta
-        uses: actions-rs/toolchain@v1
-        with:
-          toolchain: beta
-          components: rust-docs
-          override: true
+        uses: dtolnay/rust-toolchain@beta
 
       - uses: Swatinem/rust-cache@v2
 
       - name: Setup mdBook
         uses: peaceiris/actions-mdbook@v2.0.0
         with:
-          mdbook-version: '0.4.18'
+          mdbook-version: '0.5.2'
 
       # TODO: actions-mdbook does not yet have an option to install mdbook-mermaid https://github.com/peaceiris/actions-mdbook/issues/426
       - name: Install plugins
         run: |
           cargo install mdbook-mermaid
-          cargo install mdbook-admonish
 
       - name: Build FROST book
         run: |
           mdbook build book/
 
-      - name: Deploy FROST book to Firebase preview channel
-        uses: FirebaseExtended/action-hosting-deploy@v0
-        if: ${{ github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }}
-        with:
-          entrypoint: "book/"
-          expires: 14d
-          firebaseServiceAccount: ${{ secrets.GCP_SA_KEY }}
-          repoToken: ${{ secrets.GITHUB_TOKEN }}
-          projectId: ${{ vars.FIREBASE_PROJECT_ID }}
-
-      - name: Deploy FROST book to Firebase live channel
-        uses: FirebaseExtended/action-hosting-deploy@v0
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v4
         if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
         with:
-          channelId: live
-          entrypoint: "book/"
-          firebaseServiceAccount: ${{ secrets.GCP_SA_KEY }}
-          repoToken: ${{ secrets.GITHUB_TOKEN }}
-          projectId: ${{ vars.FIREBASE_PROJECT_ID }}
+          path: 'book/book'
+
+  deploy:
+    name: Deploy to GitHub Pages
+    if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
+    needs: build
+    timeout-minutes: 10
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v5
 

.github/workflows/main.yml

@@ -9,27 +9,30 @@ on:
       - main
 
 jobs:
-
   build_default:
     name: build with default features
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4.2.2
-      - uses: actions-rs/toolchain@v1.0.7
-        with:
-          toolchain: beta
-          override: true
-      - uses: actions-rs/cargo@v1.0.3
-        with:
-          command: build
+      - uses: actions/checkout@v6.0.2
+      - uses: dtolnay/rust-toolchain@beta
+      - run: cargo build
+
+  build_latest:
+    name: build with latest versions of dependencies
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6.0.2
+      - uses: dtolnay/rust-toolchain@stable
+      - run: cargo update && cargo build --all-features
 
   build_msrv:
-    name: build with MSRV (1.66.1)
+    name: build with MSRV (1.81)
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4.2.2
+      - uses: actions/checkout@v6.0.2
       # Re-resolve Cargo.lock with minimal versions.
       # This only works with nightly. We pin to a specific version because
       # newer versions use lock file version 4, but the MSRV cargo does not
@@ -40,7 +43,7 @@ jobs:
       - run: cargo update -Z minimal-versions
       # Now check that `cargo build` works with respect to the oldest possible
       # deps and the stated MSRV
-      - uses: dtolnay/rust-toolchain@1.66.1
+      - uses: dtolnay/rust-toolchain@1.81
       - run: cargo build --all-features
 
   # TODO: this is filling up the disk space in CI. See if there is a way to
@@ -51,7 +54,7 @@ jobs:
   #   runs-on: ubuntu-latest
 
   #   steps:
-  #     - uses: actions/checkout@v4.2.2
+  #     - uses: actions/checkout@v6.0.2
   #     - uses: dtolnay/rust-toolchain@stable
   #     - run: cargo install cargo-all-features
   #     # We check and then test because some test dependencies could help
@@ -71,7 +74,7 @@ jobs:
       matrix:
         crate: [ristretto255, ed25519, p256, secp256k1, secp256k1-tr, rerandomized]
     steps:
-    - uses: actions/checkout@v4.2.2
+    - uses: actions/checkout@v6.0.2
     - uses: dtolnay/rust-toolchain@master
       with:
         toolchain: stable
@@ -84,29 +87,22 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4.2.2
-      - uses: actions-rs/toolchain@v1.0.7
-        with:
-          toolchain: beta
-          override: true
-      - uses: actions-rs/cargo@v1.0.3
-        with:
-          command: test
-          args: --release --all-features
+      - uses: actions/checkout@v6.0.2
+      - uses: dtolnay/rust-toolchain@beta
+      - run: cargo test --release --all-features
 
   clippy:
     name: Clippy
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4.2.2
+      - uses: actions/checkout@v6.0.2
         with:
           persist-credentials: false
 
-      - uses: actions-rs/toolchain@v1.0.7
+      - uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
-          override: true
+          components: clippy
 
       - name: Check workflow permissions
         id: check_permissions
@@ -117,12 +113,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run clippy action to produce annotations
-        uses: actions-rs/clippy-check@v1.0.7
+        uses: clechasseur/rs-clippy-check@v5
         if: ${{ steps.check_permissions.outputs.has-permission }}
         with:
-          # GitHub displays the clippy job and its results as separate entries
-          name: Clippy (stable) Results
-          token: ${{ secrets.GITHUB_TOKEN }}
           args: --all-features --all-targets -- -D warnings
 
       - name: Run clippy manually without annotations
@@ -134,44 +127,34 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4.2.2
+      - uses: actions/checkout@v6.0.2
         with:
           persist-credentials: false
 
-      - uses: actions-rs/toolchain@v1.0.7
+      - uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
           components: rustfmt
-          override: true
 
       - uses: Swatinem/rust-cache@v2
 
-      - uses: actions-rs/cargo@v1.0.3
-        with:
-          command: fmt
-          args: --all -- --check
+      - run: cargo fmt --all -- --check
 
   gencode:
     name: Check if automatically generated code is up to date
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4.2.2
+      - uses: actions/checkout@v6.0.2
         with:
           persist-credentials: false
 
-      - uses: actions-rs/toolchain@v1.0.7
+      - uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: stable
           components: rustfmt
-          override: true
 
       - uses: Swatinem/rust-cache@v2
 
-      - uses: actions-rs/cargo@v1.0.3
-        with:
-          command: run
-          args: --bin gencode -- --check
+      - run: cargo run --bin gencode -- --check
 
   docs:
     name: Check Rust doc
@@ -180,27 +163,20 @@ jobs:
       RUSTDOCFLAGS: -D warnings
 
     steps:
-      - uses: actions/checkout@v4.2.2
+      - uses: actions/checkout@v6.0.2
         with:
           persist-credentials: false
 
-      - uses: actions-rs/toolchain@v1.0.7
-        with:
-          toolchain: stable
-          profile: minimal
-          override: true
+      - uses: dtolnay/rust-toolchain@stable
 
-      - uses: actions-rs/cargo@v1.0.3
-        with:
-          command: doc
-          args: --no-deps --document-private-items --all-features
+      - run: cargo doc --no-deps --document-private-items --all-features
 
   actionlint:
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v4.2.2
-      - uses: reviewdog/action-actionlint@v1.63.0
+      - uses: actions/checkout@v6.0.2
+      - uses: reviewdog/action-actionlint@v1.72.0
         with:
           level: warning
-          fail_on_error: false
+          fail_level: none

.github/workflows/release-drafter.yml

@@ -8,9 +8,12 @@ on:
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
     steps:
       # Drafts your next Release notes as Pull Requests are merged into main
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@v7
         with:
           # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
           config-name: release-drafter.yml

.gitignore

@@ -1,6 +1,5 @@
 /target
 **/*.rs.bk
-Cargo.lock
 *~
 **/.DS_Store
 .vscode/*

.mergify.yml

@@ -9,7 +9,6 @@ queue_rules:
       # which are the same as the GitHub main branch protection rules
       # https://docs.mergify.com/conditions/#about-branch-protection
       - base=main
-    allow_inplace_checks: true
     batch_size: 2
     # Wait for a few minutes to embark 2 tickets together in a merge train
     batch_max_wait_time: "3 minutes"