ci: warn on outdated top level dependencies (#757)

* mark: 0xaatif/outdated

* run: cargo init scripts

* feat: cargo xtask outdated

* ci: lint outdated

* chore: update description

* fix(ci): pin kurtosis version

.cargo/config.toml

@@ -2,3 +2,6 @@
 # https://github.com/rust-lang/rust/pull/124129
 # https://github.com/dtolnay/linkme/pull/88
 rustflags = ["-Z", "linker-features=-lld"]
+
+[alias]
+xtask = ["run", "--package=xtask", "--"]

.github/workflows/jerigon-native.yml

@@ -52,7 +52,7 @@ jobs:
         run: |
           echo "deb [trusted=yes] https://apt.fury.io/kurtosis-tech/ /" | sudo tee /etc/apt/sources.list.d/kurtosis.list
           sudo apt update
-          sudo apt install kurtosis-cli
+          sudo apt install kurtosis-cli=1.3.1
 
       #It is much easier to use cast tool in scripts so install foundry
       - name: Install Foundry

.github/workflows/jerigon-zero.yml

@@ -52,7 +52,7 @@ jobs:
         run: |
           echo "deb [trusted=yes] https://apt.fury.io/kurtosis-tech/ /" | sudo tee /etc/apt/sources.list.d/kurtosis.list
           sudo apt update
-          sudo apt install kurtosis-cli
+          sudo apt install kurtosis-cli=1.3.1
 
       #It is much easier to use cast tool in scripts so install foundry
       - name: Install Foundry

.github/workflows/lint.yml

@@ -66,3 +66,13 @@ jobs:
         with:
           tool: taplo-cli
       - run: taplo fmt --check
+  outdated:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/rust
+      - uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-outdated
+      - run: cargo xtask outdated

Cargo.toml

@@ -5,6 +5,7 @@ members = [
   "evm_arithmetization",
   "mpt_trie",
   "proc_macro",
+  "scripts",
   "smt_trie",
   "trace_decoder",
   "zero",

scripts/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "xtask"
+version = "0.0.0"
+edition.workspace = true
+license.workspace = true
+repository.workspace = true
+homepage.workspace = true
+keywords.workspace = true
+categories.workspace = true
+publish = false
+
+[dependencies]
+anyhow.workspace = true
+clap = { workspace = true, features = ["derive"] }
+serde = { workspace = true, features = ["derive"] }
+serde_json.workspace = true
+
+[lints]
+workspace = true
+
+[[bin]]
+name = "xtask"
+path = "xtask.rs"

scripts/xtask.rs

@@ -0,0 +1,69 @@
+//! General purpose scripts for development
+
+use std::process::{Command, Stdio};
+
+use anyhow::{ensure, Context as _};
+use clap::Parser;
+use serde::Deserialize;
+
+#[derive(Parser)]
+enum Args {
+    /// Run `cargo-outdated`, printing warnings compatible with GitHub's CI.
+    ///
+    /// If a direct dependency listed in our Cargo.lock is behind the latest
+    /// available on crates-io, a warning will be emitted.
+    ///
+    /// Note that we only warn on our _direct_ dependencies,
+    /// not the entire supply chain.
+    Outdated,
+}
+
+#[derive(Deserialize)]
+struct Outdated<'a> {
+    crate_name: &'a str,
+    dependencies: Vec<Dependency<'a>>,
+}
+
+#[derive(Deserialize)]
+struct Dependency<'a> {
+    name: &'a str,
+    project: &'a str,
+    latest: &'a str,
+}
+
+fn main() -> anyhow::Result<()> {
+    match Args::parse() {
+        Args::Outdated => {
+            let output = Command::new("cargo")
+                .args(["outdated", "--root-deps-only", "--format=json"])
+                .stderr(Stdio::inherit())
+                .stdout(Stdio::piped())
+                .output()
+                .context("couldn't exec `cargo`")?;
+            ensure!(
+                output.status.success(),
+                "command failed with {}",
+                output.status
+            );
+            for Outdated {
+                crate_name,
+                dependencies,
+            } in serde_json::Deserializer::from_slice(&output.stdout)
+                .into_iter::<Outdated<'_>>()
+                .collect::<Result<Vec<_>, _>>()
+                .context("failed to parse output from `cargo outdated`")?
+            {
+                for Dependency {
+                    name,
+                    project,
+                    latest,
+                } in dependencies
+                {
+                    // https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#setting-a-warning-message
+                    println!("::warning title=outdated-dependency::dependency {name} of crate {crate_name} is at version {project}, but the latest is {latest}")
+                }
+            }
+        }
+    }
+    Ok(())
+}