feat: bump up wasmd base version from v0.29.0 to v0.50.0

.github/workflows/codeql-analizer.yml

@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3.1.0
+        uses: actions/checkout@v4.1.1
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.golangci.yml

@@ -1,63 +1,148 @@
 run:
-  tests: false
+  tests: true
+  timeout: 15m
+  sort-results: true
+  allow-parallel-runners: true
+  exclude-dir: testutil/testdata
+  skip-files:
+    - server/grpc/gogoreflection/fix_registration.go
+    - ".*\\.pb\\.go$"
+    - ".*\\.pb\\.gw\\.\\.go$"
+    - ".*\\.pulsar\\.go$"
 
 linters:
   disable-all: true
   enable:
-    - bodyclose
-    - deadcode
-    - depguard
-    - dogsled
     - errcheck
+    - dogsled
+    - exportloopref
     - goconst
     - gocritic
-    - gofmt
-    - goimports
-    - revive
+    - gci
+    - gofumpt
     - gosec
     - gosimple
     - govet
     - ineffassign
     - misspell
     - nakedret
-    - prealloc
-    - exportloopref
+    - nolintlint
     - staticcheck
-    - structcheck
+    - revive
     - stylecheck
     - typecheck
+#    - thelper # too many positives with table tests that have custom setup(*testing.T)
     - unconvert
     - unused
-    - varcheck
 
 issues:
   exclude-rules:
-    - text: "Use of weak random number generator"
+    - text: 'Use of weak random number generator'
       linters:
         - gosec
-    - text: "ST1003:"
+    - text: 'ST1003:'
+      linters:
+        - stylecheck
+    # FIXME: Disabled until golangci-lint updates stylecheck with this fix:
+    # https://github.com/dominikh/go-tools/issues/389
+    - text: 'ST1016:'
       linters:
         - stylecheck
+    - path: 'migrations'
+      text: 'SA1019:'
+      linters:
+        - staticcheck
+    - text: 'SA1019: codec.NewAminoCodec is deprecated' # TODO remove once migration path is set out
+      linters:
+        - staticcheck
+    - text: 'SA1019: legacybech32.MustMarshalPubKey' # TODO remove once ready to remove from the sdk
+      linters:
+        - staticcheck
+    - text: 'SA1019: legacybech32.MarshalPubKey' # TODO remove once ready to remove from the sdk
+      linters:
+        - staticcheck
+    - text: 'SA1019: legacybech32.UnmarshalPubKey' # TODO remove once ready to remove from the sdk
+      linters:
+        - staticcheck
+    - text: 'SA1019: params.SendEnabled is deprecated' # TODO remove once ready to remove from the sdk
+      linters:
+        - staticcheck
+    - text: 'leading space'
+      linters:
+        - nolintlint
+  max-issues-per-linter: 10000
+  max-same-issues: 10000
 
 linters-settings:
+  gci:
+    custom-order: true
+    sections:
+      - standard # Standard section: captures all standard packages.
+      - default # Default section: contains all imports that could not be matched to another section type.
+      - prefix(cosmossdk.io)
+      - prefix(github.com/cosmos/cosmos-sdk)
+      - prefix(github.com/CosmWasm/wasmd)
+  revive:
+    rules:
+      - name: redefines-builtin-id
+        disabled: true
+
+  gosec:
+    # To select a subset of rules to run.
+    # Available rules: https://github.com/securego/gosec#available-rules
+    # Default: [] - means include all rules
+    includes:
+      #  - G101 # Look for hard coded credentials
+      - G102 # Bind to all interfaces
+      - G103 # Audit the use of unsafe block
+      - G104 # Audit errors not checked
+      - G106 # Audit the use of ssh.InsecureIgnoreHostKey
+      - G107 # Url provided to HTTP request as taint input
+      - G108 # Profiling endpoint automatically exposed on /debug/pprof
+      - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32
+      - G110 # Potential DoS vulnerability via decompression bomb
+      - G111 # Potential directory traversal
+      - G112 # Potential slowloris attack
+      - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
+      - G114 # Use of net/http serve function that has no support for setting timeouts
+      - G201 # SQL query construction using format string
+      - G202 # SQL query construction using string concatenation
+      - G203 # Use of unescaped data in HTML templates
+      - G204 # Audit use of command execution
+      - G301 # Poor file permissions used when creating a directory
+      - G302 # Poor file permissions used with chmod
+      - G303 # Creating tempfile using a predictable path
+      - G304 # File path provided as taint input
+      - G305 # File traversal when extracting zip/tar archive
+      - G306 # Poor file permissions used when writing to a new file
+      - G307 # Deferring a method which returns an error
+      - G401 # Detect the usage of DES, RC4, MD5 or SHA1
+      - G402 # Look for bad TLS connection settings
+      - G403 # Ensure minimum RSA key length of 2048 bits
+      - G404 # Insecure random number source (rand)
+      - G501 # Import blocklist: crypto/md5
+      - G502 # Import blocklist: crypto/des
+      - G503 # Import blocklist: crypto/rc4
+      - G504 # Import blocklist: net/http/cgi
+      - G505 # Import blocklist: crypto/sha1
+      - G601 # Implicit memory aliasing of items from a range statement
+  misspell:
+    locale: US
+  gofumpt:
+    extra-rules: true
   dogsled:
-    max-blank-identifiers: 3
-  errcheck:
-    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
-    # default is false: such cases aren't reported by default.
-    check-blank: true
+    max-blank-identifiers: 6
   maligned:
-    # print struct with more effective memory layout or not, false by default
     suggest-new: true
-  golint:
-    # minimal confidence for issues, default is 0.8
-    min-confidence: 0
-  prealloc:
-    # XXX: we don't recommend using this linter before doing performance profiling.
-    # For most programs usage of prealloc will be a premature optimization.
-
-    # Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them.
-    # True by default.
-    simple: false
-    range-loops: true # Report preallocation suggestions on range loops, true by default
-    for-loops: true # Report preallocation suggestions on for loops, false by default
+  nolintlint:
+    allow-unused: false
+    allow-leading-space: true
+    require-explanation: false
+    require-specific: false
+  gosimple:
+    checks: ['all']
+  gocritic:
+    disabled-checks:
+      - regexpMust
+      - appendAssign
+      - ifElseChain

.mergify.yml

@@ -0,0 +1,30 @@
+queue_rules:
+  - name: default
+    conditions:
+      - "#approved-reviews-by>0"
+
+pull_request_rules:
+  - name: backport patches to main branch
+    conditions:
+      - base=releases/v0.4x
+      - label=backport/main
+    actions:
+      backport:
+        branches:
+          - main
+  - name: backport patches to sdk45 release branch
+    conditions:
+      - base=main
+      - label=backport/v0.3x
+    actions:
+      backport:
+        branches:
+          - releases/v0.3x
+  - name: backport patches to sdk47 release branch
+    conditions:
+      - base=main
+      - label=backport/v0.4x
+    actions:
+      backport:
+        branches:
+          - releases/v0.4x

.sonarcloud.properties

@@ -0,0 +1,5 @@
+# see https://docs.sonarcloud.io/advanced-setup/automatic-analysis/
+sonar.sources=.
+sonar.exclusions=**/tests/**,**/benchmarks/**,**/ibctesting/**,**/wasmtesting/**,**/simulation/**,**/testdata/**,**/*.pb.go,**/*.pb.gw.go,**/*.test.go,**/test_*.go,**/*_fixtures.go,**/mock_*.go,**/*_mock.go
+
+sonar.tests=.

CODING_GUIDELINES.md

@@ -0,0 +1,51 @@
+# Coding Guidelines
+
+This document is an extension to [CONTRIBUTING](./CONTRIBUTING.md) and provides more details about the coding guidelines and requirements.
+
+## API & Design
+
+* Code must be well structured:
+    * packages must have a limited responsibility (different concerns can go to different packages),
+    * types must be easy to compose,
+    * think about maintainbility and testability.
+* "Depend upon abstractions, [not] concretions".
+* Try to limit the number of methods you are exposing. It's easier to expose something later than to hide it.
+* Follow agreed-upon design patterns and naming conventions.
+* publicly-exposed functions are named logically, have forward-thinking arguments and return types.
+* Avoid global variables and global configurators.
+* Favor composable and extensible designs.
+* Minimize code duplication.
+* Limit third-party dependencies.
+
+Performance:
+
+* Avoid unnecessary operations or memory allocations.
+
+Security:
+
+* Pay proper attention to exploits involving:
+    * gas usage
+    * transaction verification and signatures
+    * malleability
+    * code must be always deterministic
+* Thread safety. If some functionality is not thread-safe, or uses something that is not thread-safe, then clearly indicate the risk on each level.
+
+## Best practices
+
+* Use [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports) as your code formatter.
+
+* Always wrap returned errors. 
+    * Doing `if err != nil { return err }` does not include each callers' context. Pushing errors up the stack without context makes it harder to test and debug. Additionally, a short context description makes it easier for the reader to understand the code. Example:
+
+        ```go
+        if !coins.IsZero() { 
+            if err := k.bank.TransferCoins(ctx, caller, contractAddress, coins); err != nil { 
+                return nil, err 
+            } 
+        } 
+        ```
+
+    * It would be an improvement to return  `return nil, sdkerror.Wrap(err, "lock contract coins")`
+    * Please notice that fmt.Errorf is not used, because the error handling predates fmt.Errorf and errors.Is 
+
+* Limit the use of aliases, when not used during the refactoring process.

CONTRIBUTING.md

@@ -143,7 +143,7 @@ In order for imports to properly compile in your IDE, you may need to manually s
 
 For example, in vscode your `.vscode/settings.json` should look like:
 
-```
+```json
 {
     "protoc": {
         "options": [

Dockerfile

@@ -1,6 +1,6 @@
 # docker build . -t finschia/wasmd:latest
 # docker run --rm -it finschia/wasmd:latest /bin/sh
-FROM golang:1.20-alpine AS go-builder
+FROM golang:1.21-alpine3.17 AS go-builder
 ARG arch=x86_64
 
 # this comes from standard alpine nightly file
@@ -16,8 +16,8 @@ WORKDIR /code
 COPY . /code/
 
 # See https://github.com/Finschia/wasmvm/releases
-ADD https://github.com/Finschia/wasmvm/releases/download/v1.0.0-0.10.0/libwasmvm_static.x86_64.a /lib/libwasmvm_static.x86_64.a
 ADD https://github.com/Finschia/wasmvm/releases/download/v1.0.0-0.10.0/libwasmvm_static.aarch64.a /lib/libwasmvm_static.aarch64.a
+ADD https://github.com/Finschia/wasmvm/releases/download/v1.0.0-0.10.0/libwasmvm_static.x86_64.a /lib/libwasmvm_static.x86_64.a
 RUN sha256sum /lib/libwasmvm_static.aarch64.a | grep bc3db72ba32f34ad88ceb1d20479411bd7f50ccd6a5ca50cc8ca462a561e6189
 RUN sha256sum /lib/libwasmvm_static.x86_64.a | grep 352fa5de5f9dba66f0a38082541d3e63e21394fee3e577ea35e0906294c61276
 
@@ -30,7 +30,7 @@ RUN echo "Ensuring binary is statically linked ..." \
   && (file /code/build/wasmd | grep "statically linked")
 
 # --------------------------------------------------------
-FROM alpine:3.15
+FROM alpine:3.17
 
 COPY --from=go-builder /code/build/wasmd /usr/bin/wasmd