Audit Fixes

.github/actions/install-cairo/action.yml

@@ -8,7 +8,7 @@ inputs:
   #   required: false
   scarb_version:
     description: Scarb release version
-    default: "v2.8.2"
+    default: "v2.9.2"
     required: false
   use_musl_libc:
     description: "C library implementation"

.github/workflows/changesets.yml

@@ -17,6 +17,7 @@ jobs:
           # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
       # Install nix
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6

.github/workflows/contracts.yml

@@ -14,6 +14,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
 
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6
@@ -32,6 +34,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
 
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6

.github/workflows/examples.yml

@@ -14,6 +14,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
 
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6

.github/workflows/golangci-lint.yml

@@ -10,6 +10,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6
         with:
@@ -32,6 +34,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6
         with:
@@ -58,6 +62,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - name: Setup GitHub Token
         id: setup-github-token
         uses: smartcontractkit/.github/actions/setup-github-token@9e7cc0779934cae4a9028b8588c9adb64d8ce68c # [email protected]
@@ -95,6 +101,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - name: Setup GitHub Token
         id: setup-github-token
         uses: smartcontractkit/.github/actions/setup-github-token@9e7cc0779934cae4a9028b8588c9adb64d8ce68c # [email protected]

.github/workflows/integration-tests-publish.yml

@@ -30,6 +30,8 @@ jobs:
         continue-on-error: true
       - name: Checkout the repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - name: Setup GitHub Token
         id: setup-github-token
         uses: smartcontractkit/.github/actions/setup-github-token@9e7cc0779934cae4a9028b8588c9adb64d8ce68c # [email protected]

.github/workflows/integration-tests-smoke.yml

@@ -75,7 +75,9 @@ jobs:
       - name: Set core reference if workflow dispatch
         if: steps.check-image.outputs.exists == 'false' && github.event_name == 'workflow_dispatch'
         run: |
-          echo "CUSTOM_CORE_REF=${{ github.event.inputs.cl_branch_ref }}" >> "${GITHUB_ENV}"
+          echo "CUSTOM_CORE_REF=${CL_REF}" >> "${GITHUB_ENV}"
+        env:
+          CL_REF: ${{ github.event.inputs.cl_branch_ref }}
       - name: Build Image ${{ matrix.image.name }}
         if: steps.check-image.outputs.exists == 'false'
         uses: smartcontractkit/chainlink-github-actions/chainlink-testing-framework/build-image@fc3e0df622521019f50d772726d6bf8dc919dd38 # v2.3.19
@@ -124,6 +126,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.sha }}
+          persist-credentials: false
       - name: Build Image
         uses: ./.github/actions/build-test-image
         with:
@@ -168,6 +171,8 @@ jobs:
         continue-on-error: true
       - name: Checkout the repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6
         with:
@@ -193,7 +198,7 @@ jobs:
           [Network]
           selected_networks=["SIMULATED"]
           [Common]
-          internal_docker_repo = "${{ env.INTERNAL_DOCKER_REPO }}"
+          internal_docker_repo = "${INTERNAL_DOCKER_REPO}"
           stateful_db = false
           EOF
           # shellcheck disable=SC2002
@@ -205,6 +210,7 @@ jobs:
       - name: Run Tests ${{ matrix.image.name }}
         uses: smartcontractkit/.github/actions/ctf-run-tests@002596f65dc8eb807f5c8729dc1080921f7d0b24 # 0.2.1
         with:
+          cl_internal_docker_repo: ${{ env.INTERNAL_DOCKER_REPO }}
           aws_registries: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}
           test_command_to_run: nix develop -c sh -c "make test=${{ matrix.image.test-name }} test-integration-smoke-ci"
           test_download_vendor_packages_command: cd integration-tests && nix develop -c go mod download

.github/workflows/integration-tests-soak.yml

@@ -53,6 +53,8 @@ jobs:
         continue-on-error: true
       - name: Checkout the repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6
         with:

.github/workflows/integration_gauntlet.yml

@@ -15,13 +15,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6
         with:
           nix_path: nixpkgs=channel:nixos-unstable
           extra_nix_config: "sandbox = false"
       - name: Cache Nix
-        uses: cachix/cachix-action@v15
+        uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc
         with:
           name: chainlink-cosmos
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
@@ -49,6 +51,8 @@ jobs:
           this-job-name: Run Integration Gauntlet Tests
       - name: Checkout sources
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
 
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6

.github/workflows/lint.yml

@@ -14,6 +14,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
 
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6

.github/workflows/monitoring-build-push-ecr.yml

@@ -18,6 +18,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2

.github/workflows/relayer.yml

@@ -35,6 +35,8 @@ jobs:
           test-results-file: '{"testType":"go","filePath":"/tmp/gotest.log"}'
       - name: Checkout sources
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6
         with:
@@ -65,6 +67,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:

.github/workflows/release/starknet-gauntlet-cli.yml

@@ -11,6 +11,8 @@ jobs:
       # Checkout this repository
       - name: Checkout Repo
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          persist-credentials: false
       # Install nix
       - name: Install Nix
         uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6

.github/workflows/release/starknet-relayer.yml

@@ -11,6 +11,8 @@ jobs:
       # Checkout this repository
       - name: Checkout Repo
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          persist-credentials: false
       # Store starknet version
       - name: Set Env Variables
         run: echo "STARKNET_RELAYER=$(npm info @chainlink/starknet-relayer version)" >> $GITHUB_ENV

.github/workflows/sonar-scan.yml

@@ -10,13 +10,14 @@ jobs:
     if: always()
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           ref: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }}
+          persist-credentials: false
 
       - name: Wait for Workflows
         id: wait
-        uses: smartcontractkit/chainlink-github-actions/utils/wait-for-workflows@main
+        uses: smartcontractkit/chainlink-github-actions/utils/wait-for-workflows@fb7d3b28c16da25950f4a5d8b15d23b2491dbd8d
         with:
           max-timeout: "1200"
           polling-interval: "30"
@@ -33,10 +34,10 @@ jobs:
     if: always()
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0 # fetches all history for all tags and branches to provide more metadata for sonar reports
-
+          persist-credentials: false
       - name: Download Golangci unit tests reports
         uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
         with:
@@ -95,16 +96,20 @@ jobs:
 
       - name: Update ESLint report symlinks
         continue-on-error: true
-        run: sed -i 's+/home/runner/work/feeds-manager/feeds-manager/+/github/workspace/+g' ${{ steps.sonarqube_report_paths.outputs.sonarqube_eslint_report_paths }}
+        run: sed -i 's+/home/runner/work/feeds-manager/feeds-manager/+/github/workspace/+g' "${ SONAR_ESLINT_REPORT_PATHS }"
 
       - name: SonarQube Scan
         uses: sonarsource/sonarqube-scan-action@86fe81775628f1c6349c28baab87881a2170f495 # v2.1.0
         with:
           args: >
-            -Dsonar.go.tests.reportPaths=${{ steps.sonarqube_report_paths.outputs.sonarqube_tests_report_paths }}
-            -Dsonar.go.coverage.reportPaths=${{ steps.sonarqube_report_paths.outputs.sonarqube_coverage_report_paths }}
-            -Dsonar.go.golangci-lint.reportPaths=${{ steps.sonarqube_report_paths.outputs.sonarqube_golangci_report_paths }}
-            -Dsonar.eslint.reportPaths=${{ steps.sonarqube_report_paths.outputs.sonarqube_eslint_report_paths }}
+            -Dsonar.go.tests.reportPaths="${SONAR_TESTS_REPORT_PATHS}"
+            -Dsonar.go.coverage.reportPaths="${SONAR_COVERAGE_REPORT_PATHS}"
+            -Dsonar.go.golangci-lint.reportPaths="${SONAR_GOLANGCI_REPORT_PATHS}"
+            -Dsonar.eslint.reportPaths="${SONAR_ESLINT_REPORT_PATHS}"
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+          SONAR_ESLINT_REPORT_PATHS: ${{ steps.sonarqube_report_paths.outputs.sonarqube_eslint_report_paths }}
+          SONAR_GOLANGCI_REPORT_PATHS: ${{ steps.sonarqube_report_paths.outputs.sonarqube_golangci_report_paths }}
+          SONAR_COVERAGE_REPORT_PATHS: ${{ steps.sonarqube_report_paths.outputs.sonarqube_coverage_report_paths }}
+          SONAR_TESTS_REPORT_PATHS: ${{ steps.sonarqube_report_paths.outputs.sonarqube_tests_report_paths }}

.github/workflows/static-analysis.yml

@@ -0,0 +1,26 @@
+name: Static Analysis
+
+on:
+  push:
+    branches:
+      - develop
+      - main
+  pull_request:
+
+jobs:
+  zizmor_analyzer:
+    name: Zizmor
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # nix:v2.24.6
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: Check Zizmor
+        run: nix develop -c zizmor .

.golangci.yml

@@ -3,7 +3,7 @@ run:
 linters:
   enable:
     - exhaustive
-    - exportloopref
+    - copyloopvar
     - revive
     - goimports
     - gosec

.tool-versions

@@ -9,7 +9,7 @@ mockery 2.22.1
 golangci-lint 1.62.2
 actionlint 1.6.12
 shellcheck 0.8.0
-scarb 2.8.2
+scarb 2.9.2
 postgres 15.1
 starknet-foundry 0.31.0