From 59cdff75cf5e91f3014b6d17fb80884083625aa3 Mon Sep 17 00:00:00 2001 
From: Erik Burton Date: Tue, 24 Dec 2024 09:11:25 -0500 Subject: [PATCH] fix: potential CI injections (#15720) * fix: persist-credentials false for actions/checkout * fix: possible template injection in CI --- .github/actions/golangci-lint/action.yml | 2 + .../goreleaser-build-sign-publish/README.md | 2 + .../workflows/automation-ondemand-tests.yml | 35 +++++++---- .github/workflows/bash-scripts.yml | 4 ++ .../workflows/build-publish-develop-pr.yml | 20 +++++-- .../workflows/build-publish-goreleaser.yml | 4 ++ .github/workflows/build-publish.yml | 6 ++ .github/workflows/chain-selectors-check.yml | 2 + .github/workflows/changeset.yml | 3 + .github/workflows/changesets-preview-pr.yml | 2 + .github/workflows/ci-core-partial.yml | 8 +++ .github/workflows/ci-core.yml | 17 +++++- .github/workflows/ci-protobuf.yml | 2 + .../workflows/client-compatibility-tests.yml | 50 +++++++++++----- .github/workflows/codeql-analysis.yml | 3 + .github/workflows/crib-integration-test.yml | 4 ++ .github/workflows/delete-caches.yml | 4 +- .github/workflows/delete-deployments.yml | 2 + .github/workflows/dependency-check.yml | 2 + .github/workflows/flakeguard.yml | 60 +++++++++++++------ .github/workflows/go-mod-cache.yml | 2 + .../workflows/integration-in-memory-tests.yml | 2 + .../workflows/integration-tests-publish.yml | 2 + .github/workflows/integration-tests.yml | 16 ++++- .github/workflows/lint-gh-workflows.yml | 2 + .../on-demand-vrfv2-performance-test.yml | 10 +++- .../workflows/on-demand-vrfv2-smoke-tests.yml | 10 +++- .../on-demand-vrfv2plus-performance-test.yml | 10 +++- .../on-demand-vrfv2plus-smoke-tests.yml | 10 +++- .github/workflows/operator-ui-ci.yml | 2 + .../workflows/solidity-foundry-artifacts.yml | 11 +++- .github/workflows/solidity-foundry.yml | 10 ++++ .github/workflows/solidity-hardhat.yml | 4 ++ .github/workflows/solidity-traceability.yml | 4 ++ .github/workflows/solidity-wrappers.yml | 4 ++ .github/workflows/solidity.yml | 18 ++++++ 
...evelop-from-smartcontractkit-chainlink.yml | 1 + 37 files changed, 279 insertions(+), 71 deletions(-) diff --git a/.github/actions/golangci-lint/action.yml b/.github/actions/golangci-lint/action.yml index 22a35682c2d..8fa3e1775d0 100644 --- a/.github/actions/golangci-lint/action.yml +++ b/.github/actions/golangci-lint/action.yml @@ -26,12 +26,14 @@ runs: # Only do a full checkout on merge_groups if: github.event_name == 'merge_group' with: + persist-credentials: false fetch-depth: 0 - name: Checkout repo uses: actions/checkout@v4.2.1 if: github.event_name != 'merge_group' with: + persist-credentials: false fetch-depth: 1 - name: Setup Go diff --git a/.github/actions/goreleaser-build-sign-publish/README.md b/.github/actions/goreleaser-build-sign-publish/README.md index afea60e1203..9b520c1741a 100644 --- a/.github/actions/goreleaser-build-sign-publish/README.md +++ b/.github/actions/goreleaser-build-sign-publish/README.md @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Configure aws credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: diff --git a/.github/workflows/automation-ondemand-tests.yml b/.github/workflows/automation-ondemand-tests.yml index eef02dcddb2..ee917da0e56 100644 --- a/.github/workflows/automation-ondemand-tests.yml +++ b/.github/workflows/automation-ondemand-tests.yml 
@@ -52,45 +52,56 @@ jobs: outputs: test_list: ${{ steps.set-tests.outputs.test_list }} require_chainlink_image_versions_in_qa_ecr: ${{ steps.determine-chainlink-image-check.outputs.require_chainlink_image_versions_in_qa_ecr }} + env: + GH_INPUTS_CHAINLINK_IMAGE: ${{ inputs.chainlinkImage }} + GH_INPUTS_CHAINLINK_IMAGE_UPDATE: ${{ inputs.chainlinkImageUpdate }} + GH_INPUTS_CHAINLINK_VERSION: ${{ inputs.chainlinkVersion }} + GH_INPUTS_CHAINLINK_VERSION_UPDATE: ${{ inputs.chainlinkVersionUpdate }} steps: - name: Determine build to use id: determine-build shell: bash run: | - if [[ "${{ inputs.chainlinkImage }}" == "QA_ECR" ]]; then + if [[ "$GH_INPUTS_CHAINLINK_IMAGE" == "QA_ECR" ]]; then echo "image='{{ env.QA_CHAINLINK_IMAGE }}'" >> $GITHUB_ENV else - echo "image=${{ inputs.chainlinkImage }}" >> $GITHUB_ENV + echo "image=$GH_INPUTS_CHAINLINK_IMAGE" >> $GITHUB_ENV fi - if [[ "${{ inputs.chainlinkImageUpdate }}" == "QA_ECR" ]]; then + if [[ "$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" == "QA_ECR" ]]; then echo "upgrade_image='{{ env.QA_CHAINLINK_IMAGE }}'" >> $GITHUB_ENV else - echo "upgrade_image=${{ inputs.chainlinkImageUpdate }}" >> $GITHUB_ENV + echo "upgrade_image=$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" >> $GITHUB_ENV fi - if [[ -z "${{ inputs.chainlinkVersion }}" ]] && [[ "${{ inputs.chainlinkImage }}" == "QA_ECR" ]]; then + if [[ -z "$GH_INPUTS_CHAINLINK_VERSION" ]] && [[ "$CHAINLINK_IMAGE" == "QA_ECR" ]]; then echo "version=${{ github.sha }}" >> $GITHUB_ENV else - echo "version=${{ inputs.chainlinkVersion }}" >> $GITHUB_ENV + echo "version=$GH_INPUTS_CHAINLINK_VERSION" >> $GITHUB_ENV fi - if [[ -z "${{ inputs.chainlinkVersionUpdate }}" ]] && [[ "${{ inputs.chainlinkImageUpdate }}" == "QA_ECR" ]]; then + if [[ -z "$GH_INPUTS_CHAINLINK_VERSION_UPDATE" ]] && [[ "$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" == "QA_ECR" ]]; then echo "upgrade_version=${{ github.sha }}" >> $GITHUB_ENV else - echo "upgrade_version=${{ inputs.chainlinkVersionUpdate }}" >> $GITHUB_ENV + echo 
"upgrade_version=$GH_INPUTS_CHAINLINK_VERSION_UPDATE" >> $GITHUB_ENV fi - name: Check if chainlink image check required id: determine-chainlink-image-check shell: bash + env: + CHAINLKINK_IMAGE: ${{ github.event.inputs.chainlinkImage }} + CHAINLINK_IMAGE_UPDATE: ${{ github.event.inputs.chainlinkImageUpdate }} run: | chainlink_image_versions="" - if [ "${{ github.event.inputs.chainlinkImage }}" = "QA_ECR" ]; then + if [ "$CHAINLKINK_IMAGE" = "QA_ECR" ]; then chainlink_image_versions+="${{ env.version }}," fi - if [ "${{ github.event.inputs.chainlinkImageUpdate }}" = "QA_ECR" ]; then + if [ "$CHAINLINK_IMAGE_UPDATE" = "QA_ECR" ]; then chainlink_image_versions+="${{ env.upgrade_version }}" fi echo "require_chainlink_image_versions_in_qa_ecr=$chainlink_image_versions" >> $GITHUB_OUTPUT - name: Set tests to run id: set-tests + env: + GH_EVENT_INPUTS_ENABLE_REORG: ${{ github.event.inputs.enableReorg }} + GH_EVENT_INPUTS_ENABLE_CHAOS: ${{ github.event.inputs.enableChaos }} run: | # Always run upgrade tests @@ -118,7 +129,7 @@ jobs: EOF # Run reorg tests if enabled - if [[ "${{ github.event.inputs.enableReorg }}" == 'true' ]]; then + if [[ "$GH_EVENT_INPUTS_ENABLE_REORG" == 'true' ]]; then cat >> test_list.yaml <> test_list.yaml <> $GITHUB_OUTPUT elif [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then - if [ -n "${{ github.event.inputs.base64TestList }}" ]; then + if [ -n "$GH_EVENT_INPUTS_BASE64_TEST_LIST" ]; then echo "Base64-ed Test Input provided, ignoring EVM implementations" else - echo "Will test following EVM implementations: ${{ github.event.inputs.evmImplementations }}" - echo "evm_implementations=${{ github.event.inputs.evmImplementations }}" >> $GITHUB_OUTPUT + echo "Will test following EVM implementations: $GH_EVENT_INPUTS_EVM_IMPLEMENTATIONS" + echo "evm_implementations=$GH_EVENT_INPUTS_EVM_IMPLEMENTATIONS" >> $GITHUB_OUTPUT fi else echo "Will test all EVM implementations" 
@@ -196,6 +202,12 @@ jobs: fi - name: Select Chainlink version id: select-chainlink-version + env: + GH_EVENT_INPUTS_CHAINLINK_VERSION: ${{ github.event.inputs.chainlinkVersion }} + GH_EVENT_PULL_REQUEST_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + GH_EVENT_MERGE_GROUP_HEAD_SHA: ${{ github.event.merge_group.head_sha }} + GH_REF_NAME: ${{ github.ref_name }} + GH_SHA: ${{ github.sha }} run: | PATH=$PATH:$(go env GOPATH)/bin export PATH @@ -209,9 +221,9 @@ jobs: cl_ref_path="releases" elif [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then echo "Fetching Chainlink version from input" - if [ -n "${{ github.event.inputs.chainlinkVersion }}" ]; then + if [ -n "$GH_EVENT_INPUTS_CHAINLINK_VERSION" ]; then echo "Chainlink version provided in input" - chainlink_version="${{ github.event.inputs.chainlinkVersion }}" + chainlink_version="$GH_EVENT_INPUTS_CHAINLINK_VERSION" if [[ "$chainlink_version" =~ ^[0-9a-f]{40}$ ]]; then cl_ref_path="commit" chainlink_image_version=$chainlink_version 
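Review bot: The env block added to the `Select Chainlink version` step defines `GH_SHA` and `GH_REF_NAME`, which duplicate the runner's default `GITHUB_SHA` and `GITHUB_REF_NAME` variables; the same script already reads `$GITHUB_EVENT_NAME` and `$GITHUB_REF_TYPE` directly, so the two entries could be dropped and the later assignments written as `chainlink_version="$GITHUB_SHA"` and `chainlink_version="$GITHUB_REF_NAME"`. The `chainlink_version=$GH_SHA` assignment in the following hunk is also the only unquoted one; quoting it would match its neighbours. The step's `run:` body extends beyond both hunks on this line.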
@@ -222,23 +234,23 @@ jobs: fi else echo "Chainlink version not provided in input. Using latest commit SHA." - chainlink_version=${{ github.sha }} + chainlink_version=$GH_SHA chainlink_image_version=$chainlink_version cl_ref_path="commit" fi elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then echo "Fetching Chainlink version from PR's head commit" - chainlink_version="${{ github.event.pull_request.head.sha }}" + chainlink_version="$GH_EVENT_PULL_REQUEST_HEAD_SHA" chainlink_image_version=$chainlink_version cl_ref_path="commit" elif [ "$GITHUB_EVENT_NAME" = "merge_queue" ]; then echo "Fetching Chainlink version from merge queue's head commit" - chainlink_version="${{ github.event.merge_group.head_sha }}" + chainlink_version="$GH_EVENT_MERGE_GROUP_HEAD_SHA" chainlink_image_version=$chainlink_version cl_ref_path="commit" elif [ "$GITHUB_REF_TYPE" = "tag" ]; then echo "Fetching Chainlink version from tag" - chainlink_version="${{ github.ref_name }}" + chainlink_version="$GH_REF_NAME" # strip the 'v' from the version, because we tag our Docker images without it chainlink_image_version="${chainlink_version#v}" cl_ref_path="releases" @@ -253,13 +265,16 @@ jobs: echo "cl_ref_path=$cl_ref_path" >> $GITHUB_OUTPUT - name: Get image count id: get-image-count + env: + GH_EVENT_INPUTS_BASE64_TEST_LIST: ${{ github.event.inputs.base64TestList }} + GH_EVENT_INPUTS_LATEST_VERSIONS_NUMBER: ${{ github.event.inputs.latestVersionsNumber }} run: | if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then echo "Fetching latest image count from input" - if [ -n "${{ github.event.inputs.base64TestList }}" ]; then + if [ -n "$GH_EVENT_INPUTS_BASE64_TEST_LIST" ]; then echo "Base64-ed Test Input provided, ignoring latest image count" else - image_count="${{ github.event.inputs.latestVersionsNumber }}" + image_count="$GH_EVENT_INPUTS_LATEST_VERSIONS_NUMBER" echo "image_count=$image_count" >> $GITHUB_OUTPUT fi else 
@@ -326,6 +341,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ needs.select-versions.outputs.chainlink_version }} - name: Build Chainlink Image uses: ./.github/actions/build-chainlink-image @@ -595,6 +611,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ needs.select-versions.outputs.chainlink_version }} - name: Setup GAP for Grafana @@ -851,6 +868,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ needs.select-versions.outputs.chainlink_version }} - name: Get test results for ${{ matrix.product }} id: get-product-results diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d90139e5292..c0294645465 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -23,6 +23,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes @@ -55,6 +56,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Set up Go if: ${{ matrix.type.language == 'go' && matrix.type.should-run == 'true' }} diff --git a/.github/workflows/crib-integration-test.yml b/.github/workflows/crib-integration-test.yml index a6f995d57ba..4592bdbb70a 100644 --- a/.github/workflows/crib-integration-test.yml +++ b/.github/workflows/crib-integration-test.yml @@ -20,6 +20,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27 with: 
@@ -93,6 +95,8 @@ jobs: product-image: ${{ secrets.AWS_SDLC_ECR_HOSTNAME }}/chainlink product-image-tag: develop - uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Set up Go uses: ./.github/actions/setup-go with: diff --git a/.github/workflows/delete-caches.yml b/.github/workflows/delete-caches.yml index 64b9e799665..aa714d38815 100644 --- a/.github/workflows/delete-caches.yml +++ b/.github/workflows/delete-caches.yml @@ -21,7 +21,9 @@ jobs: PR_NUMBER: ${{ github.event.pull_request.number }} steps: - name: Check out code - uses: actions/checkout@v4.1.2 + uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup gh-actions-cache extension env: diff --git a/.github/workflows/delete-deployments.yml b/.github/workflows/delete-deployments.yml index 547b29bceec..ff24db42229 100644 --- a/.github/workflows/delete-deployments.yml +++ b/.github/workflows/delete-deployments.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Clean up integration environment uses: ./.github/actions/delete-deployments diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 4b2a2f32f79..0b09747f509 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Set up Go if: needs.changes.outputs.src == 'true' diff --git a/.github/workflows/flakeguard.yml b/.github/workflows/flakeguard.yml index 93f380606b0..e1c7bbb5f36 100644 --- a/.github/workflows/flakeguard.yml +++ b/.github/workflows/flakeguard.yml 
@@ -91,8 +91,9 @@ jobs: git_base_sha: ${{ steps.get_commit_sha.outputs.git_base_sha }} steps: - name: Checkout repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + uses: actions/checkout@v4.2.1 with: + persist-credentials: false fetch-depth: 0 ref: ${{ env.GIT_HEAD_REF }} @@ -140,11 +141,14 @@ jobs: env: # Needed to run go test -list CL_DATABASE_URL: postgresql://postgres@localhost:5432/chainlink_test?sslmode=disable + GH_INPUTS_PROJECT_PATH: ${{ inputs.projectPath }} + GH_INPUTS_FIND_BY_TEST_FILES_DIFF: ${{ inputs.findByTestFilesDiff }} + GH_INPUTS_FIND_BY_AFFECTED_PACKAGES: ${{ inputs.findByAffectedPackages }} run: | PATH=$PATH:$(go env GOPATH)/bin export PATH - PACKAGES=$(flakeguard find --find-by-test-files-diff=${{ inputs.findByTestFilesDiff }} --find-by-affected-packages=${{ inputs.findByAffectedPackages }} --base-ref=origin/${{ env.GIT_BASE_REF }} --project-path=${{ inputs.projectPath }}) + PACKAGES=$(flakeguard find --find-by-test-files-diff=$GH_INPUTS_FIND_BY_TEST_FILES_DIFF --find-by-affected-packages=$GH_INPUTS_FIND_BY_AFFECTED_PACKAGES --base-ref=origin/${{ env.GIT_BASE_REF }} --project-path=${GH_INPUTS_PROJECT_PATH}) echo $PACKAGES echo "packages=$PACKAGES" >> $GITHUB_OUTPUT 
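Review bot: In the `flakeguard find` invocation, `--base-ref=origin/${{ env.GIT_BASE_REF }}` is still a template expansion into the shell script, and the `$GH_INPUTS_*` expansions are unquoted, so a value containing whitespace or glob characters is word-split before it reaches the command. Workflow `env` values are already present in the step's environment, so the line can be written entirely with quoted shell variables: `PACKAGES=$(flakeguard find --find-by-test-files-diff="$GH_INPUTS_FIND_BY_TEST_FILES_DIFF" --find-by-affected-packages="$GH_INPUTS_FIND_BY_AFFECTED_PACKAGES" --base-ref="origin/$GIT_BASE_REF" --project-path="$GH_INPUTS_PROJECT_PATH")`. The same `${{ env.GIT_BASE_REF }}` and `${{ env.ALL_TESTS_RUNNER_COUNT }}` pattern remains in the `@@ -155,19` hunk, and `cd $GH_INPUTS_PROJECT_PATH` in `@@ -280,8` is likewise unquoted. Where `GIT_BASE_REF` is populated is outside this hunk, so whether it can carry user-controlled data cannot be confirmed here.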
@@ -155,19 +159,22 @@ jobs: env: # Needed to run go test -list CL_DATABASE_URL: postgresql://postgres@localhost:5432/chainlink_test?sslmode=disable + GH_INPUTS_PROJECT_PATH: ${{ inputs.projectPath }} run: | PATH=$PATH:$(go env GOPATH)/bin export PATH - TEST_FILES=$(flakeguard find --only-show-changed-test-files=true --base-ref=origin/${{ env.GIT_BASE_REF }} --project-path=${{ inputs.projectPath }}) + TEST_FILES=$(flakeguard find --only-show-changed-test-files=true --base-ref=origin/${{ env.GIT_BASE_REF }} --project-path=${GH_INPUTS_PROJECT_PATH}) echo $TEST_FILES echo "test_files=$TEST_FILES" >> $GITHUB_OUTPUT - name: Split test packages into groups id: split-packages shell: bash + env: + GH_INPUTS_RUN_ALL_TESTS: ${{ inputs.runAllTests }} run: | - if [[ "${{ inputs.runAllTests }}" == "true" ]]; then + if [[ "$GH_INPUTS_RUN_ALL_TESTS" == "true" ]]; then # Use ALL_TESTS_RUNNER for a specified number of groups, each with "./..." to run all tests ALL_TESTS_RUNNER_COUNT=${{ env.ALL_TESTS_RUNNER_COUNT }} @@ -235,8 +242,9 @@ jobs: DB_URL: postgresql://postgres:postgres@localhost:5432/chainlink_test?sslmode=disable steps: - name: Checkout repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ env.GIT_HEAD_REF }} - name: Setup NodeJS @@ -280,8 +288,10 @@ jobs: - name: Go mod tidy shell: bash + env: + GH_INPUTS_PROJECT_PATH: ${{ inputs.projectPath }} run: | - cd ${{ inputs.projectPath }} + cd $GH_INPUTS_PROJECT_PATH go mod tidy - name: Generate random id 
@@ -294,9 +304,11 @@ jobs: - name: Run tests with flakeguard shell: bash - run: flakeguard run --project-path=${{ inputs.projectPath }} --test-packages=${{ matrix.testPackages }} --run-count=${{ env.TEST_REPEAT_COUNT }} --max-pass-ratio=${{ inputs.maxPassRatio }} --race=${{ env.RUN_WITH_RACE }} --shuffle=${{ env.RUN_WITH_SHUFFLE }} --shuffle-seed=${{ env.SHUFFLE_SEED }} --skip-tests=${{ env.SKIPPED_TESTS }} --output-json=test-result.json --omit-test-outputs-on-success=${{ env.OMIT_TEST_OUTPUTS_ON_SUCCESS }} env: + GH_INPUTS_PROJECT_PATH: ${{ inputs.projectPath }} + GH_INPUTS_MAX_PASS_RATIO: ${{ inputs.maxPassRatio }} CL_DATABASE_URL: ${{ env.DB_URL }} + run: flakeguard run --project-path=$GH_INPUTS_PROJECT_PATH} --test-packages=${{ matrix.testPackages }} --run-count=${{ env.TEST_REPEAT_COUNT }} --max-pass-ratio=$GH_INPUTS_MAX_PASS_RATIO --race=${{ env.RUN_WITH_RACE }} --shuffle=${{ env.RUN_WITH_SHUFFLE }} --shuffle-seed=${{ env.SHUFFLE_SEED }} --skip-tests=${{ env.SKIPPED_TESTS }} --output-json=test-result.json --omit-test-outputs-on-success=${{ env.OMIT_TEST_OUTPUTS_ON_SUCCESS }} - name: Upload test result as artifact if: always() @@ -315,8 +327,9 @@ jobs: test_results: ${{ steps.results.outputs.results }} steps: - name: Checkout repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ env.GIT_HEAD_REF }} - name: Setup Go uses: ./.github/actions/setup-go 
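Review bot: The rewritten `flakeguard run` line has a stray closing brace in `--project-path=$GH_INPUTS_PROJECT_PATH}`; bash expands `$GH_INPUTS_PROJECT_PATH` and keeps the literal `}`, so the tool receives a path such as `.}` and the step fails or runs against the wrong directory. It should read `--project-path="$GH_INPUTS_PROJECT_PATH"`. The `${{ env.* }}` expansions on the same line are already available as shell variables (`$TEST_REPEAT_COUNT`, `$RUN_WITH_RACE`, and so on) and could be quoted the same way, and `matrix.testPackages` could be passed via an added env entry since it is derived from an earlier step's output rather than fixed in the workflow.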
@@ -325,11 +338,13 @@ jobs: - name: Set Pretty Project Path id: set_project_path_pretty + env: + GH_INPUTS_PROJECT_PATH: ${{ inputs.projectPath }} run: | - if [ "${{ inputs.projectPath }}" = "." ]; then + if [ "$GH_INPUTS_PROJECT_PATH" = "." ]; then echo "path=github.com/${{ github.repository }}" >> $GITHUB_OUTPUT else - echo "path=github.com/${{ github.repository }}/${{ inputs.projectPath }}" >> $GITHUB_OUTPUT + echo "path=github.com/${{ github.repository }}/${GH_INPUTS_PROJECT_PATH}" >> $GITHUB_OUTPUT fi - name: Download all test result artifacts @@ -346,6 +361,9 @@ jobs: - name: Aggregate Flakeguard Results id: results shell: bash + env: + GH_INPUTS_REPO_URL: ${{ inputs.repoUrl }} + GH_INPUTS_MAX_PASS_RATIO: ${{ inputs.maxPassRatio }} run: | set -e # Exit immediately if a command exits with a non-zero status. @@ -362,8 +380,8 @@ jobs: --output-path ./flakeguard-report \ --repo-path "${{ github.workspace }}" \ --codeowners-path "${{ github.workspace }}/.github/CODEOWNERS" \ - --max-pass-ratio "${{ inputs.maxPassRatio }}" \ - --repo-url "${{ inputs.repoUrl }}" \ + --max-pass-ratio "$GH_INPUTS_MAX_PASS_RATIO" \ + --repo-url "$GH_INPUTS_REPO_URL" \ --base-sha "${{ needs.get-tests.outputs.git_base_sha }}" \ --head-sha "${{ needs.get-tests.outputs.git_head_sha }}" \ --github-workflow-name "${{ github.workflow }}" \ @@ -409,6 +427,10 @@ jobs: if: success() || failure() env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + GH_INPUTS_MAX_PASS_RATIO: ${{ inputs.maxPassRatio }} + GH_EVENT_NAME: ${{ github.event_name }} + GH_EVENT_PULL_REQUEST_BASE_REF: ${{ github.event.pull_request.base.ref }} + GH_EVENT_PULL_REQUEST_HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | set -e # Exit immediately if a command exits with a non-zero status. 
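Review bot: The env block added in the `@@ -409,6` hunk defines `GH_EVENT_NAME: ${{ github.event_name }}`, which duplicates the default `GITHUB_EVENT_NAME` variable; the other workflow in this patch (`client-compatibility-tests.yml`) compares `$GITHUB_EVENT_NAME` directly, so using the same name here would keep the two consistent and drop one env entry. The `GH_EVENT_PULL_REQUEST_*` entries are worth keeping, since those contexts have no default-variable equivalent. The step's `run:` body continues past the hunk.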
@@ -417,7 +439,7 @@ jobs: export PATH # Check if the event is a pull request - if [ "${{ github.event_name }}" = "pull_request" ]; then + if [ "$GH_EVENT_NAME" = "pull_request" ]; then flakeguard generate-report \ --aggregated-results-path ./flakeguard-report/all-test-results.json \ --summary-path ./flakeguard-report/all-test-summary.json \ @@ -426,12 +448,12 @@ jobs: --github-run-id "${{ github.run_id }}" \ --failed-tests-artifact-name "failed-test-results-with-logs.json" \ --generate-pr-comment \ - --base-branch "${{ github.event.pull_request.base.ref }}" \ + --base-branch "$GH_EVENT_PULL_REQUEST_BASE_REF" \ --current-branch "${{ github.head_ref }}" \ - --current-commit-sha "${{ github.event.pull_request.head.sha }}" \ + --current-commit-sha "$GH_EVENT_PULL_REQUEST_HEAD_SHA" \ --repo-url "https://github.com/${{ github.repository }}" \ --action-run-id "${{ github.run_id }}" \ - --max-pass-ratio "${{ inputs.maxPassRatio }}" + --max-pass-ratio "$GH_INPUTS_MAX_PASS_RATIO" else flakeguard generate-report \ --aggregated-results-path ./flakeguard-report/all-test-results.json \ @@ -440,12 +462,12 @@ jobs: --github-repository "${{ github.repository }}" \ --github-run-id "${{ github.run_id }}" \ --failed-tests-artifact-name "failed-test-results-with-logs.json" \ - --base-branch "${{ github.event.pull_request.base.ref }}" \ + --base-branch "$GH_EVENT_PULL_REQUEST_BASE_REF" \ --current-branch "${{ github.head_ref }}" \ - --current-commit-sha "${{ github.event.pull_request.head.sha }}" \ + --current-commit-sha "$GH_EVENT_PULL_REQUEST_HEAD_SHA" \ --repo-url "https://github.com/${{ github.repository }}" \ --action-run-id "${{ github.run_id }}" \ - --max-pass-ratio "${{ inputs.maxPassRatio }}" + --max-pass-ratio "$GH_INPUTS_MAX_PASS_RATIO" fi - name: Add Github Summary diff --git a/.github/workflows/go-mod-cache.yml b/.github/workflows/go-mod-cache.yml index 3caac1eff3f..e90e6a9f285 100644 --- a/.github/workflows/go-mod-cache.yml +++ b/.github/workflows/go-mod-cache.yml 
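Review bot: Both `flakeguard generate-report` branches still pass `--current-branch "${{ github.head_ref }}"` as a template expansion inside the `run:` script (this hunk and `@@ -440,12`); for pull requests the head branch name is chosen by the PR author, so it is the same class of value the commit moves into environment variables elsewhere. Add `GH_HEAD_REF: ${{ github.head_ref }}` to the step's env block (defined in the preceding `@@ -409,6` hunk) and use `--current-branch "$GH_HEAD_REF"` in both branches. The `github.repository` and `github.run_id` expansions on the neighbouring lines are repository and run metadata rather than user input. The step's `run:` body begins before this hunk.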
@@ -31,6 +31,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup Go uses: ./.github/actions/setup-go diff --git a/.github/workflows/integration-in-memory-tests.yml b/.github/workflows/integration-in-memory-tests.yml index 341d66f641e..e124b12eb28 100644 --- a/.github/workflows/integration-in-memory-tests.yml +++ b/.github/workflows/integration-in-memory-tests.yml @@ -33,6 +33,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 @@ -134,6 +135,7 @@ jobs: if: ${{ github.event_name == 'pull_request' }} uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} diff --git a/.github/workflows/integration-tests-publish.yml b/.github/workflows/integration-tests-publish.yml index df07cc1e231..523974b4aed 100644 --- a/.github/workflows/integration-tests-publish.yml +++ b/.github/workflows/integration-tests-publish.yml @@ -23,6 +23,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Setup Other Tags If Not Workflow Dispatch id: tags @@ -68,6 +69,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ github.sha }} - name: Build Chainlink Image uses: ./.github/actions/build-chainlink-image diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index e79956cc253..33bb7721d77 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml 
@@ -54,6 +54,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} - name: Check Merge Group Condition @@ -88,6 +89,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 @@ -140,6 +142,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref || github.event.pull_request.head.sha || github.event.merge_group.head_sha }} - name: Setup Github Token @@ -386,6 +389,7 @@ jobs: if: ${{ github.event_name == 'pull_request' }} uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} @@ -405,6 +409,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref || github.event.pull_request.head.sha || github.event.merge_group.head_sha }} - name: Download All Artifacts @@ -429,6 +434,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref || github.event.pull_request.head.sha || github.event.merge_group.head_sha }} - name: Setup Go @@ -449,6 +455,7 @@ jobs: - name: Checkout solana uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink-solana ref: develop fetch-depth: 0 @@ -476,6 +483,7 @@ jobs: - name: Checkout the solana repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink-solana ref: ${{ needs.get_solana_sha.outputs.sha }} - name: Get ProjectSerum Version 
@@ -524,6 +532,7 @@ jobs: - name: Checkout the solana repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink-solana ref: ${{ needs.get_solana_sha.outputs.sha }} - name: Build contracts @@ -558,6 +567,7 @@ jobs: if: (needs.changes.outputs.core_changes == 'true' || github.event_name == 'workflow_dispatch') && needs.solana-test-image-exists.outputs.exists == 'false' uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink-solana ref: ${{ needs.get_solana_sha.outputs.sha }} - name: Download Artifacts @@ -606,6 +616,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink-solana ref: ${{ needs.get_solana_sha.outputs.sha }} - name: Run Setup @@ -646,10 +657,13 @@ jobs: yarn --cwd ./gauntlet build yarn --cwd ./gauntlet gauntlet - name: Generate config overrides + env: + GH_INPUTS_EVM_REF: ${{ inputs.evm-ref }} + GH_SHA: ${{ github.sha }} run: | # https://github.com/smartcontractkit/chainlink-testing-framework/lib/blob/main/config/README.md cat << EOF > config.toml [ChainlinkImage] - version="${{ inputs.evm-ref || github.sha }}" + version="${{ env.evm-ref || env.GH_SHA }}" [Common] user="${{ github.actor }}" internal_docker_repo = "${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com" diff --git a/.github/workflows/lint-gh-workflows.yml b/.github/workflows/lint-gh-workflows.yml index 9897c023576..a3aaacb1abe 100644 --- a/.github/workflows/lint-gh-workflows.yml +++ b/.github/workflows/lint-gh-workflows.yml @@ -8,5 +8,7 @@ jobs: steps: - name: Check out Code uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Run actionlint uses: reviewdog/action-actionlint@c6ee1eb0a5d47b2af53a203652b5dac0b6c4016e # v1.43.0 
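Review bot: In the `Generate config overrides` step, `version="${{ env.evm-ref || env.GH_SHA }}"` refers to `env.evm-ref`, but the variable the new env block defines is `GH_INPUTS_EVM_REF`; no `evm-ref` env entry exists in the hunk, so the expression always falls through to `GH_SHA` and the `evm-ref` input is silently ignored. Since the heredoc delimiter is unquoted (`cat << EOF`), the shell expands variables inside it, so the line can drop the template expansion entirely: `version="${GH_INPUTS_EVM_REF:-$GH_SHA}"`. `GH_SHA` also duplicates the default `GITHUB_SHA` variable. The heredoc continues past the end of the hunk.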
diff --git a/.github/workflows/on-demand-vrfv2-performance-test.yml b/.github/workflows/on-demand-vrfv2-performance-test.yml index f9aeaa0fa1f..2f3ea12cbe2 100644 --- a/.github/workflows/on-demand-vrfv2-performance-test.yml +++ b/.github/workflows/on-demand-vrfv2-performance-test.yml @@ -34,13 +34,17 @@ jobs: runs-on: ubuntu-latest outputs: test_list: ${{ steps.set-tests.outputs.test_list }} + env: + GH_INPUTS_TEST_LIST_REGEX: ${{ inputs.test_list_regex }} + GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH: ${{ inputs.test_config_override_path }} + GH_INPUTS_PERFORMANCE_TEST_TYPE: ${{ inputs.performanceTestType }} steps: - name: Generate Test List JSON id: set-tests run: | - TEST_CMD='cd integration-tests/load && go test -v -count=1 -timeout 24h -run "${{ inputs.test_list_regex }}" ./vrfv2' - TEST_CONFIG_OVERRIDE_PATH=${{ inputs.test_config_override_path }} - TEST_TYPE=${{ inputs.performanceTestType }} + TEST_CMD='cd integration-tests/load && go test -v -count=1 -timeout 24h -run "$GH_INPUTS_TEST_LIST_REGEX" ./vrfv2' + TEST_CONFIG_OVERRIDE_PATH=$GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH + TEST_TYPE=$GH_INPUTS_PERFORMANCE_TEST_TYPE TEST_LIST=$(jq -n -c \ --arg test_cmd "$TEST_CMD" \ diff --git a/.github/workflows/on-demand-vrfv2-smoke-tests.yml b/.github/workflows/on-demand-vrfv2-smoke-tests.yml index ad616dea744..db242c1aae2 100644 --- a/.github/workflows/on-demand-vrfv2-smoke-tests.yml +++ b/.github/workflows/on-demand-vrfv2-smoke-tests.yml 
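Review bot: `TEST_CMD='... -run "$GH_INPUTS_TEST_LIST_REGEX" ./vrfv2'` is single-quoted, so the shell does not expand the variable here; before this change the regex was substituted by the template engine before the script ran, whereas now the literal text `$GH_INPUTS_TEST_LIST_REGEX` is stored in `TEST_CMD` and handed to `jq`. Unless whatever later executes the command from `test_list` has this variable set, the filter reaches `go test` empty and every test in the package runs. Double quotes with the inner quotes escaped keep the value in the command string: `TEST_CMD="cd integration-tests/load && go test -v -count=1 -timeout 24h -run \"$GH_INPUTS_TEST_LIST_REGEX\" ./vrfv2"`; note this still embeds the input in a command string executed downstream, which this step cannot validate on its own. The same single-quoted form appears in the following hunks for `on-demand-vrfv2-smoke-tests.yml`, `on-demand-vrfv2plus-performance-test.yml` and `on-demand-vrfv2plus-smoke-tests.yml`.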
@@ -41,13 +41,17 @@ jobs: steps: - name: Generate Test List JSON id: set-tests + env: + GH_INPUTS_TEST_SUITE: ${{ inputs.test_suite }} + GH_INPUTS_TEST_LIST_REGEX: ${{ inputs.test_list_regex }} + GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH: ${{ inputs.test_config_override_path }} run: | - if [[ "${{ inputs.test_suite }}" == "All Tests" ]]; then + if [[ "$GH_INPUTS_TEST_SUITE" == "All Tests" ]]; then TEST_CMD="cd integration-tests/smoke && go test vrfv2_test.go -test.parallel=1 -timeout 3h -count=1 -json -v" else - TEST_CMD='cd integration-tests/smoke && go test -test.run "${{ inputs.test_list_regex }}" -test.parallel=1 -timeout 2h -count=1 -json -v' + TEST_CMD='cd integration-tests/smoke && go test -test.run "$GH_INPUTS_TEST_LIST_REGEX" -test.parallel=1 -timeout 2h -count=1 -json -v' fi - TEST_CONFIG_OVERRIDE_PATH=${{ inputs.test_config_override_path }} + TEST_CONFIG_OVERRIDE_PATH=$GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH TEST_LIST=$(jq -n -c \ --arg test_cmd "$TEST_CMD" \ diff --git a/.github/workflows/on-demand-vrfv2plus-performance-test.yml b/.github/workflows/on-demand-vrfv2plus-performance-test.yml index b3a820e25a0..66878c552fd 100644 --- a/.github/workflows/on-demand-vrfv2plus-performance-test.yml +++ b/.github/workflows/on-demand-vrfv2plus-performance-test.yml 
@@ -34,13 +34,17 @@ jobs: runs-on: ubuntu-latest outputs: test_list: ${{ steps.set-tests.outputs.test_list }} + env: + GH_INPUTS_TEST_LIST_REGEX: ${{ inputs.test_list_regex }} + GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH: ${{ inputs.test_config_override_path }} + GH_INPUTS_PERFORMANCE_TEST_TYPE: ${{ inputs.performanceTestType }} steps: - name: Generate Test List JSON id: set-tests run: | - TEST_CMD='cd integration-tests/load && go test -v -count=1 -timeout 24h -run "${{ inputs.test_list_regex }}" ./vrfv2plus' - TEST_CONFIG_OVERRIDE_PATH=${{ inputs.test_config_override_path }} - TEST_TYPE=${{ inputs.performanceTestType }} + TEST_CMD='cd integration-tests/load && go test -v -count=1 -timeout 24h -run "$GH_INPUTS_TEST_LIST_REGEX" ./vrfv2plus' + TEST_CONFIG_OVERRIDE_PATH=$GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH + TEST_TYPE=$GH_INPUTS_PERFORMANCE_TEST_TYPE TEST_LIST=$(jq -n -c \ --arg test_cmd "$TEST_CMD" \ diff --git a/.github/workflows/on-demand-vrfv2plus-smoke-tests.yml b/.github/workflows/on-demand-vrfv2plus-smoke-tests.yml index 8561034b103..51c80af9bfa 100644 --- a/.github/workflows/on-demand-vrfv2plus-smoke-tests.yml +++ b/.github/workflows/on-demand-vrfv2plus-smoke-tests.yml 
@@ -41,13 +41,17 @@ jobs: steps: - name: Generate Test List JSON id: set-tests + env: + GH_INPUTS_TEST_SUITE: ${{ inputs.test_suite }} + GH_INPUTS_TEST_LIST_REGEX: ${{ inputs.test_list_regex }} + GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH: ${{ inputs.test_config_override_path }} run: | - if [[ "${{ inputs.test_suite }}" == "All Tests" ]]; then + if [[ "$GH_INPUTS_TEST_SUITE" == "All Tests" ]]; then TEST_CMD="cd integration-tests/smoke && go test vrfv2plus_test.go -test.parallel=1 -timeout 3h -count=1 -json -v" else - TEST_CMD='cd integration-tests/smoke && go test -test.run "${{ inputs.test_list_regex }}" -test.parallel=1 -timeout 2h -count=1 -json -v' + TEST_CMD='cd integration-tests/smoke && go test -test.run "$GH_INPUTS_TEST_LIST_REGEX" -test.parallel=1 -timeout 2h -count=1 -json -v' fi - TEST_CONFIG_OVERRIDE_PATH=${{ inputs.test_config_override_path }} + TEST_CONFIG_OVERRIDE_PATH=$GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH TEST_LIST=$(jq -n -c \ --arg test_cmd "$TEST_CMD" \ diff --git a/.github/workflows/operator-ui-ci.yml b/.github/workflows/operator-ui-ci.yml index 9bce18f8cff..7ea1cd8327b 100644 --- a/.github/workflows/operator-ui-ci.yml +++ b/.github/workflows/operator-ui-ci.yml @@ -33,6 +33,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Get operator-ui tag id: get-operator-ui-tag diff --git a/.github/workflows/solidity-foundry-artifacts.yml b/.github/workflows/solidity-foundry-artifacts.yml index dbf31a4b442..460e3dfa7be 100644 --- a/.github/workflows/solidity-foundry-artifacts.yml +++ b/.github/workflows/solidity-foundry-artifacts.yml @@ -50,6 +50,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ env.head_ref }} - name: Find modified contracts uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 
@@ -86,8 +87,10 @@ jobs:
 - name: Transform modified files
 id: changes-transform
 shell: bash
+ env:
+ GH_INPUTS_PRODUCT: ${{ inputs.product }}
 run: |
- if [ "${{ inputs.product }}" = "shared" ]; then
+ if [ "$GH_INPUTS_PRODUCT" = "shared" ]; then
 echo "::debug:: Product is shared, transforming changes"
 if [[ "${{ steps.changes-dorny.outputs.product }}" == "true" && "${{ steps.changes-dorny.outputs.other_shared }}" == "true" ]]; then
 echo "::debug:: Changes were found in 'shared' folder and in 'interfaces' and root folders"
@@ -128,6 +131,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Extract Foundry version
 id: extract-foundry-version
@@ -137,8 +142,10 @@ jobs:
 - name: Should skip code coverage report
 id: skip-code-coverage
+ env:
+ GH_INPUTS_PRODUCT: ${{ inputs.product }}
 run: |
- if [[ "${{ inputs.product }}" = "automation" || "${{ inputs.product }}" = "vrf" || "${{ inputs.product }}" = "functions" ]]; then
+ if [[ "$GH_INPUTS_PRODUCT" = "automation" || "$GH_INPUTS_PRODUCT" = "vrf" || "$GH_INPUTS_PRODUCT" = "functions" ]]; then
 echo "generate_code_coverage=false" >> $GITHUB_OUTPUT
 else
 echo "generate_code_coverage=true" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/solidity-foundry.yml b/.github/workflows/solidity-foundry.yml
index 5c6889beaf8..618ab046e28 100644
--- a/.github/workflows/solidity-foundry.yml
+++ b/.github/workflows/solidity-foundry.yml
@@ -48,6 +48,8 @@ jobs:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Extract Foundry version
 id: extract-foundry-version
@@ -69,6 +71,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Detect changes
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
 id: changes
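Review bot: The changes-transform run block still interpolates `${{ steps.changes-dorny.outputs.product }}` and `${{ steps.changes-dorny.outputs.other_shared }}` straight into the shell source, two lines below the `if` that this hunk converts to `$GH_INPUTS_PRODUCT`. Those values come from the paths-filter step rather than from a caller, so they are presumably `true`/`false` and the exposure is smaller than for workflow inputs, but the script is now half-converted and the mixed style invites the next raw interpolation. For consistency, route them through the step's `env:` as well, e.g. `GH_STEPS_CHANGES_PRODUCT: ${{ steps.changes-dorny.outputs.product }}` and `GH_STEPS_CHANGES_OTHER_SHARED: ${{ steps.changes-dorny.outputs.other_shared }}`, and compare `"$GH_STEPS_CHANGES_PRODUCT"` and `"$GH_STEPS_CHANGES_OTHER_SHARED"` in the test. The run block continues past the hunk.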
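Review bot: In the skip-code-coverage hunk the two `echo ... >> $GITHUB_OUTPUT` lines that surround the converted `if` leave the redirection target unquoted. The runner-provided path contains no whitespace in practice, but `>> "$GITHUB_OUTPUT"` is the conventional form and matches the quoting now applied to `"$GH_INPUTS_PRODUCT"` on the changed line. The `fi` that closes the block falls outside the hunk.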
@@ -154,6 +158,7 @@ jobs:
 || needs.changes.outputs.non_src_changes == 'true' }}
 uses: actions/checkout@v4.2.1
 with:
+ persist-credentials: false
 submodules: recursive # Only needed because we use the NPM versions of packages
@@ -327,10 +332,13 @@ jobs:
 steps:
 - name: Checkout this repository
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Checkout .github repository
 uses: actions/checkout@v4.2.1
 with:
+ persist-credentials: false
 repository: smartcontractkit/.github
 ref: b6e37806737eef87e8c9137ceeb23ef0bff8b1db # validate-solidity-artifacts@0.1.0
 path: ./dot_github
@@ -415,6 +423,7 @@ jobs:
 if: needs.changes.outputs.sol_mod_only == 'true'
 uses: actions/checkout@v4.2.1
 with:
+ persist-credentials: false
 ref: ${{ github.base_ref }}
 - name: Download Slither scripts
@@ -608,6 +617,7 @@ jobs:
 if: ${{ (contains(fromJson(needs.changes.outputs.all_changes), matrix.product.name) || needs.changes.outputs.non_src_changes == 'true') && matrix.product.setup.run-forge-fmt }}
 uses: actions/checkout@v4.2.1
 with:
+ persist-credentials: false
 submodules: recursive
 - name: Setup NodeJS
diff --git a/.github/workflows/solidity-hardhat.yml b/.github/workflows/solidity-hardhat.yml
index 6f27f8ca2f8..e2da95eae6e 100644
--- a/.github/workflows/solidity-hardhat.yml
+++ b/.github/workflows/solidity-hardhat.yml
@@ -20,6 +20,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
 id: changes
 with:
@@ -40,6 +42,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Setup NodeJS
 uses: ./.github/actions/setup-nodejs
 - name: Setup Hardhat
diff --git a/.github/workflows/solidity-traceability.yml b/.github/workflows/solidity-traceability.yml
index caa233ea8bb..a894175f6f3 100644
--- a/.github/workflows/solidity-traceability.yml
+++ b/.github/workflows/solidity-traceability.yml
@@ -23,6 +23,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Filter paths
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
@@ -59,6 +61,7 @@ jobs:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
 with:
+ persist-credentials: false
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Assume role capable of dispatching action
@@ -94,6 +97,7 @@ jobs:
 - name: Checkout .Github repository
 uses: actions/checkout@v4.2.1
 with:
+ persist-credentials: false
 repository: smartcontractkit/.github
 ref: 6781e048ecc1aadf7d605722c32e8068a5f829ce # jira-tracing@0.3.0
 path: ./dot_github
diff --git a/.github/workflows/solidity-wrappers.yml b/.github/workflows/solidity-wrappers.yml
index b2acdf6ca5e..941a3e2f196 100644
--- a/.github/workflows/solidity-wrappers.yml
+++ b/.github/workflows/solidity-wrappers.yml
@@ -24,6 +24,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Detect changes
 id: ch
 uses: ./.github/actions/detect-solidity-file-changes
@@ -41,6 +43,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Setup Go
 uses: ./.github/actions/setup-go
diff --git a/.github/workflows/solidity.yml b/.github/workflows/solidity.yml
index 605b3f2e325..c162380940f 100644
--- a/.github/workflows/solidity.yml
+++ b/.github/workflows/solidity.yml
@@ -17,6 +17,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Detect readonly solidity file changes
 id: ch
 uses: ./.github/actions/detect-solidity-readonly-file-changes
@@ -29,6 +31,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Detect changes
 id: ch
 uses: ./.github/actions/detect-solidity-file-changes
@@ -44,6 +48,8 @@ jobs:
 pre-release-version: ${{ steps.release-tag-check.outputs.pre-release-version }}
 steps:
 - uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Check release tag
 id: release-tag-check
 uses: smartcontractkit/chainlink-github-actions/release/release-tag-check@5dd916d08c03cb5f9a97304f4f174820421bb946 # v2.3.11
@@ -62,6 +68,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Setup NodeJS
 uses: ./.github/actions/setup-nodejs
 - name: Run Prepublish test
@@ -77,11 +85,13 @@ jobs:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
 with:
+ persist-credentials: false
 path: chainlink
 - name: Checkout diff-so-fancy
 uses: actions/checkout@v4.2.1
 with:
+ persist-credentials: false
 repository: so-fancy/diff-so-fancy
 ref: a673cb4d2707f64d92b86498a2f5f71c8e2643d5 # v1.4.3
 path: diff-so-fancy
@@ -128,6 +138,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Setup NodeJS
 uses: ./.github/actions/setup-nodejs
 - name: Run pnpm lint
@@ -148,6 +160,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Setup NodeJS
 uses: ./.github/actions/setup-nodejs
 - name: Run prettier check
@@ -162,6 +176,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Setup NodeJS
 uses: ./.github/actions/setup-nodejs
@@ -191,6 +207,8 @@ jobs:
 steps:
 - name: Checkout the repo
 uses: actions/checkout@v4.2.1
+ with:
+ persist-credentials: false
 - name: Setup NodeJS
 uses: ./.github/actions/setup-nodejs
diff --git a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml
index e635ce40922..061db3ae7f3 100644
--- a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml
+++ b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml
@@ -12,6 +12,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4.2.1
 with:
+ persist-credentials: false
 ref: develop
 if: env.GITHUB_REPOSITORY != 'smartcontractkit/chainlink'
 - name: Sync
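Review bot: With `persist-credentials: false` on this checkout, the Sync step that follows (its body is outside the hunk) can no longer rely on the token actions/checkout would otherwise store in the repository's git config, so if it pushes to develop with that implicit credential it will now fail to authenticate. Confirm that step passes its own token explicitly, and record the assumption next to the setting, e.g. `# token is not persisted; the Sync step must authenticate on its own`, so the reason survives the next edit. The `if:` condition on this step is unaffected, since it only reads `env.GITHUB_REPOSITORY`.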