From 457ee7f80f5c131f16db860bd1a95977006ee001 Mon Sep 17 00:00:00 2001 From: Erik Burton Date: Mon, 16 Dec 2024 12:54:44 -0800 Subject: [PATCH 1/2] fix: persist-credentials false for actions/checkout --- .github/actions/golangci-lint/action.yml | 2 ++ .../goreleaser-build-sign-publish/README.md | 2 ++ .github/workflows/bash-scripts.yml | 2 ++ .github/workflows/build-publish-develop-pr.yml | 3 +++ .github/workflows/build-publish-goreleaser.yml | 4 ++++ .github/workflows/build-publish.yml | 6 ++++++ .github/workflows/chain-selectors-check.yml | 2 ++ .github/workflows/changeset.yml | 3 +++ .github/workflows/changesets-preview-pr.yml | 2 ++ .github/workflows/ci-core-partial.yml | 8 ++++++++ .github/workflows/ci-core.yml | 9 +++++++++ .github/workflows/ci-protobuf.yml | 2 ++ .github/workflows/ci-scripts.yml | 4 ++++ .github/workflows/client-compatibility-tests.yml | 4 ++++ .github/workflows/codeql-analysis.yml | 3 +++ .github/workflows/crib-integration-test.yml | 4 ++++ .github/workflows/delete-caches.yml | 4 +++- .github/workflows/delete-deployments.yml | 2 ++ .github/workflows/dependency-check.yml | 2 ++ .github/workflows/flakeguard.yml | 9 ++++++--- .github/workflows/go-mod-cache.yml | 2 ++ .../workflows/integration-in-memory-tests.yml | 2 ++ .github/workflows/integration-tests-publish.yml | 2 ++ .github/workflows/integration-tests.yml | 12 ++++++++++++ .github/workflows/lint-gh-workflows.yml | 2 ++ .github/workflows/operator-ui-ci.yml | 2 ++ .github/workflows/solidity-foundry-artifacts.yml | 3 +++ .github/workflows/solidity-foundry.yml | 10 ++++++++++ .github/workflows/solidity-hardhat.yml | 4 ++++ .github/workflows/solidity-tracability.yml | 4 ++++ .github/workflows/solidity-wrappers.yml | 4 ++++ .github/workflows/solidity.yml | 16 ++++++++++++++++ ...c-develop-from-smartcontractkit-chainlink.yml | 1 + 33 files changed, 137 insertions(+), 4 deletions(-) diff --git a/.github/actions/golangci-lint/action.yml b/.github/actions/golangci-lint/action.yml index 20ad2689deb..c6cd381ba49 100644 --- a/.github/actions/golangci-lint/action.yml +++ b/.github/actions/golangci-lint/action.yml @@ -26,11 +26,13 @@ runs: # Only do a full checkout on merge_groups if: github.event_name == 'merge_group' with: + persist-credentials: false fetch-depth: 0 - name: Checkout repo uses: actions/checkout@v4.2.1 if: github.event_name != 'merge_group' with: + persist-credentials: false fetch-depth: 1 - name: Setup Go uses: ./.github/actions/setup-go diff --git a/.github/actions/goreleaser-build-sign-publish/README.md b/.github/actions/goreleaser-build-sign-publish/README.md index afea60e1203..9b520c1741a 100644 --- a/.github/actions/goreleaser-build-sign-publish/README.md +++ b/.github/actions/goreleaser-build-sign-publish/README.md @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Configure aws credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: diff --git a/.github/workflows/bash-scripts.yml b/.github/workflows/bash-scripts.yml index a55bd1f1574..5040fe9326a 100644 --- a/.github/workflows/bash-scripts.yml +++ b/.github/workflows/bash-scripts.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Run ShellCheck if: needs.changes.outputs.bash-scripts-src == 'true' uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0 diff --git a/.github/workflows/build-publish-develop-pr.yml b/.github/workflows/build-publish-develop-pr.yml index 92d9e0445a6..359e1c238f1 100644 --- a/.github/workflows/build-publish-develop-pr.yml +++ b/.github/workflows/build-publish-develop-pr.yml @@ -38,6 +38,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ env.CHECKOUT_REF }} - name: Get image tag @@ -86,6 +87,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ env.CHECKOUT_REF }} fetch-depth: 0 @@ -124,6 +126,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ env.CHECKOUT_REF }} - name: Configure aws credentials diff --git a/.github/workflows/build-publish-goreleaser.yml b/.github/workflows/build-publish-goreleaser.yml index 8e61b84c4ad..9f8f774acc0 100644 --- a/.github/workflows/build-publish-goreleaser.yml +++ b/.github/workflows/build-publish-goreleaser.yml @@ -15,6 +15,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Check for VERSION file bump on tags # Avoids checking VERSION file bump on forks. if: ${{ github.repository == 'smartcontractkit/chainlink' }} @@ -38,6 +40,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.1 with: + persist-credentials: false fetch-depth: 0 - name: Configure aws credentials @@ -96,6 +99,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.1 with: + persist-credentials: false fetch-depth: 0 - name: Configure aws credentials diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index 2889ee5e5ea..06ba1daead1 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml @@ -18,6 +18,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Check git tag type id: check-git-tag-type shell: bash @@ -67,6 +69,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Build, sign and publish chainlink image id: build-sign-publish @@ -99,6 +103,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Notify Slack uses: smartcontractkit/.github/actions/slack-notify-git-ref@31e00facdd8f57a2bc7868b5e4c8591bf2aa3727 # slack-notify-git-ref@0.1.2 with: diff --git a/.github/workflows/chain-selectors-check.yml b/.github/workflows/chain-selectors-check.yml index 01803fb8e36..1c59bff9f67 100644 --- a/.github/workflows/chain-selectors-check.yml +++ b/.github/workflows/chain-selectors-check.yml @@ -18,6 +18,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup Go uses: ./.github/actions/setup-go diff --git a/.github/workflows/changeset.yml b/.github/workflows/changeset.yml index d6d269326c7..cb11e21fb7a 100644 --- a/.github/workflows/changeset.yml +++ b/.github/workflows/changeset.yml @@ -31,6 +31,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.1 with: + persist-credentials: false fetch-depth: 0 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 @@ -95,6 +96,7 @@ jobs: - name: Checkout .Github repository uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/.github ref: 9aed33e5298471f20a3d630d711b96ae5538728c # jira-tracing@0.2.0 path: ./dot_github @@ -170,6 +172,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.1 with: + persist-credentials: false fetch-depth: 0 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 diff --git a/.github/workflows/changesets-preview-pr.yml b/.github/workflows/changesets-preview-pr.yml index 0a65f53b693..c32b8c54c63 100644 --- a/.github/workflows/changesets-preview-pr.yml +++ b/.github/workflows/changesets-preview-pr.yml @@ -18,6 +18,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: change diff --git a/.github/workflows/ci-core-partial.yml b/.github/workflows/ci-core-partial.yml index 35f689090e8..a1bd5bfd5e8 100644 --- a/.github/workflows/ci-core-partial.yml +++ b/.github/workflows/ci-core-partial.yml @@ -28,6 +28,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: match-some @@ -59,6 +60,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup NodeJS uses: ./.github/actions/setup-nodejs @@ -134,6 +137,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false # fetches all history for all tags and branches to provide more metadata for sonar reports fetch-depth: 0 @@ -191,6 +195,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup Go uses: ./.github/actions/setup-go @@ -235,6 +241,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup Go uses: ./.github/actions/setup-go diff --git a/.github/workflows/ci-core.yml b/.github/workflows/ci-core.yml index 726b6b14074..8d5fa9a9b67 100644 --- a/.github/workflows/ci-core.yml +++ b/.github/workflows/ci-core.yml @@ -41,6 +41,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: match-some @@ -106,6 +107,8 @@ jobs: needs: [filter, run-frequency] steps: - uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Golang Lint uses: ./.github/actions/golangci-lint if: ${{ needs.filter.outputs.should-run-golangci == 'true' }} @@ -152,6 +155,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Change Modtime of Files (cache optimization) shell: bash @@ -298,6 +303,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup node uses: actions/setup-node@v4.0.4 @@ -382,6 +389,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false fetch-depth: 0 # fetches all history for all tags and branches to provide more metadata for sonar reports - name: Download all workflow run artifacts @@ -502,6 +510,7 @@ jobs: exit 0 - uses: actions/checkout@v4.2.1 with: + persist-credentials: false fetch-depth: 0 - name: Setup Go uses: ./.github/actions/setup-go diff --git a/.github/workflows/ci-protobuf.yml b/.github/workflows/ci-protobuf.yml index 3931ed8d302..1ea44a0ea78 100644 --- a/.github/workflows/ci-protobuf.yml +++ b/.github/workflows/ci-protobuf.yml @@ -9,6 +9,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup buf uses: bufbuild/buf-setup-action@35c243d7f2a909b1d4e40399b348a7fdab27d78d # v1.34.0 diff --git a/.github/workflows/ci-scripts.yml b/.github/workflows/ci-scripts.yml index 5683641f26b..9d25f8cc777 100644 --- a/.github/workflows/ci-scripts.yml +++ b/.github/workflows/ci-scripts.yml @@ -17,6 +17,8 @@ jobs: pull-requests: read steps: - uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Golang Lint uses: ./.github/actions/golangci-lint with: @@ -30,6 +32,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup Go uses: ./.github/actions/setup-go with: diff --git a/.github/workflows/client-compatibility-tests.yml b/.github/workflows/client-compatibility-tests.yml index 5f986ccf16c..1894a6c394b 100644 --- a/.github/workflows/client-compatibility-tests.yml +++ b/.github/workflows/client-compatibility-tests.yml @@ -50,6 +50,7 @@ jobs: - name: Checkout code uses: actions/checkout@v4.2.1 with: + persist-credentials: false fetch-depth: 0 - name: Check for go.mod changes id: changes @@ -326,6 +327,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ needs.select-versions.outputs.chainlink_version }} - name: Build Chainlink Image uses: ./.github/actions/build-chainlink-image @@ -595,6 +597,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ needs.select-versions.outputs.chainlink_version }} - name: Setup GAP for Grafana @@ -851,6 +854,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ needs.select-versions.outputs.chainlink_version }} - name: Get test results for ${{ matrix.product }} id: get-product-results diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d90139e5292..c0294645465 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -23,6 +23,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes @@ -55,6 +56,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Set up Go if: ${{ matrix.type.language == 'go' && matrix.type.should-run == 'true' }} diff --git a/.github/workflows/crib-integration-test.yml b/.github/workflows/crib-integration-test.yml index 5dd24167ab0..62c51bd8436 100644 --- a/.github/workflows/crib-integration-test.yml +++ b/.github/workflows/crib-integration-test.yml @@ -20,6 +20,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27 with: @@ -91,6 +93,8 @@ jobs: product-image: ${{ secrets.AWS_SDLC_ECR_HOSTNAME }}/chainlink product-image-tag: develop - uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Set up Go uses: ./.github/actions/setup-go with: diff --git a/.github/workflows/delete-caches.yml b/.github/workflows/delete-caches.yml index 64b9e799665..aa714d38815 100644 --- a/.github/workflows/delete-caches.yml +++ b/.github/workflows/delete-caches.yml @@ -21,7 +21,9 @@ jobs: PR_NUMBER: ${{ github.event.pull_request.number }} steps: - name: Check out code - uses: actions/checkout@v4.1.2 + uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup gh-actions-cache extension env: diff --git a/.github/workflows/delete-deployments.yml b/.github/workflows/delete-deployments.yml index 547b29bceec..ff24db42229 100644 --- a/.github/workflows/delete-deployments.yml +++ b/.github/workflows/delete-deployments.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Clean up integration environment uses: ./.github/actions/delete-deployments diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 4b2a2f32f79..0b09747f509 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Set up Go if: needs.changes.outputs.src == 'true' diff --git a/.github/workflows/flakeguard.yml b/.github/workflows/flakeguard.yml index 3951c356a3b..daea97fb055 100644 --- a/.github/workflows/flakeguard.yml +++ b/.github/workflows/flakeguard.yml @@ -84,8 +84,9 @@ jobs: git_base_sha: ${{ steps.get_commit_sha.outputs.git_base_sha }} steps: - name: Checkout repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + uses: actions/checkout@v4.2.1 with: + persist-credentials: false fetch-depth: 0 ref: ${{ env.GIT_HEAD_REF }} @@ -227,8 +228,9 @@ jobs: DB_URL: postgresql://postgres:postgres@localhost:5432/chainlink_test?sslmode=disable steps: - name: Checkout repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ env.GIT_HEAD_REF }} - name: Setup NodeJS @@ -307,8 +309,9 @@ jobs: test_results: ${{ steps.results.outputs.results }} steps: - name: Checkout repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ env.GIT_HEAD_REF }} - name: Set Pretty Project Path diff --git a/.github/workflows/go-mod-cache.yml b/.github/workflows/go-mod-cache.yml index 3caac1eff3f..e90e6a9f285 100644 --- a/.github/workflows/go-mod-cache.yml +++ b/.github/workflows/go-mod-cache.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup Go uses: ./.github/actions/setup-go diff --git a/.github/workflows/integration-in-memory-tests.yml b/.github/workflows/integration-in-memory-tests.yml index 341d66f641e..e124b12eb28 100644 --- a/.github/workflows/integration-in-memory-tests.yml +++ b/.github/workflows/integration-in-memory-tests.yml @@ -33,6 +33,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 @@ -134,6 +135,7 @@ jobs: if: ${{ github.event_name == 'pull_request' }} uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} diff --git a/.github/workflows/integration-tests-publish.yml b/.github/workflows/integration-tests-publish.yml index df07cc1e231..523974b4aed 100644 --- a/.github/workflows/integration-tests-publish.yml +++ b/.github/workflows/integration-tests-publish.yml @@ -23,6 +23,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Setup Other Tags If Not Workflow Dispatch id: tags @@ -68,6 +69,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ github.sha }} - name: Build Chainlink Image uses: ./.github/actions/build-chainlink-image diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 27bdfa52243..726f4b31a1d 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -52,6 +52,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} - name: Check Merge Group Condition @@ -86,6 +87,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 @@ -136,6 +138,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} - name: Setup Go @@ -178,6 +181,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref || github.event.pull_request.head.sha || github.event.merge_group.head_sha }} - name: Setup Github Token @@ -428,6 +432,7 @@ jobs: if: ${{ github.event_name == 'pull_request' }} uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref }} @@ -447,6 +452,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref || github.event.pull_request.head.sha || github.event.merge_group.head_sha }} - name: Download All Artifacts @@ -471,6 +477,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink ref: ${{ inputs.cl_ref || github.event.pull_request.head.sha || github.event.merge_group.head_sha }} - name: Setup Go @@ -491,6 +498,7 @@ jobs: - name: Checkout solana uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink-solana ref: develop fetch-depth: 0 @@ -518,6 +526,7 @@ jobs: - name: Checkout the solana repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink-solana ref: ${{ needs.get_solana_sha.outputs.sha }} - name: Get ProjectSerum Version @@ -566,6 +575,7 @@ jobs: - name: Checkout the solana repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink-solana ref: ${{ needs.get_solana_sha.outputs.sha }} - name: Build contracts @@ -600,6 +610,7 @@ jobs: if: (needs.changes.outputs.core_changes == 'true' || github.event_name == 'workflow_dispatch') && needs.solana-test-image-exists.outputs.exists == 'false' uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink-solana ref: ${{ needs.get_solana_sha.outputs.sha }} - name: Download Artifacts @@ -648,6 +659,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/chainlink-solana ref: ${{ needs.get_solana_sha.outputs.sha }} - name: Run Setup diff --git a/.github/workflows/lint-gh-workflows.yml b/.github/workflows/lint-gh-workflows.yml index 9897c023576..a3aaacb1abe 100644 --- a/.github/workflows/lint-gh-workflows.yml +++ b/.github/workflows/lint-gh-workflows.yml @@ -8,5 +8,7 @@ jobs: steps: - name: Check out Code uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Run actionlint uses: reviewdog/action-actionlint@c6ee1eb0a5d47b2af53a203652b5dac0b6c4016e # v1.43.0 diff --git a/.github/workflows/operator-ui-ci.yml b/.github/workflows/operator-ui-ci.yml index 9bce18f8cff..7ea1cd8327b 100644 --- a/.github/workflows/operator-ui-ci.yml +++ b/.github/workflows/operator-ui-ci.yml @@ -33,6 +33,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Get operator-ui tag id: get-operator-ui-tag diff --git a/.github/workflows/solidity-foundry-artifacts.yml b/.github/workflows/solidity-foundry-artifacts.yml index 5a971f65174..3c2b34bfd2c 100644 --- a/.github/workflows/solidity-foundry-artifacts.yml +++ b/.github/workflows/solidity-foundry-artifacts.yml @@ -51,6 +51,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ env.head_ref }} - name: Find modified contracts uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 @@ -129,6 +130,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Extract Foundry version id: extract-foundry-version diff --git a/.github/workflows/solidity-foundry.yml b/.github/workflows/solidity-foundry.yml index f94ef29a3b8..4f3a0aedd7e 100644 --- a/.github/workflows/solidity-foundry.yml +++ b/.github/workflows/solidity-foundry.yml @@ -49,6 +49,8 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Extract Foundry version id: extract-foundry-version @@ -70,6 +72,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Detect changes uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes @@ -157,6 +161,7 @@ jobs: || needs.changes.outputs.non_src_changes == 'true' }} uses: actions/checkout@v4.2.1 with: + persist-credentials: false submodules: recursive # Only needed because we use the NPM versions of packages @@ -330,10 +335,13 @@ jobs: steps: - name: Checkout this repository uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Checkout .github repository uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/.github ref: b6e37806737eef87e8c9137ceeb23ef0bff8b1db # validate-solidity-artifacts@0.1.0 path: ./dot_github @@ -418,6 +426,7 @@ jobs: if: needs.changes.outputs.sol_mod_only == 'true' uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ github.base_ref }} - name: Download Slither scripts @@ -611,6 +620,7 @@ jobs: if: ${{ (contains(fromJson(needs.changes.outputs.all_changes), matrix.product.name) || needs.changes.outputs.non_src_changes == 'true') && matrix.product.setup.run-forge-fmt }} uses: actions/checkout@v4.2.1 with: + persist-credentials: false submodules: recursive - name: Setup NodeJS diff --git a/.github/workflows/solidity-hardhat.yml b/.github/workflows/solidity-hardhat.yml index 7283e17e13f..c310aacc515 100644 --- a/.github/workflows/solidity-hardhat.yml +++ b/.github/workflows/solidity-hardhat.yml @@ -20,6 +20,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes with: @@ -40,6 +42,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup NodeJS uses: ./.github/actions/setup-nodejs - name: Setup Hardhat diff --git a/.github/workflows/solidity-tracability.yml b/.github/workflows/solidity-tracability.yml index f0b1166807f..1cfce2a4688 100644 --- a/.github/workflows/solidity-tracability.yml +++ b/.github/workflows/solidity-tracability.yml @@ -23,6 +23,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Filter paths uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 @@ -59,6 +61,7 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} - name: Assume role capable of dispatching action @@ -94,6 +97,7 @@ jobs: - name: Checkout .Github repository uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: smartcontractkit/.github ref: 6781e048ecc1aadf7d605722c32e8068a5f829ce # jira-tracing@0.3.0 path: ./dot_github diff --git a/.github/workflows/solidity-wrappers.yml b/.github/workflows/solidity-wrappers.yml index b2acdf6ca5e..941a3e2f196 100644 --- a/.github/workflows/solidity-wrappers.yml +++ b/.github/workflows/solidity-wrappers.yml @@ -24,6 +24,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Detect changes id: ch uses: ./.github/actions/detect-solidity-file-changes @@ -41,6 +43,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup Go uses: ./.github/actions/setup-go diff --git a/.github/workflows/solidity.yml b/.github/workflows/solidity.yml index 605b3f2e325..1219ced127e 100644 --- a/.github/workflows/solidity.yml +++ b/.github/workflows/solidity.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Detect changes id: ch uses: ./.github/actions/detect-solidity-file-changes @@ -44,6 +46,8 @@ jobs: pre-release-version: ${{ steps.release-tag-check.outputs.pre-release-version }} steps: - uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Check release tag id: release-tag-check uses: smartcontractkit/chainlink-github-actions/release/release-tag-check@5dd916d08c03cb5f9a97304f4f174820421bb946 # v2.3.11 @@ -62,6 +66,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup NodeJS uses: ./.github/actions/setup-nodejs - name: Run Prepublish test @@ -77,11 +83,13 @@ jobs: - name: Checkout the repo uses: actions/checkout@v4.2.1 with: + persist-credentials: false path: chainlink - name: Checkout diff-so-fancy uses: actions/checkout@v4.2.1 with: + persist-credentials: false repository: so-fancy/diff-so-fancy ref: a673cb4d2707f64d92b86498a2f5f71c8e2643d5 # v1.4.3 path: diff-so-fancy @@ -128,6 +136,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup NodeJS uses: ./.github/actions/setup-nodejs - name: Run pnpm lint @@ -148,6 +158,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup NodeJS uses: ./.github/actions/setup-nodejs - name: Run prettier check @@ -162,6 +174,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup NodeJS uses: ./.github/actions/setup-nodejs @@ -191,6 +205,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Setup NodeJS uses: ./.github/actions/setup-nodejs diff --git a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml index e635ce40922..061db3ae7f3 100644 --- a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml +++ b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml @@ -12,6 +12,7 @@ jobs: steps: - uses: actions/checkout@v4.2.1 with: + persist-credentials: false ref: develop if: env.GITHUB_REPOSITORY != 'smartcontractkit/chainlink' - name: Sync From ebeeb0cd04725109c0e6cb62e4602e1938cd8e2a Mon Sep 17 00:00:00 2001 From: Erik Burton Date: Mon, 16 Dec 2024 13:37:51 -0800 Subject: [PATCH 2/2] fix: possible template injection in CI --- .../workflows/automation-ondemand-tests.yml | 35 ++++++++----- .github/workflows/bash-scripts.yml | 2 + .../workflows/build-publish-develop-pr.yml | 17 ++++--- .github/workflows/ci-core.yml | 8 ++- .../workflows/client-compatibility-tests.yml | 46 +++++++++++------ .github/workflows/flakeguard.yml | 51 +++++++++++++------ .github/workflows/integration-tests.yml | 5 +- .../on-demand-vrfv2-performance-test.yml | 10 ++-- .../workflows/on-demand-vrfv2-smoke-tests.yml | 10 ++-- .../on-demand-vrfv2plus-performance-test.yml | 10 ++-- .../on-demand-vrfv2plus-smoke-tests.yml | 10 ++-- .../workflows/solidity-foundry-artifacts.yml | 8 ++- .github/workflows/solidity.yml | 2 + 13 files changed, 147 insertions(+), 67 deletions(-) diff --git a/.github/workflows/automation-ondemand-tests.yml b/.github/workflows/automation-ondemand-tests.yml index eef02dcddb2..ee917da0e56 100644 --- a/.github/workflows/automation-ondemand-tests.yml +++ b/.github/workflows/automation-ondemand-tests.yml @@ -52,45 +52,56 @@ jobs: outputs: test_list: ${{ steps.set-tests.outputs.test_list }} require_chainlink_image_versions_in_qa_ecr: ${{ steps.determine-chainlink-image-check.outputs.require_chainlink_image_versions_in_qa_ecr }} + env: + GH_INPUTS_CHAINLINK_IMAGE: ${{ inputs.chainlinkImage }} + GH_INPUTS_CHAINLINK_IMAGE_UPDATE: ${{ inputs.chainlinkImageUpdate }} + GH_INPUTS_CHAINLINK_VERSION: ${{ inputs.chainlinkVersion }} + GH_INPUTS_CHAINLINK_VERSION_UPDATE: ${{ inputs.chainlinkVersionUpdate }} steps: - name: Determine build to use id: determine-build shell: bash run: | - if [[ "${{ inputs.chainlinkImage }}" == "QA_ECR" ]]; then + if [[ "$GH_INPUTS_CHAINLINK_IMAGE" == "QA_ECR" ]]; then echo "image='{{ env.QA_CHAINLINK_IMAGE }}'" >> $GITHUB_ENV else - echo "image=${{ inputs.chainlinkImage }}" >> $GITHUB_ENV + echo "image=$GH_INPUTS_CHAINLINK_IMAGE" >> $GITHUB_ENV fi - if [[ "${{ inputs.chainlinkImageUpdate }}" == "QA_ECR" ]]; then + if [[ "$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" == "QA_ECR" ]]; then echo "upgrade_image='{{ env.QA_CHAINLINK_IMAGE }}'" >> $GITHUB_ENV else - echo "upgrade_image=${{ inputs.chainlinkImageUpdate }}" >> $GITHUB_ENV + echo "upgrade_image=$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" >> $GITHUB_ENV fi - if [[ -z "${{ inputs.chainlinkVersion }}" ]] && [[ "${{ inputs.chainlinkImage }}" == "QA_ECR" ]]; then + if [[ -z "$GH_INPUTS_CHAINLINK_VERSION" ]] && [[ "$CHAINLINK_IMAGE" == "QA_ECR" ]]; then echo "version=${{ github.sha }}" >> $GITHUB_ENV else - echo "version=${{ inputs.chainlinkVersion }}" >> $GITHUB_ENV + echo "version=$GH_INPUTS_CHAINLINK_VERSION" >> $GITHUB_ENV fi - if [[ -z "${{ inputs.chainlinkVersionUpdate }}" ]] && [[ "${{ inputs.chainlinkImageUpdate }}" == "QA_ECR" ]]; then + if [[ -z "$GH_INPUTS_CHAINLINK_VERSION_UPDATE" ]] && [[ "$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" == "QA_ECR" ]]; then echo "upgrade_version=${{ github.sha }}" >> $GITHUB_ENV else - echo "upgrade_version=${{ inputs.chainlinkVersionUpdate }}" >> $GITHUB_ENV + echo "upgrade_version=$GH_INPUTS_CHAINLINK_VERSION_UPDATE" >> $GITHUB_ENV fi - name: Check if chainlink image check required id: determine-chainlink-image-check shell: bash + env: + CHAINLKINK_IMAGE: ${{ github.event.inputs.chainlinkImage }} + CHAINLINK_IMAGE_UPDATE: ${{ github.event.inputs.chainlinkImageUpdate }} run: | chainlink_image_versions="" - if [ "${{ github.event.inputs.chainlinkImage }}" = "QA_ECR" ]; then + if [ "$CHAINLKINK_IMAGE" = "QA_ECR" ]; then chainlink_image_versions+="${{ env.version }}," fi - if [ "${{ github.event.inputs.chainlinkImageUpdate }}" = "QA_ECR" ]; then + if [ "$CHAINLINK_IMAGE_UPDATE" = "QA_ECR" ]; then chainlink_image_versions+="${{ env.upgrade_version }}" fi echo "require_chainlink_image_versions_in_qa_ecr=$chainlink_image_versions" >> $GITHUB_OUTPUT - name: Set tests to run id: set-tests + env: + GH_EVENT_INPUTS_ENABLE_REORG: ${{ github.event.inputs.enableReorg }} + GH_EVENT_INPUTS_ENABLE_CHAOS: ${{ github.event.inputs.enableChaos }} run: | # Always run upgrade tests @@ -118,7 +129,7 @@ jobs: EOF # Run reorg tests if enabled - if [[ "${{ github.event.inputs.enableReorg }}" == 'true' ]]; then + if [[ "$GH_EVENT_INPUTS_ENABLE_REORG" == 'true' ]]; then cat >> test_list.yaml <> test_list.yaml <> $GITHUB_OUTPUT elif [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then - if [ -n "${{ github.event.inputs.base64TestList }}" ]; then + if [ -n "$GH_EVENT_INPUTS_BASE64_TEST_LIST" ]; then echo "Base64-ed Test Input provided, ignoring EVM implementations" else - echo "Will test following EVM implementations: ${{ github.event.inputs.evmImplementations }}" - echo "evm_implementations=${{ github.event.inputs.evmImplementations }}" >> $GITHUB_OUTPUT + echo "Will test following EVM implementations: $GH_EVENT_INPUTS_EVM_IMPLEMENTATIONS" + echo "evm_implementations=$GH_EVENT_INPUTS_EVM_IMPLEMENTATIONS" >> $GITHUB_OUTPUT fi else echo "Will test all EVM implementations" @@ -197,6 +202,12 @@ jobs: fi - name: Select Chainlink version id: select-chainlink-version + env: + GH_EVENT_INPUTS_CHAINLINK_VERSION: ${{ github.event.inputs.chainlinkVersion }} + GH_EVENT_PULL_REQUEST_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + GH_EVENT_MERGE_GROUP_HEAD_SHA: ${{ github.event.merge_group.head_sha }} + GH_REF_NAME: ${{ github.ref_name }} + GH_SHA: ${{ github.sha }} run: | PATH=$PATH:$(go env GOPATH)/bin export PATH @@ -210,9 +221,9 @@ jobs: cl_ref_path="releases" elif [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then echo "Fetching Chainlink version from input" - if [ -n "${{ github.event.inputs.chainlinkVersion }}" ]; then + if [ -n "$GH_EVENT_INPUTS_CHAINLINK_VERSION" ]; then echo "Chainlink version provided in input" - chainlink_version="${{ github.event.inputs.chainlinkVersion }}" + chainlink_version="$GH_EVENT_INPUTS_CHAINLINK_VERSION" if [[ "$chainlink_version" =~ ^[0-9a-f]{40}$ ]]; then cl_ref_path="commit" chainlink_image_version=$chainlink_version @@ -223,23 +234,23 @@ jobs: fi else echo "Chainlink version not provided in input. Using latest commit SHA." - chainlink_version=${{ github.sha }} + chainlink_version=$GH_SHA chainlink_image_version=$chainlink_version cl_ref_path="commit" fi elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then echo "Fetching Chainlink version from PR's head commit" - chainlink_version="${{ github.event.pull_request.head.sha }}" + chainlink_version="$GH_EVENT_PULL_REQUEST_HEAD_SHA" chainlink_image_version=$chainlink_version cl_ref_path="commit" elif [ "$GITHUB_EVENT_NAME" = "merge_queue" ]; then echo "Fetching Chainlink version from merge queue's head commit" - chainlink_version="${{ github.event.merge_group.head_sha }}" + chainlink_version="$GH_EVENT_MERGE_GROUP_HEAD_SHA" chainlink_image_version=$chainlink_version cl_ref_path="commit" elif [ "$GITHUB_REF_TYPE" = "tag" ]; then echo "Fetching Chainlink version from tag" - chainlink_version="${{ github.ref_name }}" + chainlink_version="$GH_REF_NAME" # strip the 'v' from the version, because we tag our Docker images without it chainlink_image_version="${chainlink_version#v}" cl_ref_path="releases" @@ -254,13 +265,16 @@ jobs: echo "cl_ref_path=$cl_ref_path" >> $GITHUB_OUTPUT - name: Get image count id: get-image-count + env: + GH_EVENT_INPUTS_BASE64_TEST_LIST: ${{ github.event.inputs.base64TestList }} + GH_EVENT_INPUTS_LATEST_VERSIONS_NUMBER: ${{ github.event.inputs.latestVersionsNumber }} run: | if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then echo "Fetching latest image count from input" - if [ -n "${{ github.event.inputs.base64TestList }}" ]; then + if [ -n "$GH_EVENT_INPUTS_BASE64_TEST_LIST" ]; then echo "Base64-ed Test Input provided, ignoring latest image count" else - image_count="${{ github.event.inputs.latestVersionsNumber }}" + image_count="$GH_EVENT_INPUTS_LATEST_VERSIONS_NUMBER" echo "image_count=$image_count" >> $GITHUB_OUTPUT fi else diff --git a/.github/workflows/flakeguard.yml b/.github/workflows/flakeguard.yml index daea97fb055..d9e3c895365 100644 --- a/.github/workflows/flakeguard.yml +++ b/.github/workflows/flakeguard.yml @@ -133,11 +133,14 @@ jobs: env: # Needed to run go test -list CL_DATABASE_URL: postgresql://postgres@localhost:5432/chainlink_test?sslmode=disable + GH_INPUTS_PROJECT_PATH: ${{ inputs.projectPath }} + GH_INPUTS_FIND_BY_TEST_FILES_DIFF: ${{ inputs.findByTestFilesDiff }} + GH_INPUTS_FIND_BY_AFFECTED_PACKAGES: ${{ inputs.findByAffectedPackages }} run: | PATH=$PATH:$(go env GOPATH)/bin export PATH - PACKAGES=$(flakeguard find --find-by-test-files-diff=${{ inputs.findByTestFilesDiff }} --find-by-affected-packages=${{ inputs.findByAffectedPackages }} --base-ref=origin/${{ env.GIT_BASE_REF }} --project-path=${{ inputs.projectPath }}) + PACKAGES=$(flakeguard find --find-by-test-files-diff=$GH_INPUTS_FIND_BY_TEST_FILES_DIFF --find-by-affected-packages=$GH_INPUTS_FIND_BY_AFFECTED_PACKAGES --base-ref=origin/${{ env.GIT_BASE_REF }} --project-path=${GH_INPUTS_PROJECT_PATH}) echo $PACKAGES echo "packages=$PACKAGES" >> $GITHUB_OUTPUT @@ -148,19 +151,22 @@ jobs: env: # Needed to run go test -list CL_DATABASE_URL: postgresql://postgres@localhost:5432/chainlink_test?sslmode=disable + GH_INPUTS_PROJECT_PATH: ${{ inputs.projectPath }} run: | PATH=$PATH:$(go env GOPATH)/bin export PATH - TEST_FILES=$(flakeguard find --only-show-changed-test-files=true --base-ref=origin/${{ env.GIT_BASE_REF }} --project-path=${{ inputs.projectPath }}) + TEST_FILES=$(flakeguard find --only-show-changed-test-files=true --base-ref=origin/${{ env.GIT_BASE_REF }} --project-path=${GH_INPUTS_PROJECT_PATH}) echo $TEST_FILES echo "test_files=$TEST_FILES" >> $GITHUB_OUTPUT - name: Split test packages into groups id: split-packages shell: bash + env: + GH_INPUTS_RUN_ALL_TESTS: ${{ inputs.runAllTests }} run: | - if [[ "${{ inputs.runAllTests }}" == "true" ]]; then + if [[ "$GH_INPUTS_RUN_ALL_TESTS" == "true" ]]; then # Use ALL_TESTS_RUNNER for a specified number of groups, each with "./..." to run all tests ALL_TESTS_RUNNER_COUNT=${{ env.ALL_TESTS_RUNNER_COUNT }} @@ -274,8 +280,10 @@ jobs: - name: Go mod tidy shell: bash + env: + GH_INPUTS_PROJECT_PATH: ${{ inputs.projectPath }} run: | - cd ${{ inputs.projectPath }} + cd $GH_INPUTS_PROJECT_PATH go mod tidy - name: Generate random id @@ -288,9 +296,11 @@ jobs: - name: Run tests with flakeguard shell: bash - run: flakeguard run --project-path=${{ inputs.projectPath }} --test-packages=${{ matrix.testPackages }} --run-count=${{ env.TEST_REPEAT_COUNT }} --max-pass-ratio=${{ inputs.maxPassRatio }} --race=${{ env.RUN_WITH_RACE }} --shuffle=${{ env.RUN_WITH_SHUFFLE }} --shuffle-seed=${{ env.SHUFFLE_SEED }} --skip-tests=${{ env.SKIPPED_TESTS }} --output-json=test-result.json --omit-test-outputs-on-success=${{ env.OMIT_TEST_OUTPUTS_ON_SUCCESS }} env: + GH_INPUTS_PROJECT_PATH: ${{ inputs.projectPath }} + GH_INPUTS_MAX_PASS_RATIO: ${{ inputs.maxPassRatio }} CL_DATABASE_URL: ${{ env.DB_URL }} + run: flakeguard run --project-path=$GH_INPUTS_PROJECT_PATH} --test-packages=${{ matrix.testPackages }} --run-count=${{ env.TEST_REPEAT_COUNT }} --max-pass-ratio=$GH_INPUTS_MAX_PASS_RATIO --race=${{ env.RUN_WITH_RACE }} --shuffle=${{ env.RUN_WITH_SHUFFLE }} --shuffle-seed=${{ env.SHUFFLE_SEED }} --skip-tests=${{ env.SKIPPED_TESTS }} --output-json=test-result.json --omit-test-outputs-on-success=${{ env.OMIT_TEST_OUTPUTS_ON_SUCCESS }} - name: Upload test result as artifact if: always() @@ -316,11 +326,13 @@ jobs: - name: Set Pretty Project Path id: set_project_path_pretty + env: + GH_INPUTS_PROJECT_PATH: ${{ inputs.projectPath }} run: | - if [ "${{ inputs.projectPath }}" = "." ]; then + if [ "$GH_INPUTS_PROJECT_PATH" = "." ]; then echo "path=github.com/${{ github.repository }}" >> $GITHUB_OUTPUT else - echo "path=github.com/${{ github.repository }}/${{ inputs.projectPath }}" >> $GITHUB_OUTPUT + echo "path=github.com/${{ github.repository }}/${GH_INPUTS_PROJECT_PATH}" >> $GITHUB_OUTPUT fi - name: Download all test result artifacts @@ -337,6 +349,9 @@ jobs: - name: Aggregate Flakeguard Results id: results shell: bash + env: + GH_INPUTS_REPO_URL: ${{ inputs.repoUrl }} + GH_INPUTS_MAX_PASS_RATIO: ${{ inputs.maxPassRatio }} run: | set -e # Exit immediately if a command exits with a non-zero status. @@ -353,8 +368,8 @@ jobs: --output-path ./flakeguard-report \ --repo-path "${{ github.workspace }}" \ --codeowners-path "${{ github.workspace }}/.github/CODEOWNERS" \ - --max-pass-ratio "${{ inputs.maxPassRatio }}" \ - --repo-url "${{ inputs.repoUrl }}" \ + --max-pass-ratio "$GH_INPUTS_MAX_PASS_RATIO" \ + --repo-url "$GH_INPUTS_REPO_URL" \ --base-sha "${{ needs.get-tests.outputs.git_base_sha }}" \ --head-sha "${{ needs.get-tests.outputs.git_head_sha }}" \ --github-workflow-name "${{ github.workflow }}" @@ -395,6 +410,10 @@ jobs: shell: bash env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + GH_INPUTS_MAX_PASS_RATIO: ${{ inputs.maxPassRatio }} + GH_EVENT_NAME: ${{ github.event_name }} + GH_EVENT_PULL_REQUEST_BASE_REF: ${{ github.event.pull_request.base.ref }} + GH_EVENT_PULL_REQUEST_HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | set -e # Exit immediately if a command exits with a non-zero status. @@ -403,7 +422,7 @@ jobs: export PATH # Check if the event is a pull request - if [ "${{ github.event_name }}" = "pull_request" ]; then + if [ "$GH_EVENT_NAME" = "pull_request" ]; then flakeguard generate-report \ --aggregated-results-path ./flakeguard-report/all-test-results.json \ --summary-path ./flakeguard-report/all-test-summary.json \ @@ -412,12 +431,12 @@ jobs: --github-run-id "${{ github.run_id }}" \ --failed-tests-artifact-name "failed-test-results-with-logs.json" \ --generate-pr-comment \ - --base-branch "${{ github.event.pull_request.base.ref }}" \ + --base-branch "$GH_EVENT_PULL_REQUEST_BASE_REF" \ --current-branch "${{ github.head_ref }}" \ - --current-commit-sha "${{ github.event.pull_request.head.sha }}" \ + --current-commit-sha "$GH_EVENT_PULL_REQUEST_HEAD_SHA" \ --repo-url "https://github.com/${{ github.repository }}" \ --action-run-id "${{ github.run_id }}" \ - --max-pass-ratio "${{ inputs.maxPassRatio }}" + --max-pass-ratio "$GH_INPUTS_MAX_PASS_RATIO" else flakeguard generate-report \ --aggregated-results-path ./flakeguard-report/all-test-results.json \ @@ -426,12 +445,12 @@ jobs: --github-repository "${{ github.repository }}" \ --github-run-id "${{ github.run_id }}" \ --failed-tests-artifact-name "failed-test-results-with-logs.json" \ - --base-branch "${{ github.event.pull_request.base.ref }}" \ + --base-branch "$GH_EVENT_PULL_REQUEST_BASE_REF" \ --current-branch "${{ github.head_ref }}" \ - --current-commit-sha "${{ github.event.pull_request.head.sha }}" \ + --current-commit-sha "$GH_EVENT_PULL_REQUEST_HEAD_SHA" \ --repo-url "https://github.com/${{ github.repository }}" \ --action-run-id "${{ github.run_id }}" \ - --max-pass-ratio "${{ inputs.maxPassRatio }}" + --max-pass-ratio "$GH_INPUTS_MAX_PASS_RATIO" fi - name: Add Github Summary diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 726f4b31a1d..27b3be8a0d4 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -700,10 +700,13 @@ jobs: yarn --cwd ./gauntlet build yarn --cwd ./gauntlet gauntlet - name: Generate config overrides + env: + GH_INPUTS_EVM_REF: ${{ inputs.evm-ref }} + GH_SHA: ${{ github.sha }} run: | # https://github.com/smartcontractkit/chainlink-testing-framework/lib/blob/main/config/README.md cat << EOF > config.toml [ChainlinkImage] - version="${{ inputs.evm-ref || github.sha }}" + version="${{ env.evm-ref || env.GH_SHA }}" [Common] user="${{ github.actor }}" internal_docker_repo = "${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.QA_AWS_REGION }}.amazonaws.com" diff --git a/.github/workflows/on-demand-vrfv2-performance-test.yml b/.github/workflows/on-demand-vrfv2-performance-test.yml index f9aeaa0fa1f..2f3ea12cbe2 100644 --- a/.github/workflows/on-demand-vrfv2-performance-test.yml +++ b/.github/workflows/on-demand-vrfv2-performance-test.yml @@ -34,13 +34,17 @@ jobs: runs-on: ubuntu-latest outputs: test_list: ${{ steps.set-tests.outputs.test_list }} + env: + GH_INPUTS_TEST_LIST_REGEX: ${{ inputs.test_list_regex }} + GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH: ${{ inputs.test_config_override_path }} + GH_INPUTS_PERFORMANCE_TEST_TYPE: ${{ inputs.performanceTestType }} steps: - name: Generate Test List JSON id: set-tests run: | - TEST_CMD='cd integration-tests/load && go test -v -count=1 -timeout 24h -run "${{ inputs.test_list_regex }}" ./vrfv2' - TEST_CONFIG_OVERRIDE_PATH=${{ inputs.test_config_override_path }} - TEST_TYPE=${{ inputs.performanceTestType }} + TEST_CMD='cd integration-tests/load && go test -v -count=1 -timeout 24h -run "$GH_INPUTS_TEST_LIST_REGEX" ./vrfv2' + TEST_CONFIG_OVERRIDE_PATH=$GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH + TEST_TYPE=$GH_INPUTS_PERFORMANCE_TEST_TYPE TEST_LIST=$(jq -n -c \ --arg test_cmd "$TEST_CMD" \ diff --git a/.github/workflows/on-demand-vrfv2-smoke-tests.yml b/.github/workflows/on-demand-vrfv2-smoke-tests.yml index ad616dea744..db242c1aae2 100644 --- a/.github/workflows/on-demand-vrfv2-smoke-tests.yml +++ b/.github/workflows/on-demand-vrfv2-smoke-tests.yml @@ -41,13 +41,17 @@ jobs: steps: - name: Generate Test List JSON id: set-tests + env: + GH_INPUTS_TEST_SUITE: ${{ inputs.test_suite }} + GH_INPUTS_TEST_LIST_REGEX: ${{ inputs.test_list_regex }} + GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH: ${{ inputs.test_config_override_path }} run: | - if [[ "${{ inputs.test_suite }}" == "All Tests" ]]; then + if [[ "$GH_INPUTS_TEST_SUITE" == "All Tests" ]]; then TEST_CMD="cd integration-tests/smoke && go test vrfv2_test.go -test.parallel=1 -timeout 3h -count=1 -json -v" else - TEST_CMD='cd integration-tests/smoke && go test -test.run "${{ inputs.test_list_regex }}" -test.parallel=1 -timeout 2h -count=1 -json -v' + TEST_CMD='cd integration-tests/smoke && go test -test.run "$GH_INPUTS_TEST_LIST_REGEX" -test.parallel=1 -timeout 2h -count=1 -json -v' fi - TEST_CONFIG_OVERRIDE_PATH=${{ inputs.test_config_override_path }} + TEST_CONFIG_OVERRIDE_PATH=$GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH TEST_LIST=$(jq -n -c \ --arg test_cmd "$TEST_CMD" \ diff --git a/.github/workflows/on-demand-vrfv2plus-performance-test.yml b/.github/workflows/on-demand-vrfv2plus-performance-test.yml index b3a820e25a0..66878c552fd 100644 --- a/.github/workflows/on-demand-vrfv2plus-performance-test.yml +++ b/.github/workflows/on-demand-vrfv2plus-performance-test.yml @@ -34,13 +34,17 @@ jobs: runs-on: ubuntu-latest outputs: test_list: ${{ steps.set-tests.outputs.test_list }} + env: + GH_INPUTS_TEST_LIST_REGEX: ${{ inputs.test_list_regex }} + GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH: ${{ inputs.test_config_override_path }} + GH_INPUTS_PERFORMANCE_TEST_TYPE: ${{ inputs.performanceTestType }} steps: - name: Generate Test List JSON id: set-tests run: | - TEST_CMD='cd integration-tests/load && go test -v -count=1 -timeout 24h -run "${{ inputs.test_list_regex }}" ./vrfv2plus' - TEST_CONFIG_OVERRIDE_PATH=${{ inputs.test_config_override_path }} - TEST_TYPE=${{ inputs.performanceTestType }} + TEST_CMD='cd integration-tests/load && go test -v -count=1 -timeout 24h -run "$GH_INPUTS_TEST_LIST_REGEX" ./vrfv2plus' + TEST_CONFIG_OVERRIDE_PATH=$GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH + TEST_TYPE=$GH_INPUTS_PERFORMANCE_TEST_TYPE TEST_LIST=$(jq -n -c \ --arg test_cmd "$TEST_CMD" \ diff --git a/.github/workflows/on-demand-vrfv2plus-smoke-tests.yml b/.github/workflows/on-demand-vrfv2plus-smoke-tests.yml index 8561034b103..51c80af9bfa 100644 --- a/.github/workflows/on-demand-vrfv2plus-smoke-tests.yml +++ b/.github/workflows/on-demand-vrfv2plus-smoke-tests.yml @@ -41,13 +41,17 @@ jobs: steps: - name: Generate Test List JSON id: set-tests + env: + GH_INPUTS_TEST_SUITE: ${{ inputs.test_suite }} + GH_INPUTS_TEST_LIST_REGEX: ${{ inputs.test_list_regex }} + GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH: ${{ inputs.test_config_override_path }} run: | - if [[ "${{ inputs.test_suite }}" == "All Tests" ]]; then + if [[ "$GH_INPUTS_TEST_SUITE" == "All Tests" ]]; then TEST_CMD="cd integration-tests/smoke && go test vrfv2plus_test.go -test.parallel=1 -timeout 3h -count=1 -json -v" else - TEST_CMD='cd integration-tests/smoke && go test -test.run "${{ inputs.test_list_regex }}" -test.parallel=1 -timeout 2h -count=1 -json -v' + TEST_CMD='cd integration-tests/smoke && go test -test.run "$GH_INPUTS_TEST_LIST_REGEX" -test.parallel=1 -timeout 2h -count=1 -json -v' fi - TEST_CONFIG_OVERRIDE_PATH=${{ inputs.test_config_override_path }} + TEST_CONFIG_OVERRIDE_PATH=$GH_INPUTS_TEST_CONFIG_OVERRIDE_PATH TEST_LIST=$(jq -n -c \ --arg test_cmd "$TEST_CMD" \ diff --git a/.github/workflows/solidity-foundry-artifacts.yml b/.github/workflows/solidity-foundry-artifacts.yml index 3c2b34bfd2c..d4d33f37e6d 100644 --- a/.github/workflows/solidity-foundry-artifacts.yml +++ b/.github/workflows/solidity-foundry-artifacts.yml @@ -88,8 +88,10 @@ jobs: - name: Transform modified files id: changes-transform shell: bash + env: + GH_INPUTS_PRODUCT: ${{ inputs.product }} run: | - if [ "${{ inputs.product }}" = "shared" ]; then + if [ "$GH_INPUTS_PRODUCT" = "shared" ]; then echo "::debug:: Product is shared, transforming changes" if [[ "${{ steps.changes-dorny.outputs.product }}" == "true" && "${{ steps.changes-dorny.outputs.other_shared }}" == "true" ]]; then echo "::debug:: Changes were found in 'shared' folder and in 'interfaces' and root folders" @@ -141,8 +143,10 @@ jobs: - name: Should skip code coverage report id: skip-code-coverage + env: + GH_INPUTS_PRODUCT: ${{ inputs.product }} run: | - if [[ "${{ inputs.product }}" = "automation" || "${{ inputs.product }}" = "vrf" || "${{ inputs.product }}" = "functions" ]]; then + if [[ "$GH_INPUTS_PRODUCT" = "automation" || "$GH_INPUTS_PRODUCT" = "vrf" || "$GH_INPUTS_PRODUCT" = "functions" ]]; then echo "generate_code_coverage=false" >> $GITHUB_OUTPUT else echo "generate_code_coverage=true" >> $GITHUB_OUTPUT diff --git a/.github/workflows/solidity.yml b/.github/workflows/solidity.yml index 1219ced127e..c162380940f 100644 --- a/.github/workflows/solidity.yml +++ b/.github/workflows/solidity.yml @@ -17,6 +17,8 @@ jobs: steps: - name: Checkout the repo uses: actions/checkout@v4.2.1 + with: + persist-credentials: false - name: Detect readonly solidity file changes id: ch uses: ./.github/actions/detect-solidity-readonly-file-changes