chore(ci): improve pipelines security (#1188)

Alain Nicolas
2025-06-20 14:44:52 +02:00
committed by GitHub
parent d102593c0a
commit d9d1474782
36 changed files with 186 additions and 78 deletions


@@ -34,7 +34,7 @@ runs:
steps:
- name: Login to Docker Hub
if: ${{ github.ref == 'refs/heads/main' && inputs.last_commit_tag_exists == '0' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ inputs.docker_username }}
password: ${{ inputs.docker_password }}


@@ -1,5 +1,10 @@
name: All tools CI
permissions:
contents: read
actions: read
packages: write
on:
push:
branches:
@@ -93,7 +98,7 @@ jobs:
submodules: true
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -103,17 +108,17 @@ jobs:
# cases. We can later set up self-hosted arm64 github runners if we
# want arm* based images back.
# - name: Set up QEMU
# uses: docker/setup-qemu-action@v3
# uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0
# with:
# platforms: 'arm64,arm'
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
- name: Show the "version" build argument
run: |
echo "We inject the commit tag in the docker image ${{ env.COMMIT_TAG }}"
echo COMMIT_TAG=${{ env.COMMIT_TAG }} >> GITHUB_ENV
- name: Build and push all tools image
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
with:
context: .
file: ./operations/Dockerfile
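Review bot: In the third hunk's `Show the "version" build argument` step, `>> GITHUB_ENV` has no `$`, so the line is appended to a file literally named GITHUB_ENV in the working directory instead of the runner's environment file; the postman-build and prover workflows on this page write `>> $GITHUB_ENV`. The same step also pastes `${{ env.COMMIT_TAG }}` into the script text before the shell parses it, so any shell metacharacters in the value would be interpreted rather than printed. Since the value is already an environment variable, reading it from the shell addresses both: `echo "COMMIT_TAG=$COMMIT_TAG" >> "$GITHUB_ENV"`. The interpolation pattern recurs in the postman-build and prover build workflows. The step is unchanged context in this commit, and the job it belongs to starts outside the hunk.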


@@ -1,5 +1,9 @@
name: Run Bridge UI E2E Tests
permissions:
contents: read
actions: read
on:
pull_request:
branches:


@@ -1,5 +1,10 @@
name: Bridge UI Build and Publish
permissions:
contents: read
actions: read
packages: write
on:
pull_request:
branches:
@@ -43,17 +48,17 @@ jobs:
- name: Login to Docker Repository
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
- name: Docker Image Build and Publish
id: docker-build-publish
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
with:
context: .
file: ./bridge-ui/Dockerfile
@@ -83,7 +88,7 @@ jobs:
NEXT_PUBLIC_ONRAMPER_API_KEY: ${{ secrets.PUBLIC_ONRAMPER_API_KEY }}
NEXT_PUBLIC_LAYERSWAP_API_KEY: ${{ secrets.PUBLIC_LAYERSWAP_API_KEY }}
NEXT_PUBLIC_ENVIRONMENT: ${{ matrix.environment }}
test-build:
if: github.event.pull_request.head.repo.fork == true
# ~1 min saved vs small
@@ -92,7 +97,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup nodejs environment
uses: ./.github/actions/setup-nodejs
with:
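Review bot: `packages: write` in the new top-level `permissions:` block applies to every job of this `pull_request`-triggered workflow, including `test-build`, yet the publish steps visible here authenticate to Docker Hub with `secrets.DOCKERHUB_TOKEN`, not with the `GITHUB_TOKEN`. If no job pushes to GitHub Packages the scope can be dropped; if one does, keep the workflow-level block read-only and put `permissions: { contents: read, packages: write }` on that job alone. The same workflow-level grant is added in the All tools CI, Docker build and publish, coordinator-build, postman-build, Prover build and publish, and Reusable check images workflows, and in the workflow that also carries `security-events: write`. For the `workflow_call` files a called workflow can only receive what its caller holds, so the caller's block needs the same review.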


@@ -1,5 +1,10 @@
name: Docker build and publish
permissions:
contents: read
actions: read
packages: write
on:
workflow_call:
inputs:


@@ -64,7 +64,7 @@ jobs:
github-token: ${{ secrets.GITHUB_TOKEN }}
# Gets run id of the precedeing workflow that triggered this workflow_run
run-id: ${{ github.event.workflow_run.id }}
- uses: codecov/codecov-action@v5
- uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3
if: ${{ steps.coordinator-report-download.outcome == 'success' }}
with:
fail_ci_if_error: true
@@ -94,7 +94,7 @@ jobs:
github-token: ${{ secrets.GITHUB_TOKEN }}
# Gets run id of the precedeing workflow that triggered this workflow_run
run-id: ${{ github.event.workflow_run.id }}
- uses: codecov/codecov-action@v5
- uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3
if: ${{ steps.smc-report-download.outcome == 'success' }}
with:
fail_ci_if_error: true
@@ -103,4 +103,4 @@ jobs:
os: linux
name: codecov-contracts
verbose: true
token: ${{ secrets.CODECOV_TOKEN }}
token: ${{ secrets.CODECOV_TOKEN }}
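Review bot: These jobs run on `workflow_run`, download an artifact produced by the triggering run and then call the Codecov action with `secrets.CODECOV_TOKEN`, but no hunk adds a `permissions:` block here as the commit does for the other workflows (old and new line numbers are identical throughout, so no lines were added above line 64). A `workflow_run` workflow runs with the repository's own token and secrets even when the triggering run came from a fork, so the downloaded report should be handled strictly as data and the token scope stated explicitly. Unless the file already declares one above the visible lines, add `permissions: { contents: read, actions: read }` at the top.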


@@ -29,7 +29,7 @@ jobs:
- name: Setup Java
if: matrix.language == 'java-kotlin'
uses: actions/setup-java@v4
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
distribution: temurin
java-version: 21


@@ -1,5 +1,10 @@
name: coordinator-build
permissions:
contents: read
actions: read
packages: write
on:
workflow_call:
inputs:
@@ -81,22 +86,22 @@ jobs:
./gradlew coordinator:app:installDist
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0
- name: Set up Docker Buildx - local
id: buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
- name: Docker meta
id: coordinator
uses: docker/metadata-action@v5
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0
with:
images: ${{ env.IMAGE_NAME }}
- name: Build for testing
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
if: ${{ env.PUSH_IMAGE == 'false' }}
with:
context: .
@@ -118,7 +123,7 @@ jobs:
name: linea-coordinator
path: linea-coordinator-docker-image.tar.gz
- name: Build & push
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
if: ${{ env.PUSH_IMAGE == 'true' || github.event_name == 'workflow_dispatch' }}
with:
context: .


@@ -1,5 +1,9 @@
name: coordinator-testing
permissions:
contents: read
actions: read
on:
workflow_call:
inputs:
@@ -47,7 +51,7 @@ jobs:
./gradlew -V coordinator:app:buildNeeded
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -67,7 +71,7 @@ jobs:
${{ github.workspace }}/build/reports/jacoco/jacocoRootReport/jacocoRootReport.xml
- name: Upload coverage to Codecov
if: ${{ env.CODECOV_TOKEN != '' }}
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3
with:
fail_ci_if_error: true
files: ${{ github.workspace }}/build/reports/jacoco/jacocoRootReport/jacocoRootReport.xml


@@ -1,5 +1,8 @@
name: get-has-changes-requiring-e2e-testing
permissions:
contents: read
on:
workflow_call:
inputs:


@@ -1,4 +1,9 @@
name: Github Release for Besu Plugins
permissions:
contents: write
actions: read
on:
workflow_call:
inputs:
@@ -39,7 +44,7 @@ jobs:
fetch-depth: 1
- name: Set up JDK 21
uses: actions/setup-java@v4
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
java-version: '21'
distribution: 'temurin'


@@ -1,5 +1,9 @@
name: linea-sequencer-plugin-release
permissions:
contents: write
actions: read
on:
workflow_dispatch:
inputs:
@@ -14,7 +18,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set up JDK 21
uses: actions/setup-java@v4
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
java-version: 21
distribution: temurin
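Review bot: `- uses: actions/checkout@v4` in the second hunk stays on a mutable tag directly above the `actions/setup-java` step that this commit pins to a full commit SHA, so the pinning policy is applied unevenly in a workflow that now holds `contents: write`. Pin it the same way, `- uses: actions/checkout@<full-commit-sha> #v4.x.y`, with the SHA taken from the upstream release you intend to run (placeholder shown; the page does not give one). Other `actions/checkout@v4` references remain in the Bridge UI build, plugin-testing, load-test, e2e and transaction-exclusion-api hunks, and `gradle/actions/wrapper-validation@v4` is unpinned in the plugin-testing workflow. A one-line comment at the top of each workflow stating that every `uses:` must reference a SHA with the version as a trailing comment would keep later edits consistent.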


@@ -1,5 +1,9 @@
name: linea-sequencer-plugin-testing
permissions:
contents: read
actions: read
on:
workflow_call:
@@ -16,7 +20,7 @@ jobs:
- uses: gradle/actions/wrapper-validation@v4
- name: Set up Java
uses: actions/setup-java@v4
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
distribution: temurin
java-version: 21
@@ -53,7 +57,7 @@ jobs:
uses: actions/checkout@v4
- name: Set up JDK 21
uses: actions/setup-java@v4
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
java-version: 21
distribution: temurin


@@ -1,5 +1,8 @@
name: Load Test Manual Action
permissions:
contents: read
on:
workflow_dispatch:
inputs:
@@ -33,7 +36,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/setup-java@v4
- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
distribution: temurin
java-version: 17


@@ -10,6 +10,7 @@ permissions:
contents: read
actions: read
security-events: write
packages: write
jobs:
store-image-name-and-tags:
@@ -149,7 +150,6 @@ jobs:
secrets: inherit
code-analysis:
needs: [ filter-commit-changes ]
uses: ./.github/workflows/codeql.yml
testing:


@@ -33,7 +33,7 @@ jobs:
fetch-depth: 1
- name: Set up JDK 21
uses: actions/setup-java@v4
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
java-version: '21'
distribution: 'temurin'


@@ -21,7 +21,7 @@ jobs:
fetch-depth: 1
- name: Set up JDK 21
uses: actions/setup-java@v4
uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
java-version: '21'
distribution: 'temurin'


@@ -1,5 +1,10 @@
name: postman-build
permissions:
contents: read
actions: read
packages: write
on:
workflow_call:
inputs:
@@ -73,22 +78,22 @@ jobs:
submodules: true
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0
with:
platforms: 'arm64,arm'
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
- name: Show the "version" build argument
run: |
echo "We inject the commit tag in the docker image ${{ env.COMMIT_TAG }}"
echo COMMIT_TAG=${{ env.COMMIT_TAG }} >> $GITHUB_ENV
- name: Build postman image for testing
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
if: ${{ env.PUSH_IMAGE == 'false' }}
with:
context: ./
@@ -111,7 +116,7 @@ jobs:
name: linea-postman
path: linea-postman-docker-image.tar.gz
- name: Build and push postman image
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
if: ${{ env.PUSH_IMAGE == 'true' || github.event_name == 'workflow_dispatch' }}
with:
context: ./


@@ -1,5 +1,9 @@
name: postman-and-SDK-testing
permissions:
contents: read
actions: read
on:
workflow_call:


@@ -1,5 +1,10 @@
name: Prover build and publish CI
permissions:
contents: read
actions: read
packages: write
on:
workflow_call:
inputs:
@@ -76,18 +81,18 @@ jobs:
submodules: true
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
- name: Show the "version" build argument
run: |
echo "We inject the commit tag in the docker image ${{ env.COMMIT_TAG }}"
echo COMMIT_TAG=${{ env.COMMIT_TAG }} >> $GITHUB_ENV
- name: Build and push prover image
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
if: ${{ env.PUSH_IMAGE == 'false' }}
with:
context: .
@@ -114,7 +119,7 @@ jobs:
name: linea-prover
path: linea-prover-docker-image.tar.gz
- name: Build and push prover image
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
if: ${{ env.PUSH_IMAGE == 'true' || github.event_name == 'workflow_dispatch' }}
with:
context: .


@@ -1,5 +1,9 @@
name: Prover testing CI
permissions:
contents: read
actions: read
on: workflow_call
env:
GOPROXY: "https://proxy.golang.org"


@@ -1,4 +1,10 @@
name: Reusable check images tags and push
permissions:
contents: read
actions: read
packages: write
on:
workflow_call:
inputs:


@@ -4,7 +4,7 @@ on:
inputs:
release_tag_prefix:
required: true
type: string
type: string
run_test:
required: true
type: boolean
@@ -32,7 +32,7 @@ jobs:
if: ${{ inputs.run_test || inputs.run_e2e_test }}
environment: dockerhub
outputs:
linea_besu_package_tag: ${{ steps.assemble.outputs.dockertag }}
linea_besu_package_tag: ${{ steps.assemble.outputs.dockertag }}
expected_traces_api_version: ${{ steps.assemble.outputs.tracer_plugin_version }}
dockerimage: ${{ steps.assemble.outputs.dockerimage }}
steps:
@@ -44,9 +44,9 @@ jobs:
uses: ./.github/actions/linea-besu-package/assemble
with:
release_tag_prefix: ${{ inputs.release_tag_prefix }}
- name: set up docker buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
- name: set docker build args
run: |
@@ -54,7 +54,7 @@ jobs:
echo "Building docker image: ${{ steps.assemble.outputs.dockerimage }}"
- name: build the combined manifest
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
env:
DOCKER_BUILD_SUMMARY: false
with:
@@ -69,7 +69,7 @@ jobs:
push: false
tags: |
consensys/linea-besu-package:${{ steps.assemble.outputs.dockertag }}
- name: Save Docker image as artifact
run: |
docker images
@@ -101,7 +101,7 @@ jobs:
cancel-in-progress: ${{ github.ref != 'refs/heads/main' || github.event_name == 'workflow_dispatch' }}
uses: ./.github/workflows/reuse-linea-besu-package-run-e2e-tests.yml
with:
linea_besu_package_tag: ${{ needs.build-and-upload-artifact.outputs.linea_besu_package_tag }}
linea_besu_package_tag: ${{ needs.build-and-upload-artifact.outputs.linea_besu_package_tag }}
expected_traces_api_version: ${{ inputs.expected_traces_api_ver || needs.build-and-upload-artifact.outputs.expected_traces_api_version }}
e2e-tests-logs-dump: true
secrets: inherit
@@ -126,14 +126,14 @@ jobs:
compile_release_notes: true
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0
- name: set up docker buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -144,7 +144,7 @@ jobs:
echo "Building docker image: ${{ steps.assemble.outputs.dockerimage }}"
- name: build and push the combined manifest
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
env:
DOCKER_BUILD_SUMMARY: false
with:
@@ -152,7 +152,7 @@ jobs:
platforms: linux/arm64,linux/amd64
provenance: false
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
build-args: |
VERSION=${{ steps.assemble.outputs.dockertag }}
VCS_REF=${{ github.sha }}
@@ -188,12 +188,12 @@ jobs:
- name: Conventional Changelog Action
if: ${{ github.event_name == 'workflow_dispatch' }}
id: change_log
uses: TriPSs/conventional-changelog-action@v5
uses: TriPSs/conventional-changelog-action@3c4970b6573374889b897403d2f1278c395ea0df #v5.4.0
with:
git-path: ./linea-besu-package/
git-push: false
output-file: "false"
- name: Append Changelog Action to release note
if: ${{ github.event_name == 'workflow_dispatch' }}
id: append_change_log
@@ -206,7 +206,7 @@ jobs:
- name: release - publish artifacts and release notes
id: release_publish
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 #v2.3.2
with:
name: Linea Besu Package ${{ steps.assemble.outputs.releasetag }}
tag_name: linea-besu-package-${{ steps.assemble.outputs.releasetag }}
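Review bot: This workflow gets SHA pins but no `permissions:` block, although it ends in `softprops/action-gh-release`, which needs `contents: write`; every hunk keeps identical old and new line numbers, so no lines were added anywhere in the file. Unless the block already exists outside the visible hunks, the release step depends on whatever default token scope the repository or the caller provides. Declaring it explicitly keeps the write scope off the build and test jobs: a read-only block at workflow level and `permissions: { contents: write }` on the job that publishes the release. `secrets: inherit` on the e2e call in the hunk at line 101 likewise hands every secret to the reusable workflow; passing only the ones it reads would narrow that.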


@@ -49,7 +49,7 @@ jobs:
steps:
- name: Setup upterm session
if: ${{ inputs.e2e-tests-with-ssh }}
uses: lhotari/action-upterm@v1
uses: lhotari/action-upterm@b0357f23233f5ea6d58947c0c402e0631bab7334 #v1
- name: Checkout
uses: actions/checkout@v4
- name: Setup nodejs environment
@@ -58,7 +58,7 @@ jobs:
pnpm-install-options: '-F contracts -F e2e --frozen-lockfile --prefer-offline'
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -83,7 +83,7 @@ jobs:
echo "BESU_PACKAGE_TAG=${{ env.BESU_PACKAGE_TAG }}"
echo "$(grep expected-traces-api-version config/coordinator/coordinator-config-v2.toml)"
- name: Spin up fresh environment with besu tracing with retry
uses: nick-fields/retry@v3
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2
with:
max_attempts: 10
retry_on: error
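Review bot: The "Setup upterm session" step in the first hunk has no `with:` block, so the SSH session it opens into the runner is not restricted to the person who started the run unless the action's defaults do that. Adding `with:` and `limit-access-to-actor: true` to the step limits the session to the triggering user's registered SSH keys, which matters because the session shares a job with the Docker Hub login that follows. The pin comment `#v1` also names no exact release, unlike the other pins in this commit, which makes the SHA harder to audit against upstream. The same step appears in the "Reusable run e2e tests" workflow.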


@@ -1,4 +1,9 @@
name: Reusable run e2e tests
permissions:
contents: read
actions: read
on:
workflow_dispatch:
inputs:
@@ -71,7 +76,7 @@ jobs:
steps:
- name: Setup upterm session
if: ${{ inputs.e2e-tests-with-ssh }}
uses: lhotari/action-upterm@v1
uses: lhotari/action-upterm@b0357f23233f5ea6d58947c0c402e0631bab7334 #v1
- name: Checkout
uses: actions/checkout@v4
- name: Setup nodejs environment
@@ -80,7 +85,7 @@ jobs:
pnpm-install-options: '-F contracts -F e2e --frozen-lockfile --prefer-offline'
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -89,7 +94,7 @@ jobs:
mkdir -p tmp/local/traces/v2/conflated
chmod -R a+rw tmp/local/
- name: Pull all images with retry
uses: nick-fields/retry@v3
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2
with:
max_attempts: 10
retry_on: error
@@ -110,7 +115,7 @@ jobs:
gunzip -c $GITHUB_WORKSPACE/linea-transaction-exclusion-api/linea-transaction-exclusion-api-docker-image.tar.gz | docker load
shell: bash
- name: Spin up fresh environment with besu tracing with retry
uses: nick-fields/retry@v3
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2
with:
max_attempts: 10
retry_on: error


@@ -1,4 +1,8 @@
name: Reusable store image name and tags
permissions:
contents: read
on:
workflow_call:
outputs:


@@ -1,5 +1,9 @@
name: Smart contracts test
permissions:
contents: read
actions: read
on:
workflow_call:
inputs:
@@ -47,7 +51,7 @@ jobs:
# Required for hardhat commands due to @nomicfoundation/hardhat-foundry package
- name: Install Foundry
uses: foundry-rs/foundry-toolchain@v1
uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de #v1.4.0
- name: Compile kzg.node
run: npx node-gyp --directory=contracts/node_modules/c-kzg rebuild # explicitly running rebuild to get the .node file
@@ -65,7 +69,7 @@ jobs:
- name: Upload coverage to Codecov
if: ${{ env.CODECOV_TOKEN != '' }}
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3
with:
fail_ci_if_error: true
files: ./contracts/coverage/coverage-final.json


@@ -1,4 +1,10 @@
name: Export Security Report to CSV
permissions:
contents: read
actions: read
security-events: read
on: workflow_dispatch
jobs:
data_gathering:


@@ -1,5 +1,8 @@
name: Notify Slack on external issue creation
permissions:
contents: read
on:
issues:
types: [ opened ]


@@ -1,5 +1,9 @@
name: staterecovery-testing
permissions:
contents: read
actions: read
on:
workflow_call:
inputs:
@@ -51,7 +55,7 @@ jobs:
./gradlew besu-plugins:state-recovery:besu-plugin:shadowJar
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -61,7 +65,7 @@ jobs:
./gradlew besu-plugins:state-recovery:test-cases:integrationTest
# - name: Setup upterm session
# if: ${{ inputs.e2e-tests-with-ssh }}
# uses: lhotari/action-upterm@v1
# uses: lhotari/action-upterm@b0357f23233f5ea6d58947c0c402e0631bab7334 #v1
# Stack fails to start in CI - Disable for now
# - name: Run E2E tests
# timeout-minutes: 15
@@ -82,7 +86,7 @@ jobs:
# ${{ github.workspace }}/build/reports/jacoco/jacocoRootReport/jacocoRootReport.xml
# - name: Upload coverage to Codecov Staterecovery
# if: ${{ env.CODECOV_TOKEN != '' }}
# uses: codecov/codecov-action@v5
# uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3
# with:
# fail_ci_if_error: true
# files: ${{ github.workspace }}/build/reports/jacoco/jacocoRootReport/jacocoRootReport.xml


@@ -1,5 +1,9 @@
name: Testing CI
permissions:
contents: read
actions: read
on:
workflow_call:
inputs:


@@ -68,7 +68,7 @@ jobs:
echo "TAGS=${{ env.IMAGE_NAME }}:${{ env.COMMIT_TAG }},${{ env.IMAGE_NAME }}:${{ env.DEVELOP_TAG }}" >> $GITHUB_ENV
- name: Checkout
uses: actions/checkout@v4
- uses: actions/setup-java@v4
- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
distribution: temurin
java-version: 21
@@ -79,22 +79,22 @@ jobs:
./gradlew transaction-exclusion-api:app:installDist
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0
- name: Set up Docker Buildx - local
id: buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1
- name: Docker meta
id: transaction-exclusion-api
uses: docker/metadata-action@v5
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0
with:
images: ${{ env.IMAGE_NAME }}
- name: Build for testing
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
if: ${{ env.PUSH_IMAGE == 'false' }}
with:
context: .
@@ -116,7 +116,7 @@ jobs:
name: linea-transaction-exclusion-api
path: linea-transaction-exclusion-api-docker-image.tar.gz
- name: Build & push
uses: docker/build-push-action@v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
if: ${{ env.PUSH_IMAGE == 'true' || github.event_name == 'workflow_dispatch' }}
with:
context: .


@@ -1,5 +1,9 @@
name: transaction-exclusion-api-testing
permissions:
contents: read
actions: read
on:
workflow_call:
secrets:
@@ -30,7 +34,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/setup-java@v4
- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0
with:
distribution: temurin
java-version: 21
@@ -46,7 +50,7 @@ jobs:
./gradlew transaction-exclusion-api:app:buildNeeded
- name: Login to Docker Hub
if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}


@@ -1,5 +1,8 @@
name: Check For Audit Tags On PR
permissions:
contents: read
on:
pull_request:
branches:


@@ -148,7 +148,7 @@ export default class EthTransfer extends Command {
type: 2,
chainId,
maxFeePerGas: fees.maxFeePerGas,
maxPriorityFeePerGas: fees.maxPriorityFeePerGas,
maxPriorityFeePerGas: fees.maxPriorityFeePerGas ?? null,
nonce: nonce,
};


@@ -179,7 +179,7 @@ export default class Synctx extends Command {
const toAddress = tx.to ? await ethers.resolveAddress(tx.to) : undefined;
const transaction: ethers.TransactionLike<string> = {
to: toAddress,
to: toAddress ?? null,
nonce: Number(tx.nonce),
gasLimit: BigInt(tx.gas),
...(Number(tx.type) === 2