diff --git a/.github/actions/image-tag-and-push/action.yml b/.github/actions/image-tag-and-push/action.yml index fa733dff..a1b71db9 100644 --- a/.github/actions/image-tag-and-push/action.yml +++ b/.github/actions/image-tag-and-push/action.yml @@ -34,7 +34,7 @@ runs: steps: - name: Login to Docker Hub if: ${{ github.ref == 'refs/heads/main' && inputs.last_commit_tag_exists == '0' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ inputs.docker_username }} password: ${{ inputs.docker_password }} diff --git a/.github/workflows/all-tools.yml b/.github/workflows/all-tools.yml index cb9b58c8..71661e60 100644 --- a/.github/workflows/all-tools.yml +++ b/.github/workflows/all-tools.yml @@ -1,5 +1,10 @@ name: All tools CI +permissions: + contents: read + actions: read + packages: write + on: push: branches: @@ -93,7 +98,7 @@ jobs: submodules: true - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} 
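Review bot: The version comment on the new pin in image-tag-and-push/action.yml, `#v3.4.0`, has no space after the hash; yamllint's `comments` rule flags that form, and tooling that refreshes SHA pins generally expects `# vX.Y.Z` when it rewrites the SHA and the comment together. Write it as `uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0`, and apply the same spacing to every pinned line in this commit, since all of them use the `#vX.Y.Z` form. A short comment at the top of the composite action stating that `uses:` references are SHA-locked and how they are refreshed would help the next maintainer keep them current.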
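Review bot: The `packages: write` added at the top of all-tools.yml grants the GITHUB_TOKEN write access to GitHub Packages for every job in the workflow, but the only registry login visible in this file is `docker/login-action` with `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN`, which authenticates with the secret rather than the token; unless an image is also pushed to ghcr.io somewhere not shown here, the scope is unused. Keep the top-level block at `contents: read` and `actions: read`, and if a ghcr push does exist, set `packages: write` only under that job's `permissions:`. The same top-level `packages: write` is introduced in bridge-ui-publish.yml, build-and-publish.yml, coordinator-build-and-publish.yml, postman-build-and-publish.yml, prover-build-and-publish.yml and reuse-check-images-tags-and-push.yml, and added to main.yml's existing block, so the same scoping question applies to each.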
@@ -103,17 +108,17 @@ jobs: # cases. We can later set up self-hosted arm64 github runners if we # want arm* based images back. # - name: Set up QEMU - # uses: docker/setup-qemu-action@v3 + # uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0 # with: # platforms: 'arm64,arm' - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - name: Show the "version" build argument run: | echo "We inject the commit tag in the docker image ${{ env.COMMIT_TAG }}" echo COMMIT_TAG=${{ env.COMMIT_TAG }} >> GITHUB_ENV - name: Build and push all tools image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 with: context: . file: ./operations/Dockerfile diff --git a/.github/workflows/bridge-ui-e2e-tests.yml b/.github/workflows/bridge-ui-e2e-tests.yml index 3b6834a7..2cc741a9 100644 --- a/.github/workflows/bridge-ui-e2e-tests.yml +++ b/.github/workflows/bridge-ui-e2e-tests.yml @@ -1,5 +1,9 @@ name: Run Bridge UI E2E Tests +permissions: + contents: read + actions: read + on: pull_request: branches: diff --git a/.github/workflows/bridge-ui-publish.yml b/.github/workflows/bridge-ui-publish.yml index f8358d18..4a3fdd32 100644 --- a/.github/workflows/bridge-ui-publish.yml +++ b/.github/workflows/bridge-ui-publish.yml @@ -1,5 +1,10 @@ name: Bridge UI Build and Publish +permissions: + contents: read + actions: read + packages: write + on: pull_request: branches: 
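Review bot: The context line `echo COMMIT_TAG=${{ env.COMMIT_TAG }} >> GITHUB_ENV` beside the re-pinned Buildx step in all-tools.yml appends to a file literally named GITHUB_ENV in the workspace rather than to the runner's `$GITHUB_ENV`, so it has no effect on later steps; the equivalent step in postman-build-and-publish.yml and prover-build-and-publish.yml uses `>> $GITHUB_ENV`. Since `COMMIT_TAG` is already read from `env` on the line above, the line can either be dropped or corrected to `echo COMMIT_TAG=${{ env.COMMIT_TAG }} >> $GITHUB_ENV`. This is pre-existing, but the commit touches the surrounding lines and it is the natural moment to fix it.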
@@ -43,17 +48,17 @@ jobs: - name: Login to Docker Repository if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - name: Docker Image Build and Publish id: docker-build-publish - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 with: context: . file: ./bridge-ui/Dockerfile @@ -83,7 +88,7 @@ jobs: NEXT_PUBLIC_ONRAMPER_API_KEY: ${{ secrets.PUBLIC_ONRAMPER_API_KEY }} NEXT_PUBLIC_LAYERSWAP_API_KEY: ${{ secrets.PUBLIC_LAYERSWAP_API_KEY }} NEXT_PUBLIC_ENVIRONMENT: ${{ matrix.environment }} - + test-build: if: github.event.pull_request.head.repo.fork == true # ~1 min saved vs small @@ -92,7 +97,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - + - name: Setup nodejs environment uses: ./.github/actions/setup-nodejs with: diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 0e811e0a..efc8e6a8 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -1,5 +1,10 @@ name: Docker build and publish +permissions: + contents: read + actions: read + packages: write + on: workflow_call: inputs: diff --git a/.github/workflows/codecov-external-pr.yml b/.github/workflows/codecov-external-pr.yml index 0b40c0e7..e82e193e 100644 --- a/.github/workflows/codecov-external-pr.yml +++ b/.github/workflows/codecov-external-pr.yml 
@@ -64,7 +64,7 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} # Gets run id of the precedeing workflow that triggered this workflow_run run-id: ${{ github.event.workflow_run.id }} - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3 if: ${{ steps.coordinator-report-download.outcome == 'success' }} with: fail_ci_if_error: true @@ -94,7 +94,7 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} # Gets run id of the precedeing workflow that triggered this workflow_run run-id: ${{ github.event.workflow_run.id }} - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3 if: ${{ steps.smc-report-download.outcome == 'success' }} with: fail_ci_if_error: true @@ -103,4 +103,4 @@ jobs: os: linux name: codecov-contracts verbose: true - token: ${{ secrets.CODECOV_TOKEN }} \ No newline at end of file + token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d149a61d..eb8f5061 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,7 +29,7 @@ jobs: - name: Setup Java if: matrix.language == 'java-kotlin' - uses: actions/setup-java@v4 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 with: distribution: temurin java-version: 21 diff --git a/.github/workflows/coordinator-build-and-publish.yml b/.github/workflows/coordinator-build-and-publish.yml index 03ba0454..d804f4a3 100644 --- a/.github/workflows/coordinator-build-and-publish.yml +++ b/.github/workflows/coordinator-build-and-publish.yml @@ -1,5 +1,10 @@ name: coordinator-build +permissions: + contents: read + actions: read + packages: write + on: workflow_call: inputs: 
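Review bot: codecov-external-pr.yml receives only the codecov-action pin in this commit and no `permissions:` block, although its hunks show a `workflow_run`-driven job that downloads artifacts from the triggering run (`run-id: ${{ github.event.workflow_run.id }}`) using `secrets.GITHUB_TOKEN`; `workflow_run` workflows execute in the base repository with the default token, which makes this the file where an explicit read-only token matters most. If nothing above line 64 already declares one, add a top-level `permissions:` with `contents: read` and `actions: read`, matching the other workflows in this change. codeql.yml, maven-release.yml and maven-release-all.yml likewise get only pin updates here; worth confirming they already carry an explicit block.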
@@ -81,22 +86,22 @@ jobs: ./gradlew coordinator:app:installDist - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0 - name: Set up Docker Buildx - local id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - name: Docker meta id: coordinator - uses: docker/metadata-action@v5 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0 with: images: ${{ env.IMAGE_NAME }} - name: Build for testing - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 if: ${{ env.PUSH_IMAGE == 'false' }} with: context: . @@ -118,7 +123,7 @@ jobs: name: linea-coordinator path: linea-coordinator-docker-image.tar.gz - name: Build & push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 if: ${{ env.PUSH_IMAGE == 'true' || github.event_name == 'workflow_dispatch' }} with: context: . diff --git a/.github/workflows/coordinator-testing.yml b/.github/workflows/coordinator-testing.yml index f1373852..4001c188 100644 --- a/.github/workflows/coordinator-testing.yml +++ b/.github/workflows/coordinator-testing.yml @@ -1,5 +1,9 @@ name: coordinator-testing +permissions: + contents: read + actions: read + on: workflow_call: inputs: 
@@ -47,7 +51,7 @@ jobs: ./gradlew -V coordinator:app:buildNeeded - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -67,7 +71,7 @@ jobs: ${{ github.workspace }}/build/reports/jacoco/jacocoRootReport/jacocoRootReport.xml - name: Upload coverage to Codecov if: ${{ env.CODECOV_TOKEN != '' }} - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3 with: fail_ci_if_error: true files: ${{ github.workspace }}/build/reports/jacoco/jacocoRootReport/jacocoRootReport.xml diff --git a/.github/workflows/get-has-changes-requiring-e2e-testing.yml b/.github/workflows/get-has-changes-requiring-e2e-testing.yml index a753610e..68f56aa5 100644 --- a/.github/workflows/get-has-changes-requiring-e2e-testing.yml +++ b/.github/workflows/get-has-changes-requiring-e2e-testing.yml @@ -1,5 +1,8 @@ name: get-has-changes-requiring-e2e-testing +permissions: + contents: read + on: workflow_call: inputs: diff --git a/.github/workflows/github-release-besu-plugin.yml b/.github/workflows/github-release-besu-plugin.yml index 6fd81ab9..7929d246 100644 --- a/.github/workflows/github-release-besu-plugin.yml +++ b/.github/workflows/github-release-besu-plugin.yml @@ -1,4 +1,9 @@ name: Github Release for Besu Plugins + +permissions: + contents: write + actions: read + on: workflow_call: inputs: @@ -39,7 +44,7 @@ jobs: fetch-depth: 1 - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 with: java-version: '21' distribution: 'temurin' diff --git a/.github/workflows/linea-sequencer-plugin-release.yml b/.github/workflows/linea-sequencer-plugin-release.yml index a86029f8..b15cd0ab 100644 
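Review bot: The new top-level `contents: write` in github-release-besu-plugin.yml applies to every job in the reusable workflow, including the JDK setup and build steps shown in the second hunk, not only the step that publishes the release. If the workflow has more than one job, keep the top-level block at `contents: read` and put `contents: write` under the publishing job's `permissions:`; a one-line comment above `actions: read` naming the step that needs it would also help. linea-sequencer-plugin-release.yml receives the same top-level `contents: write` and the same scoping applies there.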
--- a/.github/workflows/linea-sequencer-plugin-release.yml +++ b/.github/workflows/linea-sequencer-plugin-release.yml @@ -1,5 +1,9 @@ name: linea-sequencer-plugin-release +permissions: + contents: write + actions: read + on: workflow_dispatch: inputs: @@ -14,7 +18,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 with: java-version: 21 distribution: temurin diff --git a/.github/workflows/linea-sequencer-plugin-testing.yml b/.github/workflows/linea-sequencer-plugin-testing.yml index 902f16f8..97c56954 100644 --- a/.github/workflows/linea-sequencer-plugin-testing.yml +++ b/.github/workflows/linea-sequencer-plugin-testing.yml @@ -1,5 +1,9 @@ name: linea-sequencer-plugin-testing +permissions: + contents: read + actions: read + on: workflow_call: @@ -16,7 +20,7 @@ jobs: - uses: gradle/actions/wrapper-validation@v4 - name: Set up Java - uses: actions/setup-java@v4 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 with: distribution: temurin java-version: 21 @@ -53,7 +57,7 @@ jobs: uses: actions/checkout@v4 - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 with: java-version: 21 distribution: temurin diff --git a/.github/workflows/load-test.yml b/.github/workflows/load-test.yml index 07765472..01987488 100644 --- a/.github/workflows/load-test.yml +++ b/.github/workflows/load-test.yml @@ -1,5 +1,8 @@ name: Load Test Manual Action +permissions: + contents: read + on: workflow_dispatch: inputs: @@ -33,7 +36,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 with: distribution: temurin java-version: 17 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9d7591aa..0f98bb37 100644 --- a/.github/workflows/main.yml 
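Review bot: `actions/checkout@v4` stays on a mutable tag in the linea-sequencer-plugin-release.yml hunk while `actions/setup-java` two lines below it is pinned to a SHA, so the supply-chain benefit of this change is only partial: a job is as trustworthy as its least-pinned action, and checkout runs first. `gradle/actions/wrapper-validation@v4` in linea-sequencer-plugin-testing.yml is in the same position, and `actions/checkout@v4` recurs in the load-test.yml, reuse-linea-besu-package-run-e2e-tests.yml, reuse-run-e2e-tests.yml, transaction-exclusion-api-build-and-publish.yml and transaction-exclusion-api-testing.yml hunks. Pin these to a commit SHA with the same `# vX.Y.Z` comment, or say in the PR description why they are deliberately left on tags.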
+++ b/.github/workflows/main.yml @@ -10,6 +10,7 @@ permissions: contents: read actions: read security-events: write + packages: write jobs: store-image-name-and-tags: @@ -149,7 +150,6 @@ jobs: secrets: inherit code-analysis: - needs: [ filter-commit-changes ] uses: ./.github/workflows/codeql.yml testing: diff --git a/.github/workflows/maven-release-all.yml b/.github/workflows/maven-release-all.yml index 791f4c8c..d6c429a4 100644 --- a/.github/workflows/maven-release-all.yml +++ b/.github/workflows/maven-release-all.yml @@ -33,7 +33,7 @@ jobs: fetch-depth: 1 - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 with: java-version: '21' distribution: 'temurin' diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml index 63825e12..f8ef6c13 100644 --- a/.github/workflows/maven-release.yml +++ b/.github/workflows/maven-release.yml @@ -21,7 +21,7 @@ jobs: fetch-depth: 1 - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 with: java-version: '21' distribution: 'temurin' diff --git a/.github/workflows/postman-build-and-publish.yml b/.github/workflows/postman-build-and-publish.yml index ee4561e4..e8fa274b 100644 --- a/.github/workflows/postman-build-and-publish.yml +++ b/.github/workflows/postman-build-and-publish.yml @@ -1,5 +1,10 @@ name: postman-build +permissions: + contents: read + actions: read + packages: write + on: workflow_call: inputs: 
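Review bot: Dropping `needs: [ filter-commit-changes ]` from `code-analysis` in main.yml changes when CodeQL runs — it no longer waits on, or is skipped with, the filter job — and nothing in the commit records why; a comment above the job such as `# CodeQL runs unconditionally and does not depend on filter-commit-changes` would capture the intent. In the first hunk, `packages: write` joins `security-events: write` at workflow level, so every job in main.yml, `store-image-name-and-tags`, `testing` and `code-analysis` included, gets a token carrying both write scopes. Since a called reusable workflow inherits the caller job's token, `packages: write` can be granted on just the caller jobs that invoke the publish workflows via `jobs.<id>.permissions`, leaving the remaining jobs read-only.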
@@ -73,22 +78,22 @@ jobs: submodules: true - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0 with: platforms: 'arm64,arm' - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - name: Show the "version" build argument run: | echo "We inject the commit tag in the docker image ${{ env.COMMIT_TAG }}" echo COMMIT_TAG=${{ env.COMMIT_TAG }} >> $GITHUB_ENV - name: Build postman image for testing - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 if: ${{ env.PUSH_IMAGE == 'false' }} with: context: ./ @@ -111,7 +116,7 @@ jobs: name: linea-postman path: linea-postman-docker-image.tar.gz - name: Build and push postman image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 if: ${{ env.PUSH_IMAGE == 'true' || github.event_name == 'workflow_dispatch' }} with: context: ./ diff --git a/.github/workflows/postman-testing.yml b/.github/workflows/postman-testing.yml index 32669c82..09371fbd 100644 --- a/.github/workflows/postman-testing.yml +++ b/.github/workflows/postman-testing.yml @@ -1,5 +1,9 @@ name: postman-and-SDK-testing +permissions: + contents: read + actions: read + on: workflow_call: diff --git a/.github/workflows/prover-build-and-publish.yml b/.github/workflows/prover-build-and-publish.yml index 59cbc18f..c401f828 100644 --- a/.github/workflows/prover-build-and-publish.yml +++ b/.github/workflows/prover-build-and-publish.yml 
@@ -1,5 +1,10 @@ name: Prover build and publish CI +permissions: + contents: read + actions: read + packages: write + on: workflow_call: inputs: @@ -76,18 +81,18 @@ jobs: submodules: true - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - name: Show the "version" build argument run: | echo "We inject the commit tag in the docker image ${{ env.COMMIT_TAG }}" echo COMMIT_TAG=${{ env.COMMIT_TAG }} >> $GITHUB_ENV - name: Build and push prover image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 if: ${{ env.PUSH_IMAGE == 'false' }} with: context: . @@ -114,7 +119,7 @@ jobs: name: linea-prover path: linea-prover-docker-image.tar.gz - name: Build and push prover image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 if: ${{ env.PUSH_IMAGE == 'true' || github.event_name == 'workflow_dispatch' }} with: context: . diff --git a/.github/workflows/prover-testing.yml b/.github/workflows/prover-testing.yml index 9d1d6003..fa0098ca 100644 --- a/.github/workflows/prover-testing.yml +++ b/.github/workflows/prover-testing.yml @@ -1,5 +1,9 @@ name: Prover testing CI +permissions: + contents: read + actions: read + on: workflow_call env: GOPROXY: "https://proxy.golang.org" diff --git a/.github/workflows/reuse-check-images-tags-and-push.yml b/.github/workflows/reuse-check-images-tags-and-push.yml index 748cc246..26d0b879 100644 --- a/.github/workflows/reuse-check-images-tags-and-push.yml +++ b/.github/workflows/reuse-check-images-tags-and-push.yml 
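Review bot: In the prover-build-and-publish.yml hunk at line 76 the re-pinned step is named `Build and push prover image` but is guarded by `if: ${{ env.PUSH_IMAGE == 'false' }}`, and the following hunk has an identically named step that actually pushes; the two cannot be told apart in the run log. Rename the first to `Build prover image for testing`, the wording postman-build-and-publish.yml already uses for the same step. Pre-existing, but the pin update touches both lines.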
@@ -1,4 +1,10 @@ name: Reusable check images tags and push + +permissions: + contents: read + actions: read + packages: write + on: workflow_call: inputs: diff --git a/.github/workflows/reuse-linea-besu-package-build-test-push.yml b/.github/workflows/reuse-linea-besu-package-build-test-push.yml index 0c205f04..a310cb7d 100644 --- a/.github/workflows/reuse-linea-besu-package-build-test-push.yml +++ b/.github/workflows/reuse-linea-besu-package-build-test-push.yml @@ -4,7 +4,7 @@ on: inputs: release_tag_prefix: required: true - type: string + type: string run_test: required: true type: boolean @@ -32,7 +32,7 @@ jobs: if: ${{ inputs.run_test || inputs.run_e2e_test }} environment: dockerhub outputs: - linea_besu_package_tag: ${{ steps.assemble.outputs.dockertag }} + linea_besu_package_tag: ${{ steps.assemble.outputs.dockertag }} expected_traces_api_version: ${{ steps.assemble.outputs.tracer_plugin_version }} dockerimage: ${{ steps.assemble.outputs.dockerimage }} steps: @@ -44,9 +44,9 @@ jobs: uses: ./.github/actions/linea-besu-package/assemble with: release_tag_prefix: ${{ inputs.release_tag_prefix }} - + - name: set up docker buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - name: set docker build args run: | @@ -54,7 +54,7 @@ jobs: echo "Building docker image: ${{ steps.assemble.outputs.dockerimage }}" - name: build the combined manifest - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 env: DOCKER_BUILD_SUMMARY: false with: @@ -69,7 +69,7 @@ jobs: push: false tags: | consensys/linea-besu-package:${{ steps.assemble.outputs.dockertag }} - + - name: Save Docker image as artifact run: | docker images 
@@ -101,7 +101,7 @@ jobs: cancel-in-progress: ${{ github.ref != 'refs/heads/main' || github.event_name == 'workflow_dispatch' }} uses: ./.github/workflows/reuse-linea-besu-package-run-e2e-tests.yml with: - linea_besu_package_tag: ${{ needs.build-and-upload-artifact.outputs.linea_besu_package_tag }} + linea_besu_package_tag: ${{ needs.build-and-upload-artifact.outputs.linea_besu_package_tag }} expected_traces_api_version: ${{ inputs.expected_traces_api_ver || needs.build-and-upload-artifact.outputs.expected_traces_api_version }} e2e-tests-logs-dump: true secrets: inherit @@ -126,14 +126,14 @@ jobs: compile_release_notes: true - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0 + - name: set up docker buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -144,7 +144,7 @@ jobs: echo "Building docker image: ${{ steps.assemble.outputs.dockerimage }}" - name: build and push the combined manifest - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 env: DOCKER_BUILD_SUMMARY: false with: @@ -152,7 +152,7 @@ jobs: platforms: linux/arm64,linux/amd64 provenance: false cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache build-args: | VERSION=${{ steps.assemble.outputs.dockertag }} VCS_REF=${{ github.sha }} 
@@ -188,12 +188,12 @@ jobs: - name: Conventional Changelog Action if: ${{ github.event_name == 'workflow_dispatch' }} id: change_log - uses: TriPSs/conventional-changelog-action@v5 + uses: TriPSs/conventional-changelog-action@3c4970b6573374889b897403d2f1278c395ea0df #v5.4.0 with: git-path: ./linea-besu-package/ git-push: false output-file: "false" - + - name: Append Changelog Action to release note if: ${{ github.event_name == 'workflow_dispatch' }} id: append_change_log @@ -206,7 +206,7 @@ jobs: - name: release - publish artifacts and release notes id: release_publish - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 #v2.3.2 with: name: Linea Besu Package ${{ steps.assemble.outputs.releasetag }} tag_name: linea-besu-package-${{ steps.assemble.outputs.releasetag }} diff --git a/.github/workflows/reuse-linea-besu-package-run-e2e-tests.yml b/.github/workflows/reuse-linea-besu-package-run-e2e-tests.yml index a1e5ece8..934d1c13 100644 --- a/.github/workflows/reuse-linea-besu-package-run-e2e-tests.yml +++ b/.github/workflows/reuse-linea-besu-package-run-e2e-tests.yml @@ -49,7 +49,7 @@ jobs: steps: - name: Setup upterm session if: ${{ inputs.e2e-tests-with-ssh }} - uses: lhotari/action-upterm@v1 + uses: lhotari/action-upterm@b0357f23233f5ea6d58947c0c402e0631bab7334 #v1 - name: Checkout uses: actions/checkout@v4 - name: Setup nodejs environment @@ -58,7 +58,7 @@ jobs: pnpm-install-options: '-F contracts -F e2e --frozen-lockfile --prefer-offline' - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} 
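Review bot: The hunk re-pinning `softprops/action-gh-release` in reuse-linea-besu-package-build-test-push.yml publishes a release, which needs `contents: write`, yet this file is one of the few in the commit that gets no explicit `permissions:` block. If it relies on the repository's default token permissions today, add a block that grants `contents: write` only to the release job and `contents: read` elsewhere, so a later tightening of the defaults does not break publishing and the build/test jobs keep a read-only token. `git-push: false` on the changelog action is the safe setting here and deserves a one-line comment saying so.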
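Review bot: The pin comment on `lhotari/action-upterm@b0357f23233f5ea6d58947c0c402e0631bab7334 #v1` in reuse-linea-besu-package-run-e2e-tests.yml records only the floating major tag, so a reader cannot tell which release the SHA corresponds to or whether it is still current; record the exact release the commit was taken from, e.g. `# v1.<minor>.<patch>` (placeholder — fill in from the upstream release list). The same comment is used in reuse-run-e2e-tests.yml and in the commented-out step in staterecovery-testing.yml. Because this action opens an interactive shell on the runner, an exact and auditable pin is worth more here than on most other steps.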
@@ -83,7 +83,7 @@ jobs: echo "BESU_PACKAGE_TAG=${{ env.BESU_PACKAGE_TAG }}" echo "$(grep expected-traces-api-version config/coordinator/coordinator-config-v2.toml)" - name: Spin up fresh environment with besu tracing with retry - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2 with: max_attempts: 10 retry_on: error diff --git a/.github/workflows/reuse-run-e2e-tests.yml b/.github/workflows/reuse-run-e2e-tests.yml index e97a78d8..49971b77 100644 --- a/.github/workflows/reuse-run-e2e-tests.yml +++ b/.github/workflows/reuse-run-e2e-tests.yml @@ -1,4 +1,9 @@ name: Reusable run e2e tests + +permissions: + contents: read + actions: read + on: workflow_dispatch: inputs: @@ -71,7 +76,7 @@ jobs: steps: - name: Setup upterm session if: ${{ inputs.e2e-tests-with-ssh }} - uses: lhotari/action-upterm@v1 + uses: lhotari/action-upterm@b0357f23233f5ea6d58947c0c402e0631bab7334 #v1 - name: Checkout uses: actions/checkout@v4 - name: Setup nodejs environment @@ -80,7 +85,7 @@ jobs: pnpm-install-options: '-F contracts -F e2e --frozen-lockfile --prefer-offline' - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -89,7 +94,7 @@ jobs: mkdir -p tmp/local/traces/v2/conflated chmod -R a+rw tmp/local/ - name: Pull all images with retry - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2 with: max_attempts: 10 retry_on: error 
@@ -110,7 +115,7 @@ jobs: gunzip -c $GITHUB_WORKSPACE/linea-transaction-exclusion-api/linea-transaction-exclusion-api-docker-image.tar.gz | docker load shell: bash - name: Spin up fresh environment with besu tracing with retry - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 #v3.0.2 with: max_attempts: 10 retry_on: error diff --git a/.github/workflows/reuse-store-image-name-and-tags.yml b/.github/workflows/reuse-store-image-name-and-tags.yml index 07e1681d..eb50bb12 100644 --- a/.github/workflows/reuse-store-image-name-and-tags.yml +++ b/.github/workflows/reuse-store-image-name-and-tags.yml @@ -1,4 +1,8 @@ name: Reusable store image name and tags + +permissions: + contents: read + on: workflow_call: outputs: diff --git a/.github/workflows/run-smc-tests.yml b/.github/workflows/run-smc-tests.yml index 983439ba..bf3bac3f 100644 --- a/.github/workflows/run-smc-tests.yml +++ b/.github/workflows/run-smc-tests.yml @@ -1,5 +1,9 @@ name: Smart contracts test +permissions: + contents: read + actions: read + on: workflow_call: inputs: @@ -47,7 +51,7 @@ jobs: # Required for hardhat commands due to @nomicfoundation/hardhat-foundry package - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de #v1.4.0 - name: Compile kzg.node run: npx node-gyp --directory=contracts/node_modules/c-kzg rebuild # explicitly running rebuild to get the .node file @@ -65,7 +69,7 @@ jobs: - name: Upload coverage to Codecov if: ${{ env.CODECOV_TOKEN != '' }} - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3 with: fail_ci_if_error: true files: ./contracts/coverage/coverage-final.json diff --git a/.github/workflows/security-report-to-csv.yml b/.github/workflows/security-report-to-csv.yml index 209e38a1..f3e9c6b2 100644 --- a/.github/workflows/security-report-to-csv.yml 
+++ b/.github/workflows/security-report-to-csv.yml @@ -1,4 +1,10 @@ name: Export Security Report to CSV + +permissions: + contents: read + actions: read + security-events: read + on: workflow_dispatch jobs: data_gathering: diff --git a/.github/workflows/slack-notify-external-contributions.yml b/.github/workflows/slack-notify-external-contributions.yml index 25f937ad..e4646f06 100644 --- a/.github/workflows/slack-notify-external-contributions.yml +++ b/.github/workflows/slack-notify-external-contributions.yml @@ -1,5 +1,8 @@ name: Notify Slack on external issue creation +permissions: + contents: read + on: issues: types: [ opened ] diff --git a/.github/workflows/staterecovery-testing.yml b/.github/workflows/staterecovery-testing.yml index 14b09ab4..fd44c2c4 100644 --- a/.github/workflows/staterecovery-testing.yml +++ b/.github/workflows/staterecovery-testing.yml @@ -1,5 +1,9 @@ name: staterecovery-testing +permissions: + contents: read + actions: read + on: workflow_call: inputs: @@ -51,7 +55,7 @@ jobs: ./gradlew besu-plugins:state-recovery:besu-plugin:shadowJar - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -61,7 +65,7 @@ jobs: ./gradlew besu-plugins:state-recovery:test-cases:integrationTest # - name: Setup upterm session # if: ${{ inputs.e2e-tests-with-ssh }} -# uses: lhotari/action-upterm@v1 +# uses: lhotari/action-upterm@b0357f23233f5ea6d58947c0c402e0631bab7334 #v1 # Stack fails to start in CI - Disable for now # - name: Run E2E tests # timeout-minutes: 15 
@@ -82,7 +86,7 @@ jobs: # ${{ github.workspace }}/build/reports/jacoco/jacocoRootReport/jacocoRootReport.xml # - name: Upload coverage to Codecov Staterecovery # if: ${{ env.CODECOV_TOKEN != '' }} -# uses: codecov/codecov-action@v5 +# uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 #v5.4.3 # with: # fail_ci_if_error: true # files: ${{ github.workspace }}/build/reports/jacoco/jacocoRootReport/jacocoRootReport.xml diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 9383eae2..080d1b87 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -1,5 +1,9 @@ name: Testing CI +permissions: + contents: read + actions: read + on: workflow_call: inputs: diff --git a/.github/workflows/transaction-exclusion-api-build-and-publish.yml b/.github/workflows/transaction-exclusion-api-build-and-publish.yml index f368b2df..04b36da2 100644 --- a/.github/workflows/transaction-exclusion-api-build-and-publish.yml +++ b/.github/workflows/transaction-exclusion-api-build-and-publish.yml @@ -68,7 +68,7 @@ jobs: echo "TAGS=${{ env.IMAGE_NAME }}:${{ env.COMMIT_TAG }},${{ env.IMAGE_NAME }}:${{ env.DEVELOP_TAG }}" >> $GITHUB_ENV - name: Checkout uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 with: distribution: temurin java-version: 21 
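Review bot: transaction-exclusion-api-build-and-publish.yml receives only the `actions/setup-java` pin in this hunk; unlike coordinator-build-and-publish.yml, postman-build-and-publish.yml and prover-build-and-publish.yml it is given no `permissions:` block in the commit. If the file does not already declare one above line 68, add the same explicit block (`contents: read`, `actions: read`, plus only the write scope the push job genuinely needs) so the four publish workflows are consistent and none falls back to the default token permissions.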
@@ -79,22 +79,22 @@ jobs: ./gradlew transaction-exclusion-api:app:installDist - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0 - name: Set up Docker Buildx - local id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 #v3.11.1 - name: Docker meta id: transaction-exclusion-api - uses: docker/metadata-action@v5 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0 with: images: ${{ env.IMAGE_NAME }} - name: Build for testing - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 if: ${{ env.PUSH_IMAGE == 'false' }} with: context: . @@ -116,7 +116,7 @@ jobs: name: linea-transaction-exclusion-api path: linea-transaction-exclusion-api-docker-image.tar.gz - name: Build & push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0 if: ${{ env.PUSH_IMAGE == 'true' || github.event_name == 'workflow_dispatch' }} with: context: . diff --git a/.github/workflows/transaction-exclusion-api-testing.yml b/.github/workflows/transaction-exclusion-api-testing.yml index 6130fc3e..0a23b1a5 100644 --- a/.github/workflows/transaction-exclusion-api-testing.yml +++ b/.github/workflows/transaction-exclusion-api-testing.yml @@ -1,5 +1,9 @@ name: transaction-exclusion-api-testing +permissions: + contents: read + actions: read + on: workflow_call: secrets: 
@@ -30,7 +34,7 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - uses: actions/setup-java@v4 + - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b #v4.5.0 with: distribution: temurin java-version: 21 @@ -46,7 +50,7 @@ jobs: ./gradlew transaction-exclusion-api:app:buildNeeded - name: Login to Docker Hub if: ${{ env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/valid-audit-pr-has-tags.yml b/.github/workflows/valid-audit-pr-has-tags.yml index d90bd8b1..4f3f3705 100644 --- a/.github/workflows/valid-audit-pr-has-tags.yml +++ b/.github/workflows/valid-audit-pr-has-tags.yml @@ -1,5 +1,8 @@ name: Check For Audit Tags On PR +permissions: + contents: read + on: pull_request: branches: diff --git a/operations/src/commands/eth-transfer.ts b/operations/src/commands/eth-transfer.ts index e27a39a5..04239748 100644 --- a/operations/src/commands/eth-transfer.ts +++ b/operations/src/commands/eth-transfer.ts @@ -148,7 +148,7 @@ export default class EthTransfer extends Command { type: 2, chainId, maxFeePerGas: fees.maxFeePerGas, - maxPriorityFeePerGas: fees.maxPriorityFeePerGas, + maxPriorityFeePerGas: fees.maxPriorityFeePerGas ?? null, nonce: nonce, }; diff --git a/operations/src/commands/synctx.ts b/operations/src/commands/synctx.ts index fa39d869..bf68c0e5 100644 --- a/operations/src/commands/synctx.ts +++ b/operations/src/commands/synctx.ts @@ -179,7 +179,7 @@ export default class Synctx extends Command { const toAddress = tx.to ? await ethers.resolveAddress(tx.to) : undefined; const transaction: ethers.TransactionLike = { - to: toAddress, + to: toAddress ?? null, nonce: Number(tx.nonce), gasLimit: BigInt(tx.gas), ...(Number(tx.type) === 2
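Review bot: `maxPriorityFeePerGas: fees.maxPriorityFeePerGas ?? null` in eth-transfer.ts only maps `undefined` to `null` — presumably to satisfy the `TransactionLike` typing — so a `fees` object whose priority fee is already `null` (what a provider reports when it has no EIP-1559 fee data) still yields a `type: 2` request with no priority fee. If that case is not meant to be sent, guard before assembling the request, e.g. `if (fees.maxPriorityFeePerGas == null) throw new Error("no maxPriorityFeePerGas available for an EIP-1559 transaction");`, and add a comment on the new line saying why the coalescing is needed. The enclosing method starts and ends outside the hunk. The matching `to: toAddress ?? null` in synctx.ts is fine, as a null `to` is the normal encoding of a contract creation.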