Closed
135 changes: 130 additions & 5 deletions .github/workflows/ci.yml
@@ -25,20 +25,144 @@
define-matrix:
runs-on: ubuntu-latest
outputs:
tests: ${{ steps.tests.outputs.tests }}
pah-tests: ${{ steps.tests.outputs.pah-tests }}
kah-tests: ${{ steps.tests.outputs.kah-tests }}
other-tests: ${{ steps.tests.outputs.other-tests }}
steps:
- uses: actions/checkout@v4
- name: Define Tests
id: tests
run: |
echo tests=$(cd packages && ls */src/*.test.ts | jq -R -s -c 'split("\n")[:-1]') >> "$GITHUB_OUTPUT"
tests:
cd packages
all_tests=$(ls */src/*.test.ts)

# Filter PAH tests (assetHubPolkadot)
pah_tests=$(echo "$all_tests" | grep -i "assetHubPolkadot" || true)
echo "pah-tests=$(echo "$pah_tests" | jq -R -s -c 'split("\n") | map(select(length > 0))')" >> "$GITHUB_OUTPUT"

# Filter KAH tests (assetHubKusama)
kah_tests=$(echo "$all_tests" | grep -i "assetHubKusama" || true)
echo "kah-tests=$(echo "$kah_tests" | jq -R -s -c 'split("\n") | map(select(length > 0))')" >> "$GITHUB_OUTPUT"

# All other tests
other_tests=$(echo "$all_tests" | grep -v -i "assetHub" || true)
echo "other-tests=$(echo "$other_tests" | jq -R -s -c 'split("\n") | map(select(length > 0))')" >> "$GITHUB_OUTPUT"

pah-tests:
needs: define-matrix
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v4
- name: setup node env
uses: actions/setup-node@v4
with:
node-version: 22.x
cache: 'yarn'
- run: yarn --immutable
- name: Start Chopsticks for PAH
run: |
source KNOWN_GOOD_BLOCK_NUMBERS_POLKADOT.env
npx @acala-network/chopsticks@latest \
--endpoint=wss://sys.ibp.network/asset-hub-polkadot \
--block=$ASSETHUBPOLKADOT_BLOCK_NUMBER \
--port=8001 > /tmp/chopsticks-pah.log 2>&1 &
echo $! > /tmp/chopsticks-pah.pid

# Wait for server to be ready
timeout=120
elapsed=0
while [ $elapsed -lt $timeout ]; do
if nc -z localhost 8001 2>/dev/null; then
echo "Chopsticks PAH server ready"
break
fi
sleep 2
elapsed=$((elapsed + 2))
done

if [ $elapsed -ge $timeout ]; then
echo "Timeout waiting for chopsticks"
cat /tmp/chopsticks-pah.log
exit 1
fi
- name: Run PAH Tests
env:
ASSETHUBPOLKADOT_ENDPOINT: ws://localhost:8001
run: |
tests='${{ needs.define-matrix.outputs.pah-tests }}'
echo "$tests" | jq -r '.[]' | while read test; do
echo "Running test: $test"
yarn test "packages/$test" || exit 1
done
- name: Cleanup
if: always()
run: |
if [ -f /tmp/chopsticks-pah.pid ]; then
kill $(cat /tmp/chopsticks-pah.pid) || true
fi

kah-tests:
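Review bot: the `Start Chopsticks for PAH` step runs `npx @acala-network/chopsticks@latest`, so every CI run resolves and executes whatever version of the package is current on the registry at that moment; pin an exact version (or add chopsticks to the project's yarn dependencies so the lockfile and `yarn --immutable` cover it), so the fork the tests run against is reproducible and a newly published release cannot change CI behaviour unreviewed. Smaller point in the same region: `while read test` should be `while read -r test` so backslashes in a file name are not interpreted by `read`.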
Comment on lines +52 to +105

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

In general, the problem is fixed by explicitly adding a permissions block to the workflow or to individual jobs, granting only the scopes they truly need (usually contents: read for typical CI tasks). This prevents the workflow from inheriting potentially broader default token permissions from the repo/organization.

For this workflow, none of the jobs (lint, define-matrix, pah-tests, kah-tests, other-tests) need to write to the repository, create releases, or modify issues/PRs. They just check out the code and run Node/Yarn commands. The least-privilege configuration is therefore to set permissions: contents: read at the workflow root (right after the name: or on: block). This will apply to all jobs that do not override permissions, and it aligns with the “minimal starting point” suggested by CodeQL. No additional imports or external methods are needed; this is purely a YAML configuration change within .github/workflows/ci.yml.

Concretely:

  • Edit .github/workflows/ci.yml.
  • Insert a permissions block at the top level (same indentation as on: and jobs:), e.g. between the on: block and the concurrency: block.
  • Set contents: read inside that block.
  • Leave all existing job definitions and steps unchanged.
Suggested changeset 1
.github/workflows/ci.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
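Review bot: the block is correctly placed at the workflow root and `contents: read` is enough for every step shown in ci.yml (`actions/checkout@v4`, `actions/setup-node@v4`, yarn commands). Apply exactly one of the two autofix patches on this page: the second one proposes the same `permissions:` key before `on:`, and running both `git apply` commands would leave the file with a duplicate top-level key.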
EOF
needs: define-matrix
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v4
- name: setup node env
uses: actions/setup-node@v4
with:
node-version: 22.x
cache: 'yarn'
- run: yarn --immutable
- name: Start Chopsticks for KAH
run: |
source KNOWN_GOOD_BLOCK_NUMBERS_KUSAMA.env
npx @acala-network/chopsticks@latest \
--endpoint=wss://sys.ibp.network/asset-hub-kusama \
--block=$ASSETHUBKUSAMA_BLOCK_NUMBER \
--port=8002 > /tmp/chopsticks-kah.log 2>&1 &
echo $! > /tmp/chopsticks-kah.pid

# Wait for server to be ready
timeout=120
elapsed=0
while [ $elapsed -lt $timeout ]; do
if nc -z localhost 8002 2>/dev/null; then
echo "Chopsticks KAH server ready"
break
fi
sleep 2
elapsed=$((elapsed + 2))
done

if [ $elapsed -ge $timeout ]; then
echo "Timeout waiting for chopsticks"
cat /tmp/chopsticks-kah.log
exit 1
fi
- name: Run KAH Tests
env:
ASSETHUBKUSAMA_ENDPOINT: ws://localhost:8002
run: |
tests='${{ needs.define-matrix.outputs.kah-tests }}'
echo "$tests" | jq -r '.[]' | while read test; do
echo "Running test: $test"
yarn test "packages/$test" || exit 1
done
- name: Cleanup
if: always()
run: |
if [ -f /tmp/chopsticks-kah.pid ]; then
kill $(cat /tmp/chopsticks-kah.pid) || true
fi

other-tests:
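Review bot: `kah-tests` is a line-for-line copy of `pah-tests` with only the env file, endpoint, port, pid path and matrix output changed, so the unpinned `npx @acala-network/chopsticks@latest` invocation and the readiness loop are now maintained in three places (update-snapshot.yml already parameterises the network via `matrix.network`). Consider one job with `matrix: network: [polkadot, kusama]`, or a composite action for the start/wait/cleanup steps, so a fix such as pinning the chopsticks version does not have to be applied to each copy separately.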
Comment on lines +106 to +159

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 months ago

In general, the problem is fixed by explicitly declaring permissions: for the workflow or individual jobs, limiting the GITHUB_TOKEN to the least privileges needed. For a typical test-only CI workflow that only checks out code and installs dependencies, contents: read is sufficient, and no write scopes are required.

The best fix here without changing existing functionality is to add a single permissions: block at the top (root) level of .github/workflows/ci.yml, right under name: CI and before on:, setting contents: read. Root-level permissions apply to all jobs (lint, define-matrix, pah-tests, kah-tests, other-tests, all-passed) that do not define their own permissions: block, so we only need to add it once. None of the shown jobs perform any write operations to the repository or other GitHub resources, so restricting to contents: read will not break behavior.

Concretely:

  • Edit .github/workflows/ci.yml.
  • Insert:
permissions:
  contents: read

between line 1 (name: CI) and line 3 (on:). No additional methods, imports, or dependencies are required.

Suggested changeset 1
.github/workflows/ci.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ master ]
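Review bot: equivalent to the first autofix except for placement; either position is valid at the root level, so pick one and apply it once. The root-level block covers only ci.yml: the update-snapshot.yml job changed in this PR commits and creates a PR via `actions/github-script@v6`, so it needs its own job-level write scopes rather than this read-only default.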
EOF
needs: define-matrix
timeout-minutes: 60
strategy:
fail-fast: false
matrix:
tests: ${{ fromJSON(needs.define-matrix.outputs.tests) }}
tests: ${{ fromJSON(needs.define-matrix.outputs.other-tests) }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
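Review bot: `other-tests` keeps one runner per test file with `fail-fast: false`, while `pah-tests` and `kah-tests` run their file lists sequentially with `|| exit 1`, so the first failing asset-hub test stops the job and the remaining files are never reported; if that is intended to save runner time, say so in a comment, otherwise record failures and exit non-zero after the loop. Also `fromJSON(needs.define-matrix.outputs.other-tests)` feeds the matrix directly; if the `grep -v -i "assetHub"` filter ever yields `[]`, the job is defined with a matrix vector that has no values, which GitHub Actions rejects at job setup, so guard the job with an `if:` on the output or ensure the list is never empty.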
@@ -49,9 +173,10 @@
cache: 'yarn'
- run: yarn --immutable
- run: yarn test packages/${{ matrix.tests }}

all-passed:
runs-on: ubuntu-latest
needs: tests
needs: [pah-tests, kah-tests, other-tests]
if: always()
steps:
- name: All tests ok
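Review bot: `all-passed` now waits on three jobs instead of one but keeps `if: always()`, so it still runs when `pah-tests` or `kah-tests` fail; the `All tests ok` step (body not shown in this hunk) must now check `needs.pah-tests.result`, `needs.kah-tests.result` and `needs.other-tests.result`, because a check written against the old single `needs.tests` job would no longer match anything and could leave the gate green on asset-hub failures. Please include the updated step body in the diff.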
51 changes: 50 additions & 1 deletion .github/workflows/update-snapshot.yml
@@ -27,7 +27,56 @@ jobs:
cache: 'yarn'
- run: yarn --immutable
- run: yarn update-known-good
- run: yarn test:${{ matrix.network }} -u
- name: Start Chopsticks
run: |
if [ "${{ matrix.network }}" = "polkadot" ]; then
source KNOWN_GOOD_BLOCK_NUMBERS_POLKADOT.env
npx @acala-network/chopsticks@latest \
--endpoint=wss://sys.ibp.network/asset-hub-polkadot \
--block=$ASSETHUBPOLKADOT_BLOCK_NUMBER \
--port=8001 > /tmp/chopsticks.log 2>&1 &
echo $! > /tmp/chopsticks.pid
PORT=8001
ENDPOINT_VAR="ASSETHUBPOLKADOT_ENDPOINT"
else
source KNOWN_GOOD_BLOCK_NUMBERS_KUSAMA.env
npx @acala-network/chopsticks@latest \
--endpoint=wss://sys.ibp.network/asset-hub-kusama \
--block=$ASSETHUBKUSAMA_BLOCK_NUMBER \
--port=8002 > /tmp/chopsticks.log 2>&1 &
echo $! > /tmp/chopsticks.pid
PORT=8002
ENDPOINT_VAR="ASSETHUBKUSAMA_ENDPOINT"
fi

# Wait for server to be ready
timeout=120
elapsed=0
while [ $elapsed -lt $timeout ]; do
if nc -z localhost $PORT 2>/dev/null; then
echo "Chopsticks server ready on port $PORT"
break
fi
sleep 2
elapsed=$((elapsed + 2))
done

if [ $elapsed -ge $timeout ]; then
echo "Timeout waiting for chopsticks"
cat /tmp/chopsticks.log
exit 1
fi

# Export endpoint for tests
echo "${ENDPOINT_VAR}=ws://localhost:${PORT}" >> $GITHUB_ENV
- name: Run Tests
run: yarn test:${{ matrix.network }} -u
- name: Cleanup
if: always()
run: |
if [ -f /tmp/chopsticks.pid ]; then
kill $(cat /tmp/chopsticks.pid) || true
fi
- name: Commit and Create PR
uses: actions/github-script@v6
with:
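Review bot: this job later commits and opens a PR through `actions/github-script@v6`, so it is the one workflow on this page that genuinely needs write scopes (`contents: write` and `pull-requests: write`, set at job level); keep that in mind if the root-level `contents: read` CodeQL suggests for ci.yml is copied here. The `Start Chopsticks` step has the same unpinned `npx @acala-network/chopsticks@latest` as ci.yml, and since this workflow's output is a commit proposed to the repository, an unexpected package change here lands in a PR, so pin the version. Minor: quote `"$GITHUB_ENV"` in the append.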
20 changes: 10 additions & 10 deletions KNOWN_GOOD_BLOCK_NUMBERS_KUSAMA.env
@@ -1,10 +1,10 @@
ASSETHUBKUSAMA_BLOCK_NUMBER=12792874
BASILISK_BLOCK_NUMBER=12909953
BRIDGEHUBKUSAMA_BLOCK_NUMBER=7419039
CORETIMEKUSAMA_BLOCK_NUMBER=4353209
ENCOINTERKUSAMA_BLOCK_NUMBER=12255934
KARURA_BLOCK_NUMBER=10794731
KUSAMA_BLOCK_NUMBER=31925684
MOONRIVER_BLOCK_NUMBER=14821033
PEOPLEKUSAMA_BLOCK_NUMBER=7485670
SHIDEN_BLOCK_NUMBER=13432313
ASSETHUBKUSAMA_BLOCK_NUMBER=12877952
BASILISK_BLOCK_NUMBER=13000929
BRIDGEHUBKUSAMA_BLOCK_NUMBER=7468550
CORETIMEKUSAMA_BLOCK_NUMBER=4402252
ENCOINTERKUSAMA_BLOCK_NUMBER=12346884
KARURA_BLOCK_NUMBER=10842448
KUSAMA_BLOCK_NUMBER=32025221
MOONRIVER_BLOCK_NUMBER=14914735
PEOPLEKUSAMA_BLOCK_NUMBER=7583926
SHIDEN_BLOCK_NUMBER=13523210