Added vault audit workflows

russell-stern · russell-stern · commit e51f2236dba4 · 2026-06-18T10:16:17.000-04:00
diff --git a/.github/workflows/vault-audit-commands.yml b/.github/workflows/vault-audit-commands.yml
@@ -0,0 +1,115 @@
+name: Vault Audit Commands
+
+# Handles /vault-audit and /vault-audit skip <reason> comments from authorized reviewers.
+# Authorization: commenter must have write or admin permission on this repository
+# (which is the requirement for being listed in CODEOWNERS).
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  handle-command:
+    # Only run on PR comments containing a vault-audit command
+    if: |
+      github.event.issue.pull_request != null &&
+      (
+        startsWith(github.event.comment.body, '/vault-audit skip ') ||
+        github.event.comment.body == '/vault-audit' ||
+        startsWith(github.event.comment.body, '/vault-audit ')
+      )
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+      statuses: write
+
+    steps:
+      - name: Check commenter authorization
+        id: auth
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/${{ github.event.comment.user.login }}/permission \
+            --jq '.permission' 2>/dev/null || echo "none")
+
+          if [[ "$PERMISSION" == "write" || "$PERMISSION" == "admin" ]]; then
+            echo "authorized=true" >> $GITHUB_OUTPUT
+          else
+            echo "authorized=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Reject unauthorized commenter
+        if: steps.auth.outputs.authorized == 'false'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh pr comment ${{ github.event.issue.number }} \
+            --body "⛔ @${{ github.event.comment.user.login }} — only authorized reviewers (repository write access) can trigger the vault audit."
+          exit 1
+
+      - name: Get PR details
+        id: pr
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          PR=$(gh api /repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} \
+            --jq '{head_sha: .head.sha, base_sha: .base.sha}')
+          echo "head_sha=$(echo "$PR" | jq -r '.head_sha')" >> $GITHUB_OUTPUT
+          echo "base_sha=$(echo "$PR" | jq -r '.base_sha')" >> $GITHUB_OUTPUT
+
+      - name: Parse command
+        id: cmd
+        run: |
+          BODY="${{ github.event.comment.body }}"
+          if echo "$BODY" | grep -qP '^/vault-audit skip .+'; then
+            echo "type=skip" >> $GITHUB_OUTPUT
+            REASON=$(echo "$BODY" | sed 's|^/vault-audit skip ||')
+            echo "reason=$REASON" >> $GITHUB_OUTPUT
+          else
+            echo "type=run" >> $GITHUB_OUTPUT
+          fi
+
+      # ── /vault-audit skip <reason> ────────────────────────────────────────────
+      - name: Handle skip
+        if: steps.cmd.outputs.type == 'skip'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          REASON="${{ steps.cmd.outputs.reason }}"
+          SHA="${{ steps.pr.outputs.head_sha }}"
+
+          gh api /repos/${{ github.repository }}/statuses/$SHA \
+            --method POST \
+            -f state=success \
+            -f context="vault-audit" \
+            -f description="Vault audit skipped by ${{ github.event.comment.user.login }}: $REASON"
+
+          gh pr comment ${{ github.event.issue.number }} \
+            --body "✅ Vault audit skipped by @${{ github.event.comment.user.login }}
+
+          **Reason:** $REASON
+
+          > ⚠️ This skip applies to the current HEAD (\`${SHA:0:8}\`). Pushing new vault file changes will re-require an audit."
+
+      # ── /vault-audit ─────────────────────────────────────────────────────────
+      - name: Acknowledge audit request
+        if: steps.cmd.outputs.type == 'run'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh pr comment ${{ github.event.issue.number }} \
+            --body "🔍 Vault audit triggered by @${{ github.event.comment.user.login }} — running now. Results will appear as a new comment when complete."
+
+      - name: Trigger vault audit
+        if: steps.cmd.outputs.type == 'run'
+        uses: smartcontractkit/cre-docs/.github/workflows/vault-audit.yml@main
+        with:
+          pr_number: ${{ github.event.issue.number }}
+          head_sha: ${{ steps.pr.outputs.head_sha }}
+          base_sha: ${{ steps.pr.outputs.base_sha }}
+          chainlink_repo: ${{ github.repository }}
+        secrets:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          CRE_DOCS_TOKEN: ${{ secrets.CRE_DOCS_TOKEN }}
+          CHAINLINK_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/vault-audit-gate.yml b/.github/workflows/vault-audit-gate.yml
@@ -0,0 +1,32 @@
+name: Vault Audit Gate
+
+# Posts a "pending" commit status whenever vault-related files are touched, requiring
+# an authorized reviewer to trigger the audit before the PR can merge.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'core/capabilities/vault/**'
+      - 'core/services/ocr2/plugins/vault/**'
+      - 'core/services/gateway/handlers/vault/**'
+      - 'core/services/workflows/v2/secrets.go'
+      - 'system-tests/tests/smoke/cre/vault_don_test.go'
+      - 'system-tests/tests/smoke/cre/vault_don_test_helpers.go'
+      - 'system-tests/lib/cre/vault/**'
+
+jobs:
+  gate:
+    runs-on: ubuntu-latest
+    permissions:
+      statuses: write
+    steps:
+      - name: Post pending status
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh api /repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }} \
+            --method POST \
+            -f state=pending \
+            -f context="vault-audit" \
+            -f description="Vault audit required — an authorized reviewer must comment /vault-audit"
diff --git a/.github/workflows/vault-audit-thread-resolved.yml b/.github/workflows/vault-audit-thread-resolved.yml
@@ -0,0 +1,42 @@
+name: Vault Audit Thread Resolved
+
+# Fires when any PR review thread is resolved. Calls the cre-docs override-check
+# reusable workflow to re-evaluate whether all blocking vault audit findings are resolved
+# and updates the commit status accordingly.
+
+on:
+  pull_request_review_thread:
+    types: [resolved]
+
+jobs:
+  check-overrides:
+    runs-on: ubuntu-latest
+    permissions:
+      statuses: write
+      pull-requests: read
+
+    steps:
+      - name: Check resolver authorization
+        id: auth
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          RESOLVER="${{ github.event.sender.login }}"
+          PERMISSION=$(gh api /repos/${{ github.repository }}/collaborators/$RESOLVER/permission \
+            --jq '.permission' 2>/dev/null || echo "none")
+
+          if [[ "$PERMISSION" == "write" || "$PERMISSION" == "admin" ]]; then
+            echo "authorized=true" >> $GITHUB_OUTPUT
+          else
+            echo "authorized=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run override check
+        if: steps.auth.outputs.authorized == 'true'
+        uses: smartcontractkit/cre-docs/.github/workflows/vault-audit-override-check.yml@main
+        with:
+          pr_number: ${{ github.event.pull_request.number }}
+          head_sha: ${{ github.event.pull_request.head.sha }}
+          chainlink_repo: ${{ github.repository }}
+        secrets:
+          CHAINLINK_TOKEN: ${{ github.token }}
