Added vault audit workflows#22893
Conversation
|
✅ No conflicts with other open PRs targeting |
| run-audit: | ||
| needs: handle-command | ||
| if: needs.handle-command.outputs.run_audit == 'true' | ||
| uses: smartcontractkit/cre-docs/.github/workflows/vault-audit.yml@main |
There was a problem hiding this comment.
Since this repo isn't public, you won't be able to this resuable workflow.
| - name: Get GATI token for cre-docs dispatch | ||
| id: gati | ||
| if: steps.cmd.outputs.type == 'run' && steps.verify.outputs.unverified == 'false' | ||
| uses: smartcontractkit/chainlink-github-actions/apps/setup-github-token@main |
There was a problem hiding this comment.
This action is deprecated, let's use: https://github.com/smartcontractkit/.github/tree/main/actions/setup-github-token
| if: steps.cmd.outputs.type == 'run' && steps.verify.outputs.unverified == 'false' | ||
| uses: smartcontractkit/chainlink-github-actions/apps/setup-github-token@main | ||
| with: | ||
| app-id: ${{ secrets.GATI_APP_ID }} |
There was a problem hiding this comment.
With GATI, you shouldn't need the app ID input or a private key. See an example here:
chainlink/.github/actions/deploy-image/action.yml
Lines 58 to 65 in ac2de62
| - name: Determine whether PR touches vault files | ||
| id: scope | ||
| run: | | ||
| VAULT_RE='^(core/capabilities/vault/|core/services/ocr2/plugins/vault/|core/services/gateway/handlers/vault/|core/services/workflows/v2/secrets\.go|system-tests/tests/smoke/cre/vault_don_test\.go|system-tests/tests/smoke/cre/vault_don_test_helpers\.go|system-tests/lib/cre/vault/)' |
There was a problem hiding this comment.
@erikburt would you suggest using https://github.com/smartcontractkit/.github/tree/main/actions/advanced-triggers to trigger this job?
| echo "touched=true" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "touched=false" >> "$GITHUB_OUTPUT" |
There was a problem hiding this comment.
| echo "touched=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "touched=false" >> "$GITHUB_OUTPUT" | |
| echo "touched=true" | tee -a "$GITHUB_OUTPUT" | |
| else | |
| echo "touched=false" | tee -a "$GITHUB_OUTPUT" |
Totally optional but piping to tee like this will show the output in the GHA run logs (stdout) as well.
| COMMENTER: ${{ github.event.comment.user.login }} | ||
| PR_NUMBER: ${{ github.event.issue.number }} | ||
| run: | | ||
| gh pr comment "$PR_NUMBER" \ |
There was a problem hiding this comment.
Does this work? Do you need to check out the repo first?
What
Adds an automated security-audit gate for pull requests that modify CRE Vault code. When a PR touches vault paths, merging is blocked behind a
vault-auditstatus check until an authorized reviewer runs the audit and any blocking findings are addressed.This PR adds two workflows to chainlink:
.github/workflows/vault-audit-gate.yml— runs on every PR; ensures thevault-auditstatus check is always present on the latest commit..github/workflows/vault-audit-commands.yml— handles/vault-auditslash commands from authorized reviewers.The audit logic itself lives in the private
smartcontractkit/cre-docsrepo and is not part of this change. chainlink only triggers it and receives a pass/fail status.How it works
vault-audit-gate.ymlposts apendingstatus: "an authorized reviewer must comment/vault-audit." (PRs with no vault changes auto-pass.)/vault-audit. The workflow:vault-auditstatus (✅ pass /Carry-forward behavior
Once a PR has a passing audit, the verdict carries forward across new commits (e.g. merging
develop, small fixes) —vault-audit-gate.ymlre-stamps the last verdict on each new head. Re-auditing is the developer's call (/vault-auditagain); it is not forced on every push.Commands
/vault-audit— run the audit (authorized reviewers only)/vault-audit skip <reason>— bypass the audit for the PR (stands like a pass, carries forward)/vault-audit model=<opus|sonnet|haiku>— override the audit model/vault-audit effort=<low|medium|high|xhigh|max>(aliasthinking=) — override the reasoning effortRequired setup before this is effective
vault-auditas a required status check in branch protection for the target branch(es).contents:read,statuses:write, andpull_requests:writeon chainlink (the comment), andcontents:writeon cre-docs (dispatch trigger).issue_comment/pull_requestalways use the default-branch copy).Notes