Skip to content

Added vault audit workflows#22893

Open
russell-stern wants to merge 5 commits into
developfrom
vault_skill_action
Open

Added vault audit workflows#22893
russell-stern wants to merge 5 commits into
developfrom
vault_skill_action

Conversation

@russell-stern

@russell-stern russell-stern commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

What

Adds an automated security-audit gate for pull requests that modify CRE Vault code. When a PR touches vault paths, merging is blocked behind a vault-audit status check until an authorized reviewer runs the audit and any blocking findings are addressed.

This PR adds two workflows to chainlink:

  • .github/workflows/vault-audit-gate.yml — runs on every PR; ensures the vault-audit status check is always present on the latest commit.
  • .github/workflows/vault-audit-commands.yml — handles /vault-audit slash commands from authorized reviewers.

The audit logic itself lives in the private smartcontractkit/cre-docs repo and is not part of this change. chainlink only triggers it and receives a pass/fail status.

How it works

  1. A PR touches vault code → vault-audit-gate.yml posts a pending status: "an authorized reviewer must comment /vault-audit." (PRs with no vault changes auto-pass.)
  2. A reviewer with write access comments /vault-audit. The workflow:
    • verifies the commenter is authorized,
    • requires all commits in the PR to be verified (signed) before running, then
    • dispatches the audit to cre-docs (which audits this PR's HEAD and writes results to a private issue).
  3. cre-docs posts/updates the acknowledgement comment here and sets the final vault-audit status (✅ pass / ⚠️ blocking findings), with the "Details" link and comment pointing at the private issue.
  4. Blocking (CRITICAL / MUST FIX) findings are resolved by reviewers on the private issue; the status flips green automatically when none remain.

Carry-forward behavior

Once a PR has a passing audit, the verdict carries forward across new commits (e.g. merging develop, small fixes) — vault-audit-gate.yml re-stamps the last verdict on each new head. Re-auditing is the developer's call (/vault-audit again); it is not forced on every push.

Commands

  • /vault-audit — run the audit (authorized reviewers only)
  • /vault-audit skip <reason> — bypass the audit for the PR (stands like a pass, carries forward)
  • /vault-audit model=<opus|sonnet|haiku> — override the audit model
  • /vault-audit effort=<low|medium|high|xhigh|max> (alias thinking=) — override the reasoning effort

Required setup before this is effective

  • Add vault-audit as a required status check in branch protection for the target branch(es).
  • The GATI GitHub App must be installed with: contents:read, statuses:write, and pull_requests:write on chainlink (the comment), and contents:write on cre-docs (dispatch trigger).
  • Both workflows must be on the default branch to take effect (issue_comment / pull_request always use the default-branch copy).

Notes

  • Only commits that are verified (signed) can be audited, ensuring the audited code comes from a known signer.

Comment thread .github/workflows/vault-audit-commands.yml Fixed
@github-actions

github-actions Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

✅ No conflicts with other open PRs targeting develop

run-audit:
needs: handle-command
if: needs.handle-command.outputs.run_audit == 'true'
uses: smartcontractkit/cre-docs/.github/workflows/vault-audit.yml@main

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this repo isn't public, you won't be able to this resuable workflow.

@russell-stern russell-stern marked this pull request as ready for review June 26, 2026 17:05
@russell-stern russell-stern requested review from a team as code owners June 26, 2026 17:05
- name: Get GATI token for cre-docs dispatch
id: gati
if: steps.cmd.outputs.type == 'run' && steps.verify.outputs.unverified == 'false'
uses: smartcontractkit/chainlink-github-actions/apps/setup-github-token@main

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if: steps.cmd.outputs.type == 'run' && steps.verify.outputs.unverified == 'false'
uses: smartcontractkit/chainlink-github-actions/apps/setup-github-token@main
with:
app-id: ${{ secrets.GATI_APP_ID }}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With GATI, you shouldn't need the app ID input or a private key. See an example here:

- name: Setup GitHub Token
id: setup-github-token
uses: smartcontractkit/.github/actions/setup-github-token@setup-github-token/v1
with:
aws-role-arn: ${{ inputs.aws-role-arn }}
aws-lambda-url: ${{ inputs.aws-lambda-url }}
aws-region: ${{ inputs.aws-region }}
aws-role-duration-seconds: ${{ inputs.aws-role-duration-seconds }}

- name: Determine whether PR touches vault files
id: scope
run: |
VAULT_RE='^(core/capabilities/vault/|core/services/ocr2/plugins/vault/|core/services/gateway/handlers/vault/|core/services/workflows/v2/secrets\.go|system-tests/tests/smoke/cre/vault_don_test\.go|system-tests/tests/smoke/cre/vault_don_test_helpers\.go|system-tests/lib/cre/vault/)'

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment thread .github/workflows/vault-audit-gate.yml Outdated
Comment on lines +43 to +45
echo "touched=true" >> "$GITHUB_OUTPUT"
else
echo "touched=false" >> "$GITHUB_OUTPUT"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
echo "touched=true" >> "$GITHUB_OUTPUT"
else
echo "touched=false" >> "$GITHUB_OUTPUT"
echo "touched=true" | tee -a "$GITHUB_OUTPUT"
else
echo "touched=false" | tee -a "$GITHUB_OUTPUT"

Totally optional but piping to tee like this will show the output in the GHA run logs (stdout) as well.

COMMENTER: ${{ github.event.comment.user.login }}
PR_NUMBER: ${{ github.event.issue.number }}
run: |
gh pr comment "$PR_NUMBER" \

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this work? Do you need to check out the repo first?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants