diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f85e68870e..d73e0af187 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -25,13 +25,13 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }} +permissions: { } + jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: - actions: read - contents: read security-events: write strategy: @@ -42,41 +42,43 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - - name: Set up Go 1.23 - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version: 1.23.x - check-latest: true - cache: true + - name: Set up Go 1.23 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + with: + go-version: 1.23.x + check-latest: true + cache: true - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # v3 + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # v3 - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl - # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language - #- run: | - # make bootstrap - # make release + #- run: | + # make bootstrap + # make release - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3 diff --git a/.github/workflows/deploy_node.yml b/.github/workflows/deploy_node.yml index 52d3ac1de3..2752d6f723 100644 --- a/.github/workflows/deploy_node.yml +++ b/.github/workflows/deploy_node.yml @@ -39,6 +39,8 @@ concurrency: group: deploy-node-${{ inputs.network }}-${{ inputs.arch }} # run only one deployment at a time for the same network and architecture cancel-in-progress: false # don't cancel the previous deployment if a new one is triggered +permissions: {} + jobs: check-inputs: name: check-inputs @@ -49,8 +51,11 @@ jobs: steps: - name: Check inputs run: | - echo "${{ env.NETWORK }}" | grep -E '^(mainnet|testnet|stagenet)$' || exit 1 # check if the network is valid - echo "${{ env.ARCH }}" | grep -E '^(amd64|arm64)$' || exit 1 # check if the architecture is valid + echo "${NETWORK}" | grep -E '^(mainnet|testnet|stagenet)$' || exit 1 # check if the network is valid + echo "${ARCH}" | grep -E '^(amd64|arm64)$' || exit 1 # check if the architecture is valid + env: + NETWORK: ${{ env.NETWORK }} + ARCH: ${{ env.ARCH }} deploy: name: deploy @@ -70,6 +75,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: Set up Go 1.24 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -83,9 +89,11 @@ jobs: - name: Build ${{ inputs.network }}-${{ inputs.arch }} deb package run: | - make ${{ env.MAKEFILE_TARGET }} # build the deb package + make ${MAKEFILE_TARGET} # build the deb package mv build/dist/*.deb ./ # move the deb package to the root directory echo "PACKAGE_NAME=$(ls ./*.deb | xargs -n 1 basename)" >> $GITHUB_ENV # set the package name for the next steps + env: + MAKEFILE_TARGET: ${{ env.MAKEFILE_TARGET }} - name: Copy deb package to the deployment server id: copy-deb diff --git a/.github/workflows/deploy_nodes.yml b/.github/workflows/deploy_nodes.yml index 40d7cfbd4c..26b29c5474 100644 --- a/.github/workflows/deploy_nodes.yml +++ b/.github/workflows/deploy_nodes.yml @@ -1,4 +1,7 @@ name: "Deploy nodes" + +permissions: { } + on: workflow_dispatch: inputs: @@ -16,7 +19,6 @@ jobs: network: [ stagenet, testnet, mainnet ] arch: [ "${{ inputs.arch }}" ] uses: "./.github/workflows/deploy_node.yml" - secrets: inherit with: network: ${{ matrix.network }} arch: ${{ matrix.arch }} diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index c29f91d8c0..631410a407 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -14,6 +14,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }} +permissions: {} + jobs: golangci: name: lint @@ -28,6 +30,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go 1.23 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -57,6 +60,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go 1.23 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -87,7 +91,6 @@ jobs: name: smoke_tests if: ${{ (github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' && github.event.inputs.smoke_tests) && github.repository == 'wavesplatform/gowaves'}} - secrets: inherit uses: "./.github/workflows/run_itests.yml" with: itest-type: 'smoke' diff --git a/.github/workflows/itests.yml b/.github/workflows/itests.yml index 7c9416eb91..439888c42b 100644 --- a/.github/workflows/itests.yml +++ b/.github/workflows/itests.yml @@ -11,6 +11,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }} +permissions: { } + jobs: itest-check: name: integration_tests_run_check @@ -23,12 +25,12 @@ jobs: id: set-output run: | # Check if the workflow was triggered by a PR review, manually or by a PR - if [ "${{ github.event_name }}" == 'workflow_dispatch' ]; then + if [ "${GITHUB_EVENT_NAME}" == 'workflow_dispatch' ]; then echo "--> Running integration tests because the workflow was triggered manually" CAN_RUN_ITEST=true # if the workflow is triggered manually, we can run itests - elif [ "${{ github.event_name }}" == 'pull_request_review' ]; then + elif [ "${GITHUB_EVENT_NAME}" == 'pull_request_review' ]; then echo "--> Checking whether the PR review is approved" - if [ "${{ github.event.review.state }}" == 'approved' ]; then + if [ "${GITHUB_EVENT_REVIEW_STATE}" == 'approved' ]; then CAN_RUN_ITEST=true # if the PR review is approved, we can run itests else CAN_RUN_ITEST=false # if the PR review is not approved, we cannot run itests @@ -38,10 +40,10 @@ jobs: # for 'pull_request' event we need to check if the last review is approved echo "--> Checking whether the last PR review is approved" LAST_REVIEW_STATE=$(curl -sSL \ - -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + -H "Authorization: Bearer ${SECRETS.GITHUB_TOKEN}" \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews" | \ + "https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${GITHUB_PULL_REQUEST_NUMBER}/reviews" | \ jq -r '.[-1].state') echo "--> LAST_REVIEW_STATE=$LAST_REVIEW_STATE" # for debugging if [ "$LAST_REVIEW_STATE" == 'APPROVED' ]; then @@ -52,12 +54,16 @@ jobs: fi echo "--> CAN_RUN_ITEST=$CAN_RUN_ITEST" # for debugging echo "CAN_RUN_ITEST=$CAN_RUN_ITEST" >> "$GITHUB_OUTPUT" - + env: + GITHUB_EVENT_NAME: ${{ github.event_name }} + GITHUB_EVENT_REVIEW_STATE: ${{ github.event.review.state }} + SECRETS.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_REPOSITORY: ${{ github.repository }} + GITHUB_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} itest: name: integration_tests needs: [ itest-check ] if: (needs.itest-check.outputs.can-run-itest == 'true' && github.repository == 'wavesplatform/gowaves') - secrets: inherit uses: "./.github/workflows/run_itests.yml" with: itest-type: 'itest' # run full set of integration tests diff --git a/.github/workflows/itests_race.yml b/.github/workflows/itests_race.yml index 860996675c..bfe44f9c8d 100644 --- a/.github/workflows/itests_race.yml +++ b/.github/workflows/itests_race.yml @@ -4,11 +4,12 @@ on: schedule: - cron: '21 22,23,00,01,02,03 * * *' # UTC time +permissions: { } + jobs: itest-race: name: integration_tests_with_race_detector if: (github.repository == 'wavesplatform/gowaves') - secrets: inherit uses: "./.github/workflows/run_itests.yml" with: itest-type: 'itest-race' diff --git a/.github/workflows/publish-to-ghcr.yml b/.github/workflows/publish-to-ghcr.yml index 19a7977551..84d64cac3e 100644 --- a/.github/workflows/publish-to-ghcr.yml +++ b/.github/workflows/publish-to-ghcr.yml @@ -14,8 +14,11 @@ env: IMAGE_NAME: ghcr.io/${{ github.repository }} IMAGE_TAG: ${{ inputs.dockerTag }} +permissions: { } + jobs: build: + name: Build and Push Docker Image to GitHub Container Registry runs-on: ubuntu-latest permissions: contents: read @@ -27,13 +30,14 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go 1.23 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version: 1.23.x check-latest: true - cache: true + cache: false - name: Get dependencies run: go mod vendor diff --git a/.github/workflows/run_itests.yml b/.github/workflows/run_itests.yml index 9d9a262dd4..d07d058fb8 100644 --- a/.github/workflows/run_itests.yml +++ b/.github/workflows/run_itests.yml @@ -11,6 +11,8 @@ on: type: string description: "Environment name for the job ('ITests' for manual approval or '' for no environment)" +permissions: { } + jobs: check-inputs: name: check-inputs @@ -21,8 +23,11 @@ jobs: steps: - name: Check inputs run: | - echo "${{ env.ITEST_TYPE }}" | grep -E '^(itest|itest-race|smoke)$' || exit 1 # check if the itest type is valid - echo "${{ env.ENVIRONMENT }}" | grep -E '^(^$|ITests)$' || exit 1 # check if the environment is valid + echo "${ITEST_TYPE}" | grep -E '^(itest|itest-race|smoke)$' || exit 1 # check if the itest type is valid + echo "${ENVIRONMENT}" | grep -E '^(^$|ITests)$' || exit 1 # check if the environment is valid + env: + ITEST_TYPE: ${{ env.ITEST_TYPE }} + ENVIRONMENT: ${{ env.ENVIRONMENT }} run-itest: name: run_integration_tests @@ -37,6 +42,8 @@ jobs: steps: - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Set up Go 1.23 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -50,7 +57,9 @@ jobs: run: go mod vendor - name: Tests - run: make ${{ env.MAKEFILE_TARGET }} # run the integration tests + run: make ${MAKEFILE_TARGET} # run the integration tests + env: + MAKEFILE_TARGET: ${{ env.MAKEFILE_TARGET }} - name: Upload itest logs and configs uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 31cbe878ab..f041cc7e89 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -12,17 +12,21 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }} +permissions: { } + jobs: gosec: name: gosec check runs-on: ubuntu-latest # Skip any created PR or push by dependabot to avoid permission issues - if: github.actor != 'dependabot[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name env: GO111MODULE: on steps: - name: Checkout Source uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Run gosec security scanner uses: securego/gosec@d2d3ae66bd8d340b78b5142b6fe610691783c2fe # v2.22.5 with: @@ -37,12 +41,14 @@ jobs: name: semgrep scan runs-on: ubuntu-latest # Skip any created PR or push by dependabot to avoid permission issues and skip this check for PRs from forks - if: github.actor != 'dependabot[bot]' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'wavesplatform/gowaves') + if: github.event.pull_request.user.login != 'dependabot[bot]' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'wavesplatform/gowaves') container: - image: returntocorp/semgrep:latest + image: docker://semgrep/semgrep@sha256:ab68a1c0fe35f41be66e2392903aeea64b6228c16456c8c7058275bbab4c297d steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false # we let the report trigger content trigger a failure using the GitHub Security features. # see https://semgrep.dev/docs/cli-usage/#exit-codes for more details. - name: Run semgrep security scanner @@ -71,6 +77,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Set up Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: