From cf40ea29e11d32013ea6919590bb06c290ec8050 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Sat, 28 Jun 2025 22:08:16 +0400 Subject: [PATCH 01/17] Auto fixes from zizmor applied. --- .github/workflows/codeql-analysis.yml | 2 ++ .github/workflows/deploy_node.yml | 12 +++++++++--- .github/workflows/go.yml | 2 ++ .github/workflows/itests.yml | 4 +++- .github/workflows/publish-to-ghcr.yml | 1 + .github/workflows/run_itests.yml | 13 ++++++++++--- .github/workflows/security.yml | 6 ++++++ 7 files changed, 33 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3a553c0e4a..0fb6dbb45b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -44,6 +44,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Set up Go 1.23 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 diff --git a/.github/workflows/deploy_node.yml b/.github/workflows/deploy_node.yml index 52d3ac1de3..95817a7b7e 100644 --- a/.github/workflows/deploy_node.yml +++ b/.github/workflows/deploy_node.yml @@ -49,8 +49,11 @@ jobs: steps: - name: Check inputs run: | - echo "${{ env.NETWORK }}" | grep -E '^(mainnet|testnet|stagenet)$' || exit 1 # check if the network is valid - echo "${{ env.ARCH }}" | grep -E '^(amd64|arm64)$' || exit 1 # check if the architecture is valid + echo "${NETWORK}" | grep -E '^(mainnet|testnet|stagenet)$' || exit 1 # check if the network is valid + echo "${ARCH}" | grep -E '^(amd64|arm64)$' || exit 1 # check if the architecture is valid + env: + NETWORK: ${{ env.NETWORK }} + ARCH: ${{ env.ARCH }} deploy: name: deploy @@ -70,6 +73,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + persist-credentials: false - name: Set up Go 1.24 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -83,9 +87,11 @@ jobs: - name: Build ${{ inputs.network }}-${{ inputs.arch }} deb package run: | - make ${{ env.MAKEFILE_TARGET }} # build the deb package + make ${MAKEFILE_TARGET} # build the deb package mv build/dist/*.deb ./ # move the deb package to the root directory echo "PACKAGE_NAME=$(ls ./*.deb | xargs -n 1 basename)" >> $GITHUB_ENV # set the package name for the next steps + env: + MAKEFILE_TARGET: ${{ env.MAKEFILE_TARGET }} - name: Copy deb package to the deployment server id: copy-deb diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index c29f91d8c0..bcc283ca55 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -28,6 +28,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go 1.23 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -57,6 +58,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go 1.23 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 diff --git a/.github/workflows/itests.yml b/.github/workflows/itests.yml index 7c9416eb91..a72b5d0f6e 100644 --- a/.github/workflows/itests.yml +++ b/.github/workflows/itests.yml @@ -28,7 +28,7 @@ jobs: CAN_RUN_ITEST=true # if the workflow is triggered manually, we can run itests elif [ "${{ github.event_name }}" == 'pull_request_review' ]; then echo "--> Checking whether the PR review is approved" - if [ "${{ github.event.review.state }}" == 'approved' ]; then + if [ "${GITHUB_EVENT_REVIEW_STATE}" == 'approved' ]; then CAN_RUN_ITEST=true # if the PR review is approved, we can run itests else CAN_RUN_ITEST=false # if the PR review is not approved, we cannot run itests @@ -52,6 +52,8 @@ jobs: fi echo "--> CAN_RUN_ITEST=$CAN_RUN_ITEST" # for debugging echo "CAN_RUN_ITEST=$CAN_RUN_ITEST" >> "$GITHUB_OUTPUT" + env: + GITHUB_EVENT_REVIEW_STATE: ${{ github.event.review.state }} itest: name: integration_tests diff --git a/.github/workflows/publish-to-ghcr.yml b/.github/workflows/publish-to-ghcr.yml index 19a7977551..0f0a76e1b0 100644 --- a/.github/workflows/publish-to-ghcr.yml +++ b/.github/workflows/publish-to-ghcr.yml @@ -27,6 +27,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 + persist-credentials: false - name: Set up Go 1.23 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 diff --git a/.github/workflows/run_itests.yml b/.github/workflows/run_itests.yml index 9d9a262dd4..ec74c41b6e 100644 --- a/.github/workflows/run_itests.yml +++ b/.github/workflows/run_itests.yml @@ -21,8 +21,11 @@ jobs: steps: - name: Check inputs run: | - echo "${{ env.ITEST_TYPE }}" | grep -E '^(itest|itest-race|smoke)$' || exit 1 # check if the itest type is valid - echo "${{ env.ENVIRONMENT }}" | grep -E '^(^$|ITests)$' || exit 1 # check if the environment is valid + echo "${ITEST_TYPE}" | grep -E '^(itest|itest-race|smoke)$' || exit 1 # check if the itest type is valid + echo "${ENVIRONMENT}" | grep -E '^(^$|ITests)$' || exit 1 # check if the environment is valid + env: + ITEST_TYPE: ${{ env.ITEST_TYPE }} + ENVIRONMENT: ${{ env.ENVIRONMENT }} run-itest: name: run_integration_tests @@ -37,6 +40,8 @@ jobs: steps: - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Set up Go 1.23 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 @@ -50,7 +55,9 @@ jobs: run: go mod vendor - name: Tests - run: make ${{ env.MAKEFILE_TARGET }} # run the integration tests + run: make ${MAKEFILE_TARGET} # run the integration tests + env: + MAKEFILE_TARGET: ${{ env.MAKEFILE_TARGET }} - name: Upload itest logs and configs uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index f511210d8d..1ad19a749f 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -23,6 +23,8 @@ jobs: steps: - name: Checkout Source uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Run gosec security scanner uses: securego/gosec@d2d3ae66bd8d340b78b5142b6fe610691783c2fe # v2.22.5 with: @@ -43,6 +45,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false # we let the report trigger content trigger a failure using the GitHub Security features. # see https://semgrep.dev/docs/cli-usage/#exit-codes for more details. - name: Run semgrep security scanner @@ -71,6 +75,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - name: Set up Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: From 3ecede49852cbaadc21985c24e06479c58f70c0a Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 13:39:54 +0400 Subject: [PATCH 02/17] Replaced returntocorp/semgrep:latest with pinned semgrep/semgrep repo. Temporary added permission monitor to codeql-analysis.yml. --- .github/workflows/codeql-analysis.yml | 4 ++++ .github/workflows/security.yml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 5341e42005..a21d8fd005 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -80,5 +80,9 @@ jobs: # make bootstrap # make release + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + config: ${{ vars.PERMISSIONS_CONFIG }} + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@39edc492dbe16b1465b0cafca41432d857bdb31a # v3 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 3c7239ee75..2cb5bd5184 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -41,7 +41,7 @@ jobs: # Skip any created PR or push by dependabot to avoid permission issues and skip this check for PRs from forks if: github.actor != 'dependabot[bot]' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'wavesplatform/gowaves') container: - image: returntocorp/semgrep:latest + image: docker://semgrep/semgrep@sha256:ab68a1c0fe35f41be66e2392903aeea64b6228c16456c8c7058275bbab4c297d steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 From de6725b1bd30cf32b17c79209b8efe446b703032 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 13:57:15 +0400 Subject: [PATCH 03/17] Adjust permissions for codeql-analysis.yml. Permissions monitor removed. --- .github/workflows/codeql-analysis.yml | 75 +++++++++++++-------------- 1 file changed, 35 insertions(+), 40 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a21d8fd005..cd4143dc7c 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -25,13 +25,13 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }} +permissions: { } + jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: - actions: read - contents: read security-events: write strategy: @@ -42,47 +42,42 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - with: - persist-credentials: false - - - name: Set up Go 1.23 - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version: 1.23.x - check-latest: true - cache: true - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@39edc492dbe16b1465b0cafca41432d857bdb31a # v3 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + with: + persist-credentials: false - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@39edc492dbe16b1465b0cafca41432d857bdb31a # v3 + - name: Set up Go 1.23 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + with: + go-version: 1.23.x + check-latest: true + cache: true - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@39edc492dbe16b1465b0cafca41432d857bdb31a # v3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main - # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@39edc492dbe16b1465b0cafca41432d857bdb31a # v3 - #- run: | - # make bootstrap - # make release + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - config: ${{ vars.PERMISSIONS_CONFIG }} + # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@39edc492dbe16b1465b0cafca41432d857bdb31a # v3 + #- run: | + # make bootstrap + # make release + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@39edc492dbe16b1465b0cafca41432d857bdb31a # v3 From 4aa314d80404b055abd7548a916763aff01e6de9 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 14:10:48 +0400 Subject: [PATCH 04/17] Permissions monitor temporary added to deploy_node.yml. --- .github/workflows/deploy_node.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/deploy_node.yml b/.github/workflows/deploy_node.yml index 95817a7b7e..53d540bb12 100644 --- a/.github/workflows/deploy_node.yml +++ b/.github/workflows/deploy_node.yml @@ -47,6 +47,9 @@ jobs: NETWORK: "${{ inputs.network }}" ARCH: "${{ inputs.arch }}" steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + config: ${{ vars.PERMISSIONS_CONFIG }} - name: Check inputs run: | echo "${NETWORK}" | grep -E '^(mainnet|testnet|stagenet)$' || exit 1 # check if the network is valid @@ -68,6 +71,9 @@ jobs: PACKAGE_NAME: "" # will be set by the step that builds the deb package steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + config: ${{ vars.PERMISSIONS_CONFIG }} - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: From 98d174bade6cfbae0ca5d13c1ab5da0251756581 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 16:50:46 +0400 Subject: [PATCH 05/17] Temporary add permissions monitor to go.yml. --- .github/workflows/go.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index bcc283ca55..2b27f8d733 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -24,6 +24,9 @@ jobs: os: [ macos-latest, windows-latest, ubuntu-latest ] steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + config: ${{ vars.PERMISSIONS_CONFIG }} - name: Check out code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: @@ -54,6 +57,9 @@ jobs: if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != 'wavesplatform/gowaves' steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + config: ${{ vars.PERMISSIONS_CONFIG }} - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: From bce7de979a05f3cfa8a08850d94babadbc231428 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 17:32:10 +0400 Subject: [PATCH 06/17] Temporary exclude Windows for lint task. --- .github/workflows/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 2b27f8d733..2024559448 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -21,7 +21,7 @@ jobs: if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != 'wavesplatform/gowaves' strategy: matrix: - os: [ macos-latest, windows-latest, ubuntu-latest ] + os: [ macos-latest, ubuntu-latest ] steps: - uses: GitHubSecurityLab/actions-permissions/monitor@v1 From b895b8a1fe041c2319dd0bf1dc80662cfde8f9cd Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 17:54:29 +0400 Subject: [PATCH 07/17] Get back Windows and remove permissions monitor. --- .github/workflows/go.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 2024559448..05422991fd 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -14,6 +14,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }} +permissions: {} + jobs: golangci: name: lint @@ -21,12 +23,9 @@ jobs: if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != 'wavesplatform/gowaves' strategy: matrix: - os: [ macos-latest, ubuntu-latest ] + os: [ macos-latest, windows-latest, ubuntu-latest ] steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - config: ${{ vars.PERMISSIONS_CONFIG }} - name: Check out code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: @@ -57,9 +56,6 @@ jobs: if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != 'wavesplatform/gowaves' steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - config: ${{ vars.PERMISSIONS_CONFIG }} - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: From 6940572d97cc372be6b056a7250de3da146e1a08 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 18:59:38 +0400 Subject: [PATCH 08/17] Comment out secrets inheritance. --- .github/workflows/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 05422991fd..2b4b68b0e7 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -91,7 +91,7 @@ jobs: name: smoke_tests if: ${{ (github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' && github.event.inputs.smoke_tests) && github.repository == 'wavesplatform/gowaves'}} - secrets: inherit +# secrets: inherit uses: "./.github/workflows/run_itests.yml" with: itest-type: 'smoke' From d58b0595f142e8ae83dfcb38717c537ce6b35358 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 19:13:24 +0400 Subject: [PATCH 09/17] Secrets inheritance removed as unnecessary. --- .github/workflows/go.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 2b4b68b0e7..631410a407 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -91,7 +91,6 @@ jobs: name: smoke_tests if: ${{ (github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' && github.event.inputs.smoke_tests) && github.repository == 'wavesplatform/gowaves'}} -# secrets: inherit uses: "./.github/workflows/run_itests.yml" with: itest-type: 'smoke' From d8025fd37ef3668035a3d0382ba42671350e0a7a Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 19:16:37 +0400 Subject: [PATCH 10/17] Permissions monitor temporary added to itests.yml. --- .github/workflows/itests.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/itests.yml b/.github/workflows/itests.yml index a72b5d0f6e..f7f47a17c4 100644 --- a/.github/workflows/itests.yml +++ b/.github/workflows/itests.yml @@ -19,6 +19,9 @@ jobs: outputs: can-run-itest: ${{ steps.set-output.outputs.CAN_RUN_ITEST }} steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + config: ${{ vars.PERMISSIONS_CONFIG }} - name: Check permissions to run integration tests id: set-output run: | From cef5c5d7ce0575776a6b65d159010239f65a28e7 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 19:33:33 +0400 Subject: [PATCH 11/17] Permissions monitor removed from itests.yml. Fixed secrets inheritance in itests.yml. Fixed template injections in itests.yml. --- .github/workflows/itests.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/itests.yml b/.github/workflows/itests.yml index f7f47a17c4..9ea4d8e1cb 100644 --- a/.github/workflows/itests.yml +++ b/.github/workflows/itests.yml @@ -11,6 +11,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }} +permissions: { } + jobs: itest-check: name: integration_tests_run_check @@ -19,17 +21,14 @@ jobs: outputs: can-run-itest: ${{ steps.set-output.outputs.CAN_RUN_ITEST }} steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - config: ${{ vars.PERMISSIONS_CONFIG }} - name: Check permissions to run integration tests id: set-output run: | # Check if the workflow was triggered by a PR review, manually or by a PR - if [ "${{ github.event_name }}" == 'workflow_dispatch' ]; then + if [ "${GITHUB_EVENT_NAME}" == 'workflow_dispatch' ]; then echo "--> Running integration tests because the workflow was triggered manually" CAN_RUN_ITEST=true # if the workflow is triggered manually, we can run itests - elif [ "${{ github.event_name }}" == 'pull_request_review' ]; then + elif [ "${GITHUB_EVENT_NAME}" == 'pull_request_review' ]; then echo "--> Checking whether the PR review is approved" if [ "${GITHUB_EVENT_REVIEW_STATE}" == 'approved' ]; then CAN_RUN_ITEST=true # if the PR review is approved, we can run itests @@ -41,10 +40,10 @@ jobs: # for 'pull_request' event we need to check if the last review is approved echo "--> Checking whether the last PR review is approved" LAST_REVIEW_STATE=$(curl -sSL \ - -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + -H "Authorization: Bearer ${SECRETS.GITHUB_TOKEN}" \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews" | \ + "https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${GITHUB_PULL_REQUEST_NUMBER}/reviews" | \ jq -r '.[-1].state') echo "--> LAST_REVIEW_STATE=$LAST_REVIEW_STATE" # for debugging if [ "$LAST_REVIEW_STATE" == 'APPROVED' ]; then @@ -56,13 +55,17 @@ jobs: echo "--> CAN_RUN_ITEST=$CAN_RUN_ITEST" # for debugging echo "CAN_RUN_ITEST=$CAN_RUN_ITEST" >> "$GITHUB_OUTPUT" env: + GITHUB_EVENT_NAME: ${{ github.event_name }} GITHUB_EVENT_REVIEW_STATE: ${{ github.event.review.state }} - + SECRETS.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_REPOSITORY: ${{ github.repository }} + GITHUB_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} itest: name: integration_tests needs: [ itest-check ] if: (needs.itest-check.outputs.can-run-itest == 'true' && github.repository == 'wavesplatform/gowaves') - secrets: inherit + secrets: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} uses: "./.github/workflows/run_itests.yml" with: itest-type: 'itest' # run full set of integration tests From ce518dac5b8442e0b1b118bc3c8699afbb5f70e9 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 20:31:54 +0400 Subject: [PATCH 12/17] Reset permissions in itests_race.yml. Remove secrets inheritance form itests_race.yml. --- .github/workflows/itests_race.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/itests_race.yml b/.github/workflows/itests_race.yml index 860996675c..bfe44f9c8d 100644 --- a/.github/workflows/itests_race.yml +++ b/.github/workflows/itests_race.yml @@ -4,11 +4,12 @@ on: schedule: - cron: '21 22,23,00,01,02,03 * * *' # UTC time +permissions: { } + jobs: itest-race: name: integration_tests_with_race_detector if: (github.repository == 'wavesplatform/gowaves') - secrets: inherit uses: "./.github/workflows/run_itests.yml" with: itest-type: 'itest-race' From 2a0d4f2c2452145414e23549ebc445a3f73cd112 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Mon, 30 Jun 2025 21:21:02 +0400 Subject: [PATCH 13/17] Reset permissions in security.yml. --- .github/workflows/security.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 2cb5bd5184..ba4ef02885 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -12,6 +12,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }} +permissions: { } + jobs: gosec: name: gosec check From ff3e9753ec01dde3da3ff1a06187b373e5e0c16c Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Tue, 1 Jul 2025 13:05:08 +0400 Subject: [PATCH 14/17] Reset permissions in run_itests.yml. Removed secret in itests.yml. --- .github/workflows/itests.yml | 2 -- .github/workflows/run_itests.yml | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/itests.yml b/.github/workflows/itests.yml index 9ea4d8e1cb..439888c42b 100644 --- a/.github/workflows/itests.yml +++ b/.github/workflows/itests.yml @@ -64,8 +64,6 @@ jobs: name: integration_tests needs: [ itest-check ] if: (needs.itest-check.outputs.can-run-itest == 'true' && github.repository == 'wavesplatform/gowaves') - secrets: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} uses: "./.github/workflows/run_itests.yml" with: itest-type: 'itest' # run full set of integration tests diff --git a/.github/workflows/run_itests.yml b/.github/workflows/run_itests.yml index ec74c41b6e..d07d058fb8 100644 --- a/.github/workflows/run_itests.yml +++ b/.github/workflows/run_itests.yml @@ -11,6 +11,8 @@ on: type: string description: "Environment name for the job ('ITests' for manual approval or '' for no environment)" +permissions: { } + jobs: check-inputs: name: check-inputs From 1bd4c5af3b87d5333f2c79ec17468d104965e7a2 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Wed, 2 Jul 2025 10:09:54 +0400 Subject: [PATCH 15/17] Reset permissions in deploy workflows. Reset permissions and disabled cache in publish-to-ghcr.yml. --- .github/workflows/deploy_node.yml | 8 ++------ .github/workflows/deploy_nodes.yml | 4 +++- .github/workflows/publish-to-ghcr.yml | 5 ++++- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/deploy_node.yml b/.github/workflows/deploy_node.yml index 53d540bb12..2752d6f723 100644 --- a/.github/workflows/deploy_node.yml +++ b/.github/workflows/deploy_node.yml @@ -39,6 +39,8 @@ concurrency: group: deploy-node-${{ inputs.network }}-${{ inputs.arch }} # run only one deployment at a time for the same network and architecture cancel-in-progress: false # don't cancel the previous deployment if a new one is triggered +permissions: {} + jobs: check-inputs: name: check-inputs @@ -47,9 +49,6 @@ jobs: NETWORK: "${{ inputs.network }}" ARCH: "${{ inputs.arch }}" steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - config: ${{ vars.PERMISSIONS_CONFIG }} - name: Check inputs run: | echo "${NETWORK}" | grep -E '^(mainnet|testnet|stagenet)$' || exit 1 # check if the network is valid @@ -71,9 +70,6 @@ jobs: PACKAGE_NAME: "" # will be set by the step that builds the deb package steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - config: ${{ vars.PERMISSIONS_CONFIG }} - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: diff --git a/.github/workflows/deploy_nodes.yml b/.github/workflows/deploy_nodes.yml index 40d7cfbd4c..26b29c5474 100644 --- a/.github/workflows/deploy_nodes.yml +++ b/.github/workflows/deploy_nodes.yml @@ -1,4 +1,7 @@ name: "Deploy nodes" + +permissions: { } + on: workflow_dispatch: inputs: @@ -16,7 +19,6 @@ jobs: network: [ stagenet, testnet, mainnet ] arch: [ "${{ inputs.arch }}" ] uses: "./.github/workflows/deploy_node.yml" - secrets: inherit with: network: ${{ matrix.network }} arch: ${{ matrix.arch }} diff --git a/.github/workflows/publish-to-ghcr.yml b/.github/workflows/publish-to-ghcr.yml index 0f0a76e1b0..84d64cac3e 100644 --- a/.github/workflows/publish-to-ghcr.yml +++ b/.github/workflows/publish-to-ghcr.yml @@ -14,8 +14,11 @@ env: IMAGE_NAME: ghcr.io/${{ github.repository }} IMAGE_TAG: ${{ inputs.dockerTag }} +permissions: { } + jobs: build: + name: Build and Push Docker Image to GitHub Container Registry runs-on: ubuntu-latest permissions: contents: read @@ -34,7 +37,7 @@ jobs: with: go-version: 1.23.x check-latest: true - cache: true + cache: false - name: Get dependencies run: go mod vendor From 8f1b9ec5d98fa9d5e0164afc9b03a24962c3ee6a Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Wed, 2 Jul 2025 18:38:24 +0400 Subject: [PATCH 16/17] Bot conditions fixed for security.yml. --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 15109e8d4a..3588f659d1 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -19,7 +19,7 @@ jobs: name: gosec check runs-on: ubuntu-latest # Skip any created PR or push by dependabot to avoid permission issues - if: github.actor != 'dependabot[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name env: GO111MODULE: on steps: From 19113957efb509855a81e7326a84b0fea443e921 Mon Sep 17 00:00:00 2001 From: Alexey Kiselev Date: Wed, 2 Jul 2025 21:15:26 +0400 Subject: [PATCH 17/17] Fix other place with dependabot check. --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 3588f659d1..f041cc7e89 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -41,7 +41,7 @@ jobs: name: semgrep scan runs-on: ubuntu-latest # Skip any created PR or push by dependabot to avoid permission issues and skip this check for PRs from forks - if: github.actor != 'dependabot[bot]' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'wavesplatform/gowaves') + if: github.event.pull_request.user.login != 'dependabot[bot]' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'wavesplatform/gowaves') container: image: docker://semgrep/semgrep@sha256:ab68a1c0fe35f41be66e2392903aeea64b6228c16456c8c7058275bbab4c297d steps: