Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
cf40ea2
Auto fixes from zizmor applied.
alexeykiselev Jun 28, 2025
f418cb1
Merge branch 'master' into apply-zizmor-fixes
alexeykiselev Jun 30, 2025
3ecede4
Replaced returntocorp/semgrep:latest with pinned semgrep/semgrep repo.
alexeykiselev Jun 30, 2025
de6725b
Adjust permissions for codeql-analysis.yml. Permissions monitor removed.
alexeykiselev Jun 30, 2025
4aa314d
Permissions monitor temporary added to deploy_node.yml.
alexeykiselev Jun 30, 2025
98d174b
Temporary add permissions monitor to go.yml.
alexeykiselev Jun 30, 2025
bce7de9
Temporary exclude Windows for lint task.
alexeykiselev Jun 30, 2025
b895b8a
Get back Windows and remove permissions monitor.
alexeykiselev Jun 30, 2025
6940572
Comment out secrets inheritance.
alexeykiselev Jun 30, 2025
d58b059
Secrets inheritance removed as unnecessary.
alexeykiselev Jun 30, 2025
d8025fd
Permissions monitor temporary added to itests.yml.
alexeykiselev Jun 30, 2025
cef5c5d
Permissions monitor removed from itests.yml.
alexeykiselev Jun 30, 2025
ce518da
Reset permissions in itests_race.yml.
alexeykiselev Jun 30, 2025
2a0d4f2
Reset permissions in security.yml.
alexeykiselev Jun 30, 2025
ff3e975
Reset permissions in run_itests.yml.
alexeykiselev Jul 1, 2025
c663fa2
Merge branch 'master' into apply-zizmor-fixes
alexeykiselev Jul 1, 2025
1bd4c5a
Reset permissions in deploy workflows.
alexeykiselev Jul 2, 2025
0474435
Merge branch 'master' into apply-zizmor-fixes
alexeykiselev Jul 2, 2025
8f1b9ec
Bot conditions fixed for security.yml.
alexeykiselev Jul 2, 2025
1911395
Fix other place with dependabot check.
alexeykiselev Jul 2, 2025
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 35 additions & 33 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,13 +25,13 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }}

permissions: { }

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
Expand All @@ -42,41 +42,43 @@ jobs:
# Learn more about CodeQL language support at https://git.io/codeql-language-support

steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false

- name: Set up Go 1.23
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: 1.23.x
check-latest: true
cache: true
- name: Set up Go 1.23
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: 1.23.x
check-latest: true
cache: true

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main

# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # v3
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b # v3

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl

# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language

#- run: |
# make bootstrap
# make release
#- run: |
# make bootstrap
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3
14 changes: 11 additions & 3 deletions .github/workflows/deploy_node.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@ concurrency:
group: deploy-node-${{ inputs.network }}-${{ inputs.arch }} # run only one deployment at a time for the same network and architecture
cancel-in-progress: false # don't cancel the previous deployment if a new one is triggered

permissions: {}

jobs:
check-inputs:
name: check-inputs
Expand All @@ -49,8 +51,11 @@ jobs:
steps:
- name: Check inputs
run: |
echo "${{ env.NETWORK }}" | grep -E '^(mainnet|testnet|stagenet)$' || exit 1 # check if the network is valid
echo "${{ env.ARCH }}" | grep -E '^(amd64|arm64)$' || exit 1 # check if the architecture is valid
echo "${NETWORK}" | grep -E '^(mainnet|testnet|stagenet)$' || exit 1 # check if the network is valid
echo "${ARCH}" | grep -E '^(amd64|arm64)$' || exit 1 # check if the architecture is valid
env:
NETWORK: ${{ env.NETWORK }}
ARCH: ${{ env.ARCH }}

deploy:
name: deploy
Expand All @@ -70,6 +75,7 @@ jobs:
with:
fetch-depth: 0
fetch-tags: true
persist-credentials: false

- name: Set up Go 1.24
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
Expand All @@ -83,9 +89,11 @@ jobs:

- name: Build ${{ inputs.network }}-${{ inputs.arch }} deb package
run: |
make ${{ env.MAKEFILE_TARGET }} # build the deb package
make ${MAKEFILE_TARGET} # build the deb package
mv build/dist/*.deb ./ # move the deb package to the root directory
echo "PACKAGE_NAME=$(ls ./*.deb | xargs -n 1 basename)" >> $GITHUB_ENV # set the package name for the next steps
env:
MAKEFILE_TARGET: ${{ env.MAKEFILE_TARGET }}

- name: Copy deb package to the deployment server
id: copy-deb
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/deploy_nodes.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,7 @@
name: "Deploy nodes"

permissions: { }

on:
workflow_dispatch:
inputs:
Expand All @@ -16,7 +19,6 @@ jobs:
network: [ stagenet, testnet, mainnet ]
arch: [ "${{ inputs.arch }}" ]
uses: "./.github/workflows/deploy_node.yml"
secrets: inherit
with:
network: ${{ matrix.network }}
arch: ${{ matrix.arch }}
5 changes: 4 additions & 1 deletion .github/workflows/go.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }}

permissions: {}

jobs:
golangci:
name: lint
Expand All @@ -28,6 +30,7 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
persist-credentials: false

- name: Set up Go 1.23
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
Expand Down Expand Up @@ -57,6 +60,7 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
persist-credentials: false

- name: Set up Go 1.23
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
Expand Down Expand Up @@ -87,7 +91,6 @@ jobs:
name: smoke_tests
if: ${{ (github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' && github.event.inputs.smoke_tests) &&
github.repository == 'wavesplatform/gowaves'}}
secrets: inherit
uses: "./.github/workflows/run_itests.yml"
with:
itest-type: 'smoke'
20 changes: 13 additions & 7 deletions .github/workflows/itests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }}

permissions: { }

jobs:
itest-check:
name: integration_tests_run_check
Expand All @@ -23,12 +25,12 @@ jobs:
id: set-output
run: |
# Check if the workflow was triggered by a PR review, manually or by a PR
if [ "${{ github.event_name }}" == 'workflow_dispatch' ]; then
if [ "${GITHUB_EVENT_NAME}" == 'workflow_dispatch' ]; then
echo "--> Running integration tests because the workflow was triggered manually"
CAN_RUN_ITEST=true # if the workflow is triggered manually, we can run itests
elif [ "${{ github.event_name }}" == 'pull_request_review' ]; then
elif [ "${GITHUB_EVENT_NAME}" == 'pull_request_review' ]; then
echo "--> Checking whether the PR review is approved"
if [ "${{ github.event.review.state }}" == 'approved' ]; then
if [ "${GITHUB_EVENT_REVIEW_STATE}" == 'approved' ]; then
CAN_RUN_ITEST=true # if the PR review is approved, we can run itests
else
CAN_RUN_ITEST=false # if the PR review is not approved, we cannot run itests
Expand All @@ -38,10 +40,10 @@ jobs:
# for 'pull_request' event we need to check if the last review is approved
echo "--> Checking whether the last PR review is approved"
LAST_REVIEW_STATE=$(curl -sSL \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "Authorization: Bearer ${SECRETS.GITHUB_TOKEN}" \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews" | \
"https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${GITHUB_PULL_REQUEST_NUMBER}/reviews" | \
jq -r '.[-1].state')
echo "--> LAST_REVIEW_STATE=$LAST_REVIEW_STATE" # for debugging
if [ "$LAST_REVIEW_STATE" == 'APPROVED' ]; then
Expand All @@ -52,12 +54,16 @@ jobs:
fi
echo "--> CAN_RUN_ITEST=$CAN_RUN_ITEST" # for debugging
echo "CAN_RUN_ITEST=$CAN_RUN_ITEST" >> "$GITHUB_OUTPUT"

env:
Comment thread
nickeskov marked this conversation as resolved.
GITHUB_EVENT_NAME: ${{ github.event_name }}
GITHUB_EVENT_REVIEW_STATE: ${{ github.event.review.state }}
SECRETS.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
GITHUB_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
itest:
name: integration_tests
needs: [ itest-check ]
if: (needs.itest-check.outputs.can-run-itest == 'true' && github.repository == 'wavesplatform/gowaves')
secrets: inherit
uses: "./.github/workflows/run_itests.yml"
with:
itest-type: 'itest' # run full set of integration tests
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/itests_race.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,12 @@ on:
schedule:
- cron: '21 22,23,00,01,02,03 * * *' # UTC time

permissions: { }

jobs:
itest-race:
name: integration_tests_with_race_detector
if: (github.repository == 'wavesplatform/gowaves')
secrets: inherit
uses: "./.github/workflows/run_itests.yml"
with:
itest-type: 'itest-race'
6 changes: 5 additions & 1 deletion .github/workflows/publish-to-ghcr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,11 @@ env:
IMAGE_NAME: ghcr.io/${{ github.repository }}
IMAGE_TAG: ${{ inputs.dockerTag }}

permissions: { }

jobs:
build:
name: Build and Push Docker Image to GitHub Container Registry
runs-on: ubuntu-latest
permissions:
contents: read
Expand All @@ -27,13 +30,14 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
fetch-depth: 0
persist-credentials: false

- name: Set up Go 1.23
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: 1.23.x
check-latest: true
cache: true
cache: false

- name: Get dependencies
run: go mod vendor
Expand Down
15 changes: 12 additions & 3 deletions .github/workflows/run_itests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ on:
type: string
description: "Environment name for the job ('ITests' for manual approval or '' for no environment)"

permissions: { }

jobs:
check-inputs:
name: check-inputs
Expand All @@ -21,8 +23,11 @@ jobs:
steps:
- name: Check inputs
run: |
echo "${{ env.ITEST_TYPE }}" | grep -E '^(itest|itest-race|smoke)$' || exit 1 # check if the itest type is valid
echo "${{ env.ENVIRONMENT }}" | grep -E '^(^$|ITests)$' || exit 1 # check if the environment is valid
echo "${ITEST_TYPE}" | grep -E '^(itest|itest-race|smoke)$' || exit 1 # check if the itest type is valid
echo "${ENVIRONMENT}" | grep -E '^(^$|ITests)$' || exit 1 # check if the environment is valid
env:
ITEST_TYPE: ${{ env.ITEST_TYPE }}
ENVIRONMENT: ${{ env.ENVIRONMENT }}
Comment thread
nickeskov marked this conversation as resolved.

run-itest:
name: run_integration_tests
Expand All @@ -37,6 +42,8 @@ jobs:
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false

- name: Set up Go 1.23
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
Expand All @@ -50,7 +57,9 @@ jobs:
run: go mod vendor

- name: Tests
run: make ${{ env.MAKEFILE_TARGET }} # run the integration tests
run: make ${MAKEFILE_TARGET} # run the integration tests
env:
MAKEFILE_TARGET: ${{ env.MAKEFILE_TARGET }}
Comment thread
nickeskov marked this conversation as resolved.

- name: Upload itest logs and configs
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
Expand Down
14 changes: 11 additions & 3 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,17 +12,21 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.event_name != 'workflow_dispatch' }}

permissions: { }

jobs:
gosec:
name: gosec check
runs-on: ubuntu-latest
# Skip any created PR or push by dependabot to avoid permission issues
if: github.actor != 'dependabot[bot]'
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
env:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: Run gosec security scanner
uses: securego/gosec@d2d3ae66bd8d340b78b5142b6fe610691783c2fe # v2.22.5
with:
Expand All @@ -37,12 +41,14 @@ jobs:
name: semgrep scan
runs-on: ubuntu-latest
# Skip any created PR or push by dependabot to avoid permission issues and skip this check for PRs from forks
if: github.actor != 'dependabot[bot]' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'wavesplatform/gowaves')
if: github.event.pull_request.user.login != 'dependabot[bot]' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == 'wavesplatform/gowaves')
container:
image: returntocorp/semgrep:latest
image: docker://semgrep/semgrep@sha256:ab68a1c0fe35f41be66e2392903aeea64b6228c16456c8c7058275bbab4c297d
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
# we let the report trigger content trigger a failure using the GitHub Security features.
# see https://semgrep.dev/docs/cli-usage/#exit-codes for more details.
- name: Run semgrep security scanner
Expand Down Expand Up @@ -71,6 +77,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
Expand Down
Loading