datahaven

Elgato_dark/datahaven

Fork 0

mirror of https://github.com/datahaven-xyz/datahaven synced 2026-05-24 09:50:01 +00:00

Commit graph

Author	SHA1	Message	Date
Steve Degosserie	746fce9328	security: 🛡️ Harden GitHub Actions workflows (#349 ) ## Summary This PR addresses several security vulnerabilities and applies hardening measures to the GitHub Actions workflows: - Replace `secrets: inherit` with explicit secret passing - Prevents unnecessary exposure of all repository secrets to called workflows - Add SHA256 checksum verification for downloaded binaries - Protects against supply chain attacks via compromised upstream releases - Add GitHub Environment protections for release workflows - Requires approval before publishing to Docker Hub or creating releases - Add explicit minimal permissions to all workflows - Follows principle of least privilege, removes unnecessary `packages: write` from CI.yml ## Changes by Category ### 1. Explicit Secret Passing \| Workflow \| Before \| After \| \|----------\|--------\|-------\| \| CI.yml → docker-build-ci \| `secrets: inherit` \| No secrets (GITHUB_TOKEN is automatic) \| \| CI.yml → docker-build-release \| `secrets: inherit` \| Explicit `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` \| \| CI.yml → e2e-tests \| `secrets: inherit` \| No secrets (GITHUB_TOKEN is automatic) \| ### 2. Binary Checksum Verification \| Workflow \| Binary \| SHA256 \| \|----------\|--------\|--------\| \| task-rust-lint.yml \| taplo 0.8.1 \| `c62baa73c9d7c1572...` \| \| task-e2e.yml \| kurtosis 1.11.99 \| `5e88e98c1b255362...` \| ### 3. Environment Protections \| Workflow \| Job \| Environment \| \|----------\|-----\|-------------\| \| task-docker-release.yml \| build-test-push \| `production` \| \| task-publish-binary.yml \| publish-draft-release \| `releases` \| \| task-publish-binary.yml \| docker-release-candidate \| `production` \| \| task-publish-runtime.yml \| publish-draft-release \| `releases` \| ### 4. Explicit Permissions All 14 workflow files now have explicit `permissions:` blocks with minimal required access. Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Ahmad Kaouk <56095276+ahmadkaouk@users.noreply.github.com>	2025-12-12 09:52:50 +00:00
Ahmad Kaouk	dd7b72ca29	chore: pin Bun version and migrate to bun.lock (#290 ) ## Summary Pins Bun version to 1.3.2 and migrates workflows to use text-based `bun.lock` instead of binary `bun.lockb`. This fixes CI failures caused by Bun version mismatches between local development and GitHub Actions. ## Changes - Created `test/.bun-version` to pin Bun to v1.3.2 - Updated all workflows to use `bun-version-file: test/.bun-version` - Migrated workflow cache keys from `bun.lockb` to `bun.lock` - Removed deprecated `test/bun.lockb` binary lockfile ## Why? Version Consistency: - Local environments and CI were using different Bun versions - Different versions generate different lockfile formats → CI failures Lockfile Migration: - Bun v1.2+ uses text-based `bun.lock` as default - Binary `bun.lockb` is still supported but deprioritized - Text format provides better git diffs and merge conflict resolution ## Affected Workflows - `.github/workflows/task-check-metadata.yml` - `.github/workflows/task-e2e.yml` - `.github/workflows/task-moonwall-tests.yml` - `.github/workflows/task-ts-build.yml` - `.github/workflows/task-ts-lint.yml` ## After Merge Developers should upgrade their local Bun: ```bash bun upgrade --stable # Should install v1.3.2 bun --version # Verify version bun install # Regenerate lockfile if needed ``` --------- Co-authored-by: Steve Degosserie <723552+stiiifff@users.noreply.github.com>	2025-11-10 22:37:39 +01:00
Facundo Farall	935babe36a	ci: 👷 Add CI to check PAPI metadata (#107 ) Add CI check for Polkadot-API metadata freshness This PR adds a new CI workflow that ensures the Polkadot-API metadata file (`test/.papi/metadata/datahaven.scale`) is kept up-to-date when runtime changes are made. Changes: - Added task-check-metadata.yml workflow that: - Reuses the WASM artifact from the build-operator job (no duplicate compilation) - Runs `bun x papi add` to regenerate metadata - Fails if the metadata file has uncommitted changes - Integrated the check into `CI.yml` as a second-tier job alongside `docker-build` Why: - Prevents TypeScript type definitions from becoming out of sync with the runtime - Reminds developers to run `bun generate:types:fast` when making runtime changes - Ensures consistent type safety across the codebase The check provides clear error messages with instructions when metadata is outdated.	2025-06-19 19:12:04 -03:00

Author

SHA1

Message

Date

Steve Degosserie

746fce9328

security: 🛡️ Harden GitHub Actions workflows (#349 )

## Summary

This PR addresses several security vulnerabilities and applies hardening
measures to the GitHub Actions workflows:

- **Replace `secrets: inherit` with explicit secret passing** - Prevents
unnecessary exposure of all repository secrets to called workflows
- **Add SHA256 checksum verification for downloaded binaries** -
Protects against supply chain attacks via compromised upstream releases
- **Add GitHub Environment protections for release workflows** -
Requires approval before publishing to Docker Hub or creating releases
- **Add explicit minimal permissions to all workflows** - Follows
principle of least privilege, removes unnecessary `packages: write` from
CI.yml

## Changes by Category

### 1. Explicit Secret Passing
| Workflow | Before | After |
|----------|--------|-------|
| CI.yml → docker-build-ci | `secrets: inherit` | No secrets
(GITHUB_TOKEN is automatic) |
| CI.yml → docker-build-release | `secrets: inherit` | Explicit
`DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` |
| CI.yml → e2e-tests | `secrets: inherit` | No secrets (GITHUB_TOKEN is
automatic) |

### 2. Binary Checksum Verification
| Workflow | Binary | SHA256 |
|----------|--------|--------|
| task-rust-lint.yml | taplo 0.8.1 | `c62baa73c9d7c1572...` |
| task-e2e.yml | kurtosis 1.11.99 | `5e88e98c1b255362...` |

### 3. Environment Protections
| Workflow | Job | Environment |
|----------|-----|-------------|
| task-docker-release.yml | build-test-push | `production` |
| task-publish-binary.yml | publish-draft-release | `releases` |
| task-publish-binary.yml | docker-release-candidate | `production` |
| task-publish-runtime.yml | publish-draft-release | `releases` |

### 4. Explicit Permissions
All 14 workflow files now have explicit `permissions:` blocks with
minimal required access.

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Ahmad Kaouk <56095276+ahmadkaouk@users.noreply.github.com>

2025-12-12 09:52:50 +00:00

Ahmad Kaouk

dd7b72ca29

chore: pin Bun version and migrate to bun.lock (#290 )

## Summary

Pins Bun version to 1.3.2 and migrates workflows to use text-based
`bun.lock` instead of binary `bun.lockb`. This fixes CI failures caused
by Bun version mismatches between local development and GitHub Actions.

## Changes

- Created `test/.bun-version` to pin Bun to v1.3.2
- Updated all workflows to use `bun-version-file: test/.bun-version`
- Migrated workflow cache keys from `bun.lockb` to `bun.lock`
- Removed deprecated `test/bun.lockb` binary lockfile

## Why?

**Version Consistency:**
- Local environments and CI were using different Bun versions
- Different versions generate different lockfile formats → CI failures

**Lockfile Migration:**
- Bun v1.2+ uses text-based `bun.lock` as default
- Binary `bun.lockb` is still supported but deprioritized
- Text format provides better git diffs and merge conflict resolution

## Affected Workflows

- `.github/workflows/task-check-metadata.yml`
- `.github/workflows/task-e2e.yml`
- `.github/workflows/task-moonwall-tests.yml`
- `.github/workflows/task-ts-build.yml`
- `.github/workflows/task-ts-lint.yml`

## After Merge

Developers should upgrade their local Bun:
```bash
bun upgrade --stable  # Should install v1.3.2
bun --version         # Verify version
bun install           # Regenerate lockfile if needed
```

---------

Co-authored-by: Steve Degosserie <723552+stiiifff@users.noreply.github.com>

2025-11-10 22:37:39 +01:00

Facundo Farall

935babe36a

ci: 👷 Add CI to check PAPI metadata (#107 )

Add CI check for Polkadot-API metadata freshness

This PR adds a new CI workflow that ensures the Polkadot-API metadata
file (`test/.papi/metadata/datahaven.scale`)
   is kept up-to-date when runtime changes are made.

  Changes:

  - Added task-check-metadata.yml workflow that:
- Reuses the WASM artifact from the build-operator job (no duplicate
compilation)
    - Runs `bun x papi add` to regenerate metadata
    - Fails if the metadata file has uncommitted changes
- Integrated the check into `CI.yml` as a second-tier job alongside
`docker-build`

  Why:

- Prevents TypeScript type definitions from becoming out of sync with
the runtime
- Reminds developers to run `bun generate:types:fast` when making
runtime changes
  - Ensures consistent type safety across the codebase

The check provides clear error messages with instructions when metadata
is outdated.

2025-06-19 19:12:04 -03:00

3 commits