Elgato_dark/datahaven
1
0
Fork 0
mirror of https://github.com/datahaven-xyz/datahaven synced 2026-05-24 09:50:01 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
424 commits 43 branches 56 tags 33 MiB
Commit graph

3 commits

Author SHA1 Message Date
Steve Degosserie
746fce9328
security: 🛡️ Harden GitHub Actions workflows (#349) 
## Summary

This PR addresses several security vulnerabilities and applies hardening
measures to the GitHub Actions workflows:

- **Replace `secrets: inherit` with explicit secret passing** - Prevents
unnecessary exposure of all repository secrets to called workflows
- **Add SHA256 checksum verification for downloaded binaries** -
Protects against supply chain attacks via compromised upstream releases
- **Add GitHub Environment protections for release workflows** -
Requires approval before publishing to Docker Hub or creating releases
- **Add explicit minimal permissions to all workflows** - Follows
principle of least privilege, removes unnecessary `packages: write` from
CI.yml

## Changes by Category

### 1. Explicit Secret Passing
| Workflow | Before | After |
|----------|--------|-------|
| CI.yml → docker-build-ci | `secrets: inherit` | No secrets
(GITHUB_TOKEN is automatic) |
| CI.yml → docker-build-release | `secrets: inherit` | Explicit
`DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` |
| CI.yml → e2e-tests | `secrets: inherit` | No secrets (GITHUB_TOKEN is
automatic) |

### 2. Binary Checksum Verification
| Workflow | Binary | SHA256 |
|----------|--------|--------|
| task-rust-lint.yml | taplo 0.8.1 | `c62baa73c9d7c1572...` |
| task-e2e.yml | kurtosis 1.11.99 | `5e88e98c1b255362...` |

### 3. Environment Protections
| Workflow | Job | Environment |
|----------|-----|-------------|
| task-docker-release.yml | build-test-push | `production` |
| task-publish-binary.yml | publish-draft-release | `releases` |
| task-publish-binary.yml | docker-release-candidate | `production` |
| task-publish-runtime.yml | publish-draft-release | `releases` |

### 4. Explicit Permissions
All 14 workflow files now have explicit `permissions:` blocks with
minimal required access.

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Ahmad Kaouk <56095276+ahmadkaouk@users.noreply.github.com>
 2025-12-12 09:52:50 +00:00
Ahmad Kaouk
dd7b72ca29
chore: pin Bun version and migrate to bun.lock (#290) 
## Summary

Pins Bun version to 1.3.2 and migrates workflows to use text-based
`bun.lock` instead of binary `bun.lockb`. This fixes CI failures caused
by Bun version mismatches between local development and GitHub Actions.

## Changes

- Created `test/.bun-version` to pin Bun to v1.3.2
- Updated all workflows to use `bun-version-file: test/.bun-version`
- Migrated workflow cache keys from `bun.lockb` to `bun.lock`
- Removed deprecated `test/bun.lockb` binary lockfile

## Why?

**Version Consistency:**
- Local environments and CI were using different Bun versions
- Different versions generate different lockfile formats → CI failures

**Lockfile Migration:**
- Bun v1.2+ uses text-based `bun.lock` as default
- Binary `bun.lockb` is still supported but deprioritized
- Text format provides better git diffs and merge conflict resolution

## Affected Workflows

- `.github/workflows/task-check-metadata.yml`
- `.github/workflows/task-e2e.yml`
- `.github/workflows/task-moonwall-tests.yml`
- `.github/workflows/task-ts-build.yml`
- `.github/workflows/task-ts-lint.yml`

## After Merge

Developers should upgrade their local Bun:
```bash
bun upgrade --stable  # Should install v1.3.2
bun --version         # Verify version
bun install           # Regenerate lockfile if needed
```

---------

Co-authored-by: Steve Degosserie <723552+stiiifff@users.noreply.github.com>
 2025-11-10 22:37:39 +01:00
Ahmad Kaouk
17c706dc64
test: Integrate moonwall (#185) 
### Description

This PR introduces the **Moonwall** end-to-end (E2E) testing framework.
The primary motivation for this is to enable the porting of existing
Mobeam tests into the `DataHaven` repository.

### Key Changes

*   **Node Manual Sealing:**
* Introduced a `--sealing=manual` flag for the `datahaven-node`. When
enabled, blocks are only produced on demand via an RPC call. This is the
core mechanism that allows for deterministic tests.

*   **Moonwall Framework Integration:**
* Added `@moonwall/cli` and `@moonwall/util` dependencies to the
`test/package.json`.
* A new `test/moonwall.config.json` file configures the test
environment, defining how Moonwall should launch the `datahaven-node`
with the manual sealing flag.
* Added a `moonwall:test` script to `package.json` for running the
tests.

*   **CI Workflow:**
* A new reusable workflow, `.github/workflows/task-moonwall-tests.yml`,
has been created to handle the setup, execution, and reporting of
Moonwall tests.
* The main `CI.yml` now includes a `moonwall-tests` job that runs after
the `build-operator` job, ensuring it always tests the correct,
freshly-built binary.

*   **Example Test Suite:**
* A new test suite, `test/datahaven/suites/dev/test-block.ts`, had been
copied from moonbeam.

### How to Run Locally

1.  Navigate to the `test` directory.
2.  Install dependencies: `bun install`
3.  Run the tests: `bun run moonwall:test`

---------

Co-authored-by: undercover-cactus <lola@moonsonglabs.com>
 2025-09-30 14:47:39 +00:00