mirror of
https://github.com/datahaven-xyz/datahaven
synced 2026-05-24 01:38:32 +00:00
746fce9328
## Summary This PR addresses several security vulnerabilities and applies hardening measures to the GitHub Actions workflows: - **Replace `secrets: inherit` with explicit secret passing** - Prevents unnecessary exposure of all repository secrets to called workflows - **Add SHA256 checksum verification for downloaded binaries** - Protects against supply chain attacks via compromised upstream releases - **Add GitHub Environment protections for release workflows** - Requires approval before publishing to Docker Hub or creating releases - **Add explicit minimal permissions to all workflows** - Follows principle of least privilege, removes unnecessary `packages: write` from CI.yml ## Changes by Category ### 1. Explicit Secret Passing | Workflow | Before | After | |----------|--------|-------| | CI.yml → docker-build-ci | `secrets: inherit` | No secrets (GITHUB_TOKEN is automatic) | | CI.yml → docker-build-release | `secrets: inherit` | Explicit `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` | | CI.yml → e2e-tests | `secrets: inherit` | No secrets (GITHUB_TOKEN is automatic) | ### 2. Binary Checksum Verification | Workflow | Binary | SHA256 | |----------|--------|--------| | task-rust-lint.yml | taplo 0.8.1 | `c62baa73c9d7c1572...` | | task-e2e.yml | kurtosis 1.11.99 | `5e88e98c1b255362...` | ### 3. Environment Protections | Workflow | Job | Environment | |----------|-----|-------------| | task-docker-release.yml | build-test-push | `production` | | task-publish-binary.yml | publish-draft-release | `releases` | | task-publish-binary.yml | docker-release-candidate | `production` | | task-publish-runtime.yml | publish-draft-release | `releases` | ### 4. Explicit Permissions All 14 workflow files now have explicit `permissions:` blocks with minimal required access. Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Ahmad Kaouk <56095276+ahmadkaouk@users.noreply.github.com>
100 lines
3.3 KiB
YAML
100 lines
3.3 KiB
YAML
name: "Task: Check Metadata Freshness"
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
binary-hash:
|
|
description: "Hash of the binary artifact to use"
|
|
required: true
|
|
type: string
|
|
workflow_call:
|
|
inputs:
|
|
binary-hash:
|
|
description: "Hash of the binary artifact to use"
|
|
required: true
|
|
type: string
|
|
|
|
# Explicit minimal permissions
|
|
permissions:
|
|
contents: read
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
|
|
env:
|
|
RUST_BACKTRACE: "1"
|
|
|
|
jobs:
|
|
check-metadata:
|
|
name: Check metadata freshness
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Bun
|
|
uses: oven-sh/setup-bun@v2
|
|
with:
|
|
bun-version-file: test/.bun-version
|
|
|
|
- name: Install dependencies
|
|
working-directory: test
|
|
run: bun install --frozen-lockfile
|
|
|
|
- name: Download WASM artifact
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: datahaven-wasm-${{ inputs.binary-hash }}
|
|
path: ./operator/target/release/wbuild/datahaven-stagenet-runtime
|
|
|
|
- name: Verify WASM download to target directory
|
|
run: |
|
|
echo "Target directory contents:"
|
|
find ./operator/target/release/wbuild/datahaven-stagenet-runtime -type f | head -20
|
|
|
|
# The WASM should be at this path in the artifact
|
|
WASM_PATH="./operator/target/release/wbuild/datahaven-stagenet-runtime/datahaven_stagenet_runtime.wasm"
|
|
if [ ! -f "$WASM_PATH" ]; then
|
|
echo "Error: WASM file not found at expected path: $WASM_PATH"
|
|
echo "Looking for WASM files in target directory:"
|
|
find ./operator/target/release/wbuild/datahaven-stagenet-runtime -name "*.wasm" -type f
|
|
exit 1
|
|
fi
|
|
echo "Found WASM at: $WASM_PATH"
|
|
echo "WASM size: $(du -h $WASM_PATH | cut -f1)"
|
|
|
|
- name: Generate metadata from WASM
|
|
working-directory: test
|
|
run: |
|
|
echo "Generating metadata from WASM..."
|
|
bun x papi add --wasm "../operator/target/release/wbuild/datahaven-stagenet-runtime/datahaven_stagenet_runtime.wasm" datahaven
|
|
|
|
- name: Check for metadata changes
|
|
run: |
|
|
# Check if the metadata file has changed
|
|
if git diff --exit-code test/.papi/metadata/datahaven.scale; then
|
|
echo "✅ Metadata is up to date!"
|
|
else
|
|
echo "❌ Metadata file has changed!"
|
|
echo ""
|
|
echo "The runtime metadata is out of date. Please run the following command and commit the changes:"
|
|
echo ""
|
|
echo " cd test && bun generate:types:fast"
|
|
echo ""
|
|
echo "This ensures that TypeScript types match the current runtime."
|
|
echo ""
|
|
echo "Diff of changes:"
|
|
git diff test/.papi/metadata/datahaven.scale | head -50
|
|
exit 1
|
|
fi
|
|
|
|
- name: Check for other papi changes
|
|
run: |
|
|
# Also check if polkadot-api.json changed (shouldn't happen, but good to verify)
|
|
if git diff --exit-code test/.papi/polkadot-api.json; then
|
|
echo "✅ polkadot-api.json is unchanged"
|
|
else
|
|
echo "⚠️ polkadot-api.json has changed - this is unexpected"
|
|
git diff test/.papi/polkadot-api.json
|
|
fi
|