mirror of
https://github.com/datahaven-xyz/datahaven
synced 2026-05-24 09:50:01 +00:00
746fce9328
## Summary This PR addresses several security vulnerabilities and applies hardening measures to the GitHub Actions workflows: - **Replace `secrets: inherit` with explicit secret passing** - Prevents unnecessary exposure of all repository secrets to called workflows - **Add SHA256 checksum verification for downloaded binaries** - Protects against supply chain attacks via compromised upstream releases - **Add GitHub Environment protections for release workflows** - Requires approval before publishing to Docker Hub or creating releases - **Add explicit minimal permissions to all workflows** - Follows principle of least privilege, removes unnecessary `packages: write` from CI.yml ## Changes by Category ### 1. Explicit Secret Passing | Workflow | Before | After | |----------|--------|-------| | CI.yml → docker-build-ci | `secrets: inherit` | No secrets (GITHUB_TOKEN is automatic) | | CI.yml → docker-build-release | `secrets: inherit` | Explicit `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` | | CI.yml → e2e-tests | `secrets: inherit` | No secrets (GITHUB_TOKEN is automatic) | ### 2. Binary Checksum Verification | Workflow | Binary | SHA256 | |----------|--------|--------| | task-rust-lint.yml | taplo 0.8.1 | `c62baa73c9d7c1572...` | | task-e2e.yml | kurtosis 1.11.99 | `5e88e98c1b255362...` | ### 3. Environment Protections | Workflow | Job | Environment | |----------|-----|-------------| | task-docker-release.yml | build-test-push | `production` | | task-publish-binary.yml | publish-draft-release | `releases` | | task-publish-binary.yml | docker-release-candidate | `production` | | task-publish-runtime.yml | publish-draft-release | `releases` | ### 4. Explicit Permissions All 14 workflow files now have explicit `permissions:` blocks with minimal required access. Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Ahmad Kaouk <56095276+ahmadkaouk@users.noreply.github.com>
54 lines
1.2 KiB
YAML
54 lines
1.2 KiB
YAML
# Foundry Tests: CI for Foundry components (smart contracts for EigenLayer and Snowbridge interaction)
|
|
#
|
|
# Overview:
|
|
# 1. All Foundry Tests: Executes the full suite of Foundry tests found within the `./contracts` directory
|
|
|
|
name: Foundry AVS Smart Contract Tests
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
workflow_call:
|
|
|
|
# Explicit minimal permissions
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
FOUNDRY_PROFILE: ci
|
|
|
|
jobs:
|
|
test:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
partition: [1]
|
|
|
|
name: Foundry Tests
|
|
runs-on: ubuntu-latest
|
|
defaults:
|
|
run:
|
|
working-directory: contracts
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
submodules: recursive
|
|
|
|
- name: Install Foundry
|
|
uses: foundry-rs/foundry-toolchain@v1
|
|
with:
|
|
version: v1.4.3
|
|
|
|
- name: Cache Foundry build artifacts
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
contracts/out
|
|
contracts/cache
|
|
key: ${{ runner.os }}-foundry-build-${{ hashFiles('contracts/foundry.toml', 'contracts/**/*.sol') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-foundry-build-
|
|
|
|
- run: forge --version
|
|
- run: forge fmt --check
|
|
- run: forge build --sizes
|
|
- run: forge test -vvv
|