diff --git a/.github/workflows/proto-comment.yml b/.github/workflows/proto-comment.yml
new file mode 100644
index 000000000..596243c10
--- /dev/null
+++ b/.github/workflows/proto-comment.yml
@@ -0,0 +1,81 @@
+name: Comment protobuf breaking action outcome on the pull request
+
+permissions:
+ # for finding and downloading artifacts.
+ actions: read
+ # for commenting on pull requests.
+ pull-requests: write
+ # the content of the repo is irrelevant to this workflow.
+ contents: none
+
+on:
+ workflow_run:
+ workflows: ["Protobuf"]
+ types:
+ - completed
+
+jobs:
+ download-artifact-and-comment:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: 'Download artifact'
+ uses: actions/github-script@v7.0.1
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.find((artifact) => {
+ return artifact.name == "result";
+ });
+ if (!matchArtifact) {
+ var core = require('@actions/core');
+ core.setFailed('Artifact "result" not found.');
+ return;
+ }
+ var download = await github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/result.zip', Buffer.from(download.data));
+ - run: unzip result.zip -d result
+ - name: Read PR number and outcome
+ run: |
+ pr_number=$(cat "result/pr_number.txt")
+ outcome=$(cat "result/outcome.txt")
+ echo "PR_NUMBER=${pr_number}" >> "$GITHUB_ENV"
+ echo "OUTCOME=${outcome}" >> "$GITHUB_ENV"
+ - name: Find comment
+ id: find-comment
+ uses: peter-evans/find-comment@v2
+ with:
+ issue-number: ${{ env.PR_NUMBER }}
+ comment-author: 'github-actions[bot]'
+ body-includes: buf breaking change
+ - name: Comment status of break-check in the case of failure
+ if: ${{ env.OUTCOME == 'failure' }}
+ uses: peter-evans/create-or-update-comment@v3
+ with:
+ issue-number: ${{ env.PR_NUMBER }}
+ comment-id: ${{ steps.find-comment.outputs.comment-id }}
+ body: |
+ ${{ github.sha }} (${{ github.event.workflow_run.updated_at }}) has a buf breaking change.
+ View the workflow run: [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }})
+ edit-mode: append
+ - name: Comment status of break-check in the case of success
+ if: env.OUTCOME == 'success' && steps.find-comment.outputs.comment-id != ''
+ uses: peter-evans/create-or-update-comment@v3
+ with:
+ issue-number: ${{ env.PR_NUMBER }}
+ comment-id: ${{ steps.find-comment.outputs.comment-id }}
+ body: |
+ ${{ github.sha }} (${{ github.event.workflow_run.updated_at }}) has no buf breaking changes.
+ View the workflow run: [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }})
+ edit-mode: append
diff --git a/.github/workflows/proto.yml b/.github/workflows/proto.yml
index de4cfd9d5..3bfafc585 100644
--- a/.github/workflows/proto.yml
+++ b/.github/workflows/proto.yml
@@ -7,7 +7,13 @@ on:
 - "proto/**"
 
 permissions:
- contents: read
+ # for uploading artifacts
+ contents: write
+ pull-requests: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 
 jobs:
 build:
@@ -42,6 +48,7 @@ jobs:
 - uses: actions/checkout@v4
 - uses: bufbuild/buf-setup-action@v1.26.1
 - uses: bufbuild/buf-breaking-action@v1
+ id: break-check
 with:
 input: "proto"
 # previously, this ran on ref=HEAD~1, which is incorrect as it can
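Review bot: The `Read PR number and outcome` step treats `result/pr_number.txt` and `result/outcome.txt` as trusted, but that artifact was produced by the unprivileged `Protobuf` run on the PR's own code while this workflow holds `pull-requests: write`; whoever controls the PR branch controls both files, so `issue-number: ${{ env.PR_NUMBER }}` can name a PR other than the one that was checked and `OUTCOME` can be anything. Constrain both values to their expected shape before they reach `$GITHUB_ENV`, and ideally confirm via `github.rest.pulls.get` that the PR named in the file has a `head.sha` equal to `github.event.workflow_run.head_sha` before commenting. The same pattern is introduced in the `test-comment.yml` hunk, where `COVERAGE` is additionally rendered straight into the comment body. The job-level `if:` here also lacks the `github.event.workflow_run.event == 'pull_request'` guard that `test-comment.yml` has, so a `Protobuf` run triggered by a push would reach the artifact download and fail on the missing artifact instead of being skipped.
```yaml
      - name: Read PR number and outcome
        run: |
          pr_number=$(cat "result/pr_number.txt")
          outcome=$(cat "result/outcome.txt")
          # the artifact was written by the unprivileged PR run: accept only the expected shapes
          if ! [[ "$pr_number" =~ ^[0-9]+$ ]]; then echo "unexpected pr_number"; exit 1; fi
          if ! [[ "$outcome" =~ ^(success|failure|cancelled|skipped)$ ]]; then echo "unexpected outcome"; exit 1; fi
          echo "PR_NUMBER=${pr_number}" >> "$GITHUB_ENV"
          echo "OUTCOME=${outcome}" >> "$GITHUB_ENV"
      # … unchanged: download, unzip, find-comment and comment steps …
```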
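Review bot: The new `# for uploading artifacts` comment above `contents: write` does not, as far as I know, describe a real requirement: `actions/upload-artifact` authenticates with the runner's own artifact token rather than `GITHUB_TOKEN`, so the previous `contents: read` should keep working. Because this job now checks out and runs PR code under `pull_request`, widening the token to `contents: write` (effective on same-repository PRs and on pushes) only enlarges what a compromised step could do; I would keep `contents: read` here and correct the same comment in the `permissions:` hunk of `test.yml`, where `contents: write` predates this change. If write access is needed for something else, the comment should name it.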
@@ -49,3 +56,14 @@ jobs:
 # on a PR, so it must compare the HEAD of the base branch against
 # the PR branch.
 against: "https://github.com/${{ github.repository }}.git#branch=${{ github.event.pull_request.base.ref }},subdir=proto"
+ # do not fail the build if there are breaking changes
+ continue-on-error: true
+ - name: Make buf breaking changes outcome as txt file
+ run: |
+ mkdir -p ./result/
+ echo "${{ steps.break-check.outcome }}" > ./result/outcome.txt
+ echo "${{ github.event.pull_request.number }}" > ./result/pr_number.txt
+ - uses: actions/upload-artifact@v2
+ with:
+ name: result
+ path: ./result/
diff --git a/.github/workflows/test-comment.yml b/.github/workflows/test-comment.yml
new file mode 100644
index 000000000..9fc63ddca
--- /dev/null
+++ b/.github/workflows/test-comment.yml
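Review bot: `actions/upload-artifact@v2` is pinned two majors behind the `actions/github-script@v7.0.1` used by the consuming workflow; as far as I recall v2 is a Node 12 action that GitHub has deprecated, so `- uses: actions/upload-artifact@v3` (or the current major) is the safer pin, and the same `@v2` appears in the `test.yml` hunk that adds its upload step. The artifact holds two small text files that are only useful to the follow-up run, so a short `retention-days:` on the upload step would also stop them lingering for the default retention period. The `build` job continues outside the hunk.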
@@ -0,0 +1,71 @@
+# This workflow runs after test.yml and comments the test coverage on the pull request.
+name: Comment test coverage on the pull request
+
+permissions:
+ # for finding and downloading artifacts.
+ actions: read
+ # for commenting on pull requests.
+ pull-requests: write
+ # the content of the repo is irrelevant to this workflow.
+ contents: none
+
+on:
+ workflow_run:
+ workflows: ["Tests"]
+ types:
+ - completed
+
+jobs:
+ download-artifact-and-comment:
+ runs-on: ubuntu-latest
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: Download artifact
+ uses: actions/github-script@v7.0.1
+ with:
+ script: |
+ var artifacts = await github.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: ${{github.event.workflow_run.id }},
+ });
+ var matchArtifact = artifacts.data.artifacts.find((artifact) => {
+ return artifact.name == "result"
+ });
+ if (!matchArtifact) {
+ var core = require('@actions/core');
+ core.setFailed('Artifact "result" not found.');
+ return;
+ }
+ var download = await github.actions.downloadArtifact({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ artifact_id: matchArtifact.id,
+ archive_format: 'zip',
+ });
+ var fs = require('fs');
+ fs.writeFileSync('${{github.workspace}}/result.zip', Buffer.from(download.data));
+ - run: unzip result.zip -d result
+ - name: Read PR number and coverage
+ run: |
+ pr_number=$(cat "result/pr_number.txt")
+ coverage=$(cat "result/coverage.txt")
+ echo "PR_NUMBER=${pr_number}" >> "$GITHUB_ENV"
+ echo "COVERAGE=${coverage}" >> "$GITHUB_ENV"
+ - name: Find comment
+ id: find-comment
+ uses: peter-evans/find-comment@v2
+ with:
+ issue-number: ${{ env.PR_NUMBER }}
+ comment-author: 'github-actions[bot]'
+ body-includes: Coverage as of
+ - name: Comment coverage on PR
+ uses: peter-evans/create-or-update-comment@v3
+ with:
+ issue-number: ${{ env.PR_NUMBER }}
+ comment-id: ${{ steps.find-comment.outputs.comment-id }}
+ body: |
+ Coverage as of ${{ github.sha }}: ${{ env.COVERAGE }}%
+ edit-mode: append
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9d669e41d..4221bb8a2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,7 +1,13 @@
+# This workflow runs on every push and pull request to the repository.
+# It then calculates the unit test coverage and checks if it's above a certain threshold.
+# this information is passed on to another workflow as artifacts for commenting on the PR.
+# This is because the `pull_request` event does not have the commenting permissions.
+# We could switch to `pull_request_target` which does have them, however, it
+# opens a security hole. See:
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
 name: Tests
 on:
- # for write permission, use pull_request_target and not pull_request.
- pull_request_target:
+ pull_request:
 push:
 branches:
 - develop
@@ -10,8 +16,9 @@ on:
 - release/**
 
 permissions:
+ # for uploading artifacts
 contents: write
- pull-requests: write
+ pull-requests: read
 
 # Automatically cancel run if another commit to the same ref is detected.
 concurrency:
@@ -30,7 +37,6 @@ jobs:
 - uses: technote-space/get-diff-action@v6.1.2
 with:
 PATTERNS: |
- **/**.sol
 **/**.go
 go.mod
 go.sum
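Review bot: The `Download artifact` script is a line-for-line copy of the one in `proto-comment.yml`, differing only in the missing semicolon after `return artifact.name == "result"`, and the two copies will drift. Either move the shared download-and-unzip logic into a composite action under `.github/actions/` or at least make the copies byte-identical, using strict equality in both since the comparison is string-to-string: `var matchArtifact = artifacts.data.artifacts.find((artifact) => artifact.name === "result");`. Validation of the artifact contents, which this file shares with `proto-comment.yml`, is raised on that hunk.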
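Review bot: The new header comment explains why `pull_request_target` was dropped but not the obligation this creates on the consumer side, which the linked article spells out: the artifact is written by untrusted PR code and must be validated by `test-comment.yml` before it is used with a write token. I would add `# NOTE: the consuming workflow must treat result/*.txt as untrusted input, since it is produced by PR code.` after the securitylab link, and capitalise `# this information …` to match its neighbours. The unchanged `name: Tests` line is also the value `test-comment.yml` matches on in `workflows: ["Tests"]`, which deserves a one-line comment because renaming this workflow silently detaches the commenter.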
@@ -47,19 +53,14 @@ jobs:
 # TODO: increase this threshold with time to 80
 threshold-total: 10
 if: env.GIT_DIFF
- - name: Find comment
- id: find-comment
- uses: peter-evans/find-comment@v2
- with:
- issue-number: ${{ github.event.pull_request.number }}
- comment-author: 'github-actions[bot]'
+ - name: Generate artifact for PR
+ run: |
+ mkdir -p ./result/
+ echo "${{ steps.output-coverage.outputs.total-coverage }}" > ./result/coverage.txt
+ echo "${{ github.event.pull_request.number }}" > ./result/pr_number.txt
 if: env.GIT_DIFF && github.event_name == 'pull_request'
- - name: Comment coverage on PR
- uses: peter-evans/create-or-update-comment@v3
+ - uses: actions/upload-artifact@v2
 with:
- issue-number: ${{ github.event.pull_request.number }}
- comment-id: ${{ steps.find-comment.outputs.comment-id }}
- body: |
- Coverage as of ${{ github.sha }}: ${{ steps.output-coverage.outputs.total-coverage }}%
- edit-mode: append
+ name: result
+ path: ./result/
 if: env.GIT_DIFF && github.event_name == 'pull_request'
diff --git a/.semgrepignore b/.semgrepignore
index 2fd10b138..9f5d214e5 100644
--- a/.semgrepignore
+++ b/.semgrepignore
@@ -19,6 +19,7 @@ vendor/
 # Common test paths
 test/
 tests/
+testutil/
 *_test.go
 *.pb.gw.go
 *.pb.go
diff --git a/docker-compose.yml b/docker-compose.yml
index c039a41d9..967a5d2f7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,6 +4,7 @@ services:
 exocorenode0:
 container_name: exocorenode0
 image: "exocore/node"
+ read_only: true
 environment:
 - DEBUG=1
 - ID=0
@@ -11,7 +12,7 @@ services:
 cap_add:
 - SYS_PTRACE
 security_opt:
- - seccomp:unconfined
+ - no-new-privileges:true
 ports:
 - "26656-26657:26656-26657"
 - "1317:1317"
@@ -28,6 +29,7 @@ services:
 exocorenode1:
 container_name: exocorenode1
 image: "exocore/node"
+ read_only: true
 environment:
 - DEBUG=0
 - ID=1
@@ -35,7 +37,7 @@ services:
 cap_add:
 - SYS_PTRACE
 security_opt:
- - seccomp:unconfined
+ - no-new-privileges:true
 ports:
 - "26666-26667:26656-26657"
 - "1318:1317"
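Review bot: `echo "${{ steps.output-coverage.outputs.total-coverage }}" > ./result/coverage.txt` splices a step output straight into the shell script, and that value is derived from running the PR's own tests, so this step should not assume it is a clean number. The exposure is limited because the job runs with the read-only `pull_request` token, but routing the value through `env:` removes the script-injection surface at no cost: `env:` / `TOTAL_COVERAGE: ${{ steps.output-coverage.outputs.total-coverage }}` on the step and `printf '%s\n' "$TOTAL_COVERAGE" > ./result/coverage.txt` in `run:`. The enclosing job continues outside the hunk.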
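Review bot: `testutil/` in `.semgrepignore` excludes a whole directory from scanning, unlike the neighbouring `*_test.go` pattern which only skips test files; if anything under `testutil/` is imported by non-test packages, that code is now unscanned. If the intent is only to silence findings in test helpers, a narrower pattern or per-finding `# nosemgrep` annotations would keep coverage, and a one-line comment next to the entry saying why it is excluded would help the next reader.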
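Review bot: `read_only: true` is added to `exocorenode0` (and to the other three services in the `@@ -28`, `@@ -52` and `@@ -76` hunks) with no `tmpfs:` or volume in these hunks for the paths a node writes to; unless a `volumes:` block outside the hunk covers the data directory and `/tmp`, the containers will fail on their first write. A `tmpfs:` entry for `/tmp` next to `read_only: true` is the usual companion, e.g. `tmpfs:` / `- /tmp`. Separately, `SYS_PTRACE` stays in `cap_add` for all four services even though `seccomp:unconfined` is replaced by `no-new-privileges:true` in the `@@ -11`, `@@ -35`, `@@ -59` and `@@ -83` hunks; if the capability only serves `DEBUG=1` on node 0, dropping it from nodes 1–3 would complete the hardening.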
@@ -52,6 +54,7 @@ services:
 exocorenode2:
 container_name: exocorenode2
 image: "exocore/node"
+ read_only: true
 environment:
 - DEBUG=0
 - ID=2
@@ -59,7 +62,7 @@ services:
 cap_add:
 - SYS_PTRACE
 security_opt:
- - seccomp:unconfined
+ - no-new-privileges:true
 ports:
 - "26676-26677:26656-26657"
 - "1319:1317"
@@ -76,6 +79,7 @@ services:
 exocorenode3:
 container_name: exocorenode3
 image: "exocore/node"
+ read_only: true
 environment:
 - DEBUG=0
 - ID=3
@@ -83,7 +87,7 @@ services:
 cap_add:
 - SYS_PTRACE
 security_opt:
- - seccomp:unconfined
+ - no-new-privileges:true
 ports:
 - "26686-26687:26656-26657"
 - "1320:1317"
diff --git a/x/restaking_assets_manage/client/cli/tx.go b/x/restaking_assets_manage/client/cli/tx.go
index 7b55345a0..bfd11b538 100644
--- a/x/restaking_assets_manage/client/cli/tx.go
+++ b/x/restaking_assets_manage/client/cli/tx.go
@@ -56,7 +56,7 @@ func RegisterClientChain() *cobra.Command {
 if err != nil {
 return errorsmod.Wrap(restakingtype.ErrCliCmdInputArg, fmt.Sprintf("error arg is:%v", args[2]))
 }
- addressLength, err := strconv.ParseUint(args[3], 10, 64)
+ addressLength, err := strconv.ParseUint(args[3], 10, 32)
 if err != nil {
 return errorsmod.Wrap(restakingtype.ErrCliCmdInputArg, fmt.Sprintf("error arg is:%v", args[3]))
 }
@@ -105,7 +105,7 @@ func RegisterAsset() *cobra.Command {
 if err != nil {
 return errorsmod.Wrap(restakingtype.ErrCliCmdInputArg, fmt.Sprintf("error arg is:%v", args[5]))
 }
- decimal, err := strconv.ParseUint(args[6], 10, 32)
+ decimal, err := strconv.ParseUint(args[6], 10, 32)
 if err != nil {
 return errorsmod.Wrap(restakingtype.ErrCliCmdInputArg, fmt.Sprintf("error arg is:%v", args[6]))
 }
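Review bot: Narrowing `ParseUint` to a `bitSize` of 32 now makes out-of-range input fail at the parse instead of being silently truncated later, but the error returned on the following line still discards `err`, so a user who passes a value above the uint32 range sees only `error arg is:<value>` with no hint that the problem is range rather than format. `return errorsmod.Wrapf(restakingtype.ErrCliCmdInputArg, "error arg is:%v, err:%v", args[3], err)` keeps the cause, and the same applies to the `decimal` parse in the `RegisterAsset` hunk. Both `RegisterClientChain` and `RegisterAsset` begin and end outside their hunks.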