zeta-chain · gzukel · Sep 26, 2023
@@ -0,0 +1,54 @@
+import json
+import os
+
+genesis = open(os.environ["NEW_GENESIS"], "r").read()
+genesis_json_object = json.loads(genesis)
+
+#cut this out for now because it fails to start when done in  python with the exact same keys being replaced with same value. Will fix later.
+# genesis_json_object["staking"]["params"]["bond_denom"] = "azeta"
+# genesis_json_object["crisis"]["constant_fee"]["denom"] = "azeta"
+# genesis_json_object["gov"]["deposit_params"]["min_deposit"][0]["denom"] = "azeta"
+# genesis_json_object["mint"]["params"]["mint_denom"] = "azeta"
+# genesis_json_object["evm"]["params"]["evm_denom"] = "azeta"
+# genesis_json_object["block"]["max_gas"] = "10000000"
+# genesis_json_object["gov"]["voting_params"]["voting_period"] = '60s'
+
+exported_genesis = open(os.environ["OLD_GENESIS"], "r").read()
+exported_genesis_json_object = json.loads(exported_genesis)
+
+crosschain = exported_genesis_json_object["app_state"]["crosschain"]
+observer = exported_genesis_json_object["app_state"]["observer"]
+emissions = exported_genesis_json_object["app_state"]["emissions"]
+fungible = exported_genesis_json_object["app_state"]["fungible"]
+evm = exported_genesis_json_object["app_state"]["evm"]
+auth_accounts = exported_genesis_json_object["app_state"]["auth"]["accounts"]
+
+genesis_json_object["app_state"]["auth"]["accounts"] = genesis_json_object["app_state"]["auth"]["accounts"] + auth_accounts
+genesis_json_object["app_state"]["crosschain"] = crosschain
+genesis_json_object["app_state"]["observer"] = observer
+genesis_json_object["app_state"]["emissions"] = emissions
+genesis_json_object["app_state"]["fungible"] = fungible
+
+evm_accounts = []
+for index, account in enumerate(evm["accounts"]):
+    if account["address"] == "0x0000000000000000000000000000000000000001":
+        print("pop account", account["address"])
+    elif account["address"] == "0x0000000000000000000000000000000000000006":
+        print("pop account", account["address"])
+    elif account["address"] == "0x0000000000000000000000000000000000000002":
+        print("pop account", account["address"])
+    elif account["address"] == "0x0000000000000000000000000000000000000002":
+        print("pop account", account["address"])
+    elif account["address"] == "0x0000000000000000000000000000000000000008":
+        print("pop account", account["address"])
+    else:
+        evm_accounts.append(account)
+
+evm["accounts"] = evm_accounts
+genesis_json_object["app_state"]["evm"] = evm
+
+genesis = open("genesis-edited.json", "w")
+genesis_string = json.dumps(genesis_json_object, indent=2)
+dumped_genesis_object = genesis_string.replace("0x0000000000000000000000000000000000000001","0x387A12B28fe02DcAa467c6a1070D19B82F718Bb5")
+genesis.write(genesis_string)
+genesis.close()
@@ -0,0 +1,49 @@
+import json
+import os
+
+print("OPEN NEW GENESIS")
+genesis = open(os.environ["NEW_GENESIS"], "r").read()
+genesis_json_object = json.loads(genesis)
+
+print("OPEN OLD GENESIS")
+exported_genesis = open(os.environ["OLD_GENESIS"], "r").read()
+exported_genesis_json_object = json.loads(exported_genesis)
+
+print("PULL STATE OUT OF OLD GENESIS")
+crosschain = exported_genesis_json_object["app_state"]["crosschain"]
+observer = exported_genesis_json_object["app_state"]["observer"]
+emissions = exported_genesis_json_object["app_state"]["emissions"]
+fungible = exported_genesis_json_object["app_state"]["fungible"]
+evm = exported_genesis_json_object["app_state"]["evm"]
+auth_accounts = exported_genesis_json_object["app_state"]["auth"]["accounts"]
+
+print("MANIPULATE NEW GENESIS")
+genesis_json_object["app_state"]["auth"]["accounts"] = genesis_json_object["app_state"]["auth"]["accounts"] + auth_accounts
+genesis_json_object["app_state"]["crosschain"] = crosschain
+genesis_json_object["app_state"]["observer"] = observer
+genesis_json_object["app_state"]["emissions"] = emissions
+genesis_json_object["app_state"]["fungible"] = fungible
+
+evm_accounts = []
+for index, account in enumerate(evm["accounts"]):
+    if account["address"] == "0x0000000000000000000000000000000000000001":
+        print("pop account", account["address"])
+    elif account["address"] == "0x0000000000000000000000000000000000000006":
+        print("pop account", account["address"])
+    elif account["address"] == "0x0000000000000000000000000000000000000002":
+        print("pop account", account["address"])
+    elif account["address"] == "0x0000000000000000000000000000000000000002":
+        print("pop account", account["address"])
+    elif account["address"] == "0x0000000000000000000000000000000000000008":
+        print("pop account", account["address"])
+    else:
+        evm_accounts.append(account)
+evm["accounts"] = evm_accounts
+genesis_json_object["app_state"]["evm"] = evm
+
+print("WRITE GENESIS-EDITED")
+genesis = open("genesis-edited.json", "w")
+genesis_string = json.dumps(genesis_json_object, indent=2)
+dumped_genesis_object = genesis_string.replace("0x0000000000000000000000000000000000000001","0x387A12B28fe02DcAa467c6a1070D19B82F718Bb5")
+genesis.write(genesis_string)
+genesis.close()
@@ -0,0 +1,23 @@
+import json
+import subprocess
+import os
+
+os.environ['NODE'] = "http://127.0.0.1:26657"
+def run_command(self, cmd):
+    COMMAND_PREFIX = "export PATH=" + self.go_path + ":${PATH} && "
+    cmd = COMMAND_PREFIX + cmd
+    result = subprocess.run(cmd, stdout=subprocess.PIPE, shell=True)
+    result_output = result.stdout.decode('utf-8')
+    return result_output
+
+try:
+    QUERY_GOV_PROPOSAL = f"""zetacored query gov proposals --output json --node {os.environ['NODE']}"""
+    GOV_PROPOSALS = json.loads(run_command(QUERY_GOV_PROPOSAL))
+    for proposal in GOV_PROPOSALS["proposals"]:
+        try:
+            PROPOSAL_ID = proposal["id"]
+        except Exception as e:
+            print(1)
+    print(PROPOSAL_ID)
+except Exception as e:
+    print(1)
@@ -0,0 +1,63 @@
+import os
+import requests
+import json
+
+os.environ['NODE'] = "http://127.0.0.1:26657"
+CURRENT_HEIGHT = requests.get(f"{os.environ['NODE']}/status").json()["result"]["sync_info"]["latest_block_height"]
+UPGRADE_HEIGHT = int(CURRENT_HEIGHT) + (
+            int(os.environ['PROPOSAL_TIME_SECONDS']) / int(os.environ['BLOCK_TIME_SECONDS'])) + 20
+github_file = open(os.environ["GITHUB_ENV"], "a+")
+github_file.write(f"UPGRADE_HEIGHT={UPGRADE_HEIGHT}")
+github_file.close()
+
+proposal_json = {
+    "messages": [
+        {
+            "@type": "/cosmos.upgrade.v1beta1.MsgSoftwareUpgrade",
+            "authority": os.environ["GOV_ADDRESS"],
+            "plan": {
+                "name": os.environ['UPGRADE_NAME'],
+                "time": "0001-01-01T00:00:00Z",
+                "height": str(UPGRADE_HEIGHT).split('.')[0],
+                "info": os.environ["UPGRADE_INFO"],
+                "upgraded_client_state": None
+            }
+        }
+    ],
+    "metadata": os.environ["METADATA"],
+    "deposit": os.environ["DEPOSIT"]
+}
+
+proposal_json = json.dumps(proposal_json)
+write_gov_json = open("gov.json", "w")
+write_gov_json.write(proposal_json)
+write_gov_json.close()
+
+# GOV_PROPOSAL = f"""zetacored tx gov submit-proposal gov.json \
+# --from {os.environ['MONIKER']} \
+# --chain-id "{os.environ['CHAINID']}" \
+# --keyring-backend test \
+# --node "{os.environ['NODE']}" \
+# --gas=auto \
+# --gas-adjustment=2 \
+# --gas-prices={os.environ['GAS_PRICES']} \
+# -y
+# """
+
+GOV_PROPOSAL = f"""zetacored tx gov submit-legacy-proposal software-upgrade "{os.environ['UPGRADE_NAME']}" \
+    --from "{os.environ['MONIKER']}" \
+    --deposit {os.environ["DEPOSIT"]} \
+    --upgrade-height "{str(UPGRADE_HEIGHT).split('.')[0]}" \
+    --upgrade-info '{os.environ["UPGRADE_INFO"]}' \
+    --title "{os.environ['VERSION']}" \
+    --description "Zeta Release {os.environ['UPGRADE_NAME']}" \
+    --chain-id "{os.environ['CHAINID']}" \
+    --node "{os.environ['NODE']}" \
+    --keyring-backend test \
+    --gas=auto \
+    --gas-adjustment=2 \
+    --gas-prices={os.environ['GAS_PRICES']} \
+    -y \
+    --no-validate"""
+
+print(GOV_PROPOSAL)
@@ -4,3 +4,6 @@ breaking:proto:
 breaking:cli:
   - "x/*/client/cli/*.go"
   - "cmd/**/*.go"
+
+ci:
+  - ".github/**"
@@ -245,7 +245,6 @@ jobs:
         shell: alpine.sh --root {0}
         run: |
           git config --global --add safe.directory '*'
-          go mod tidy
           make install-testnet
           cp "$HOME"/go/bin/* ./
 

@@ -33,10 +33,33 @@ jobs:
       #   uses:  ./.github/actions/install-dependencies
 
       - name: Run Gosec Security Scanner
-        run: |
-          export PATH=$PATH:$(go env GOPATH)/bin
-          go install github.com/securego/gosec/v2/cmd/gosec@latest
-          gosec ./...
+        uses: securego/gosec@master
+        with:
+          args: ./...
+
+  gosec-cosmos:
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.20'
+
+      # - name: Install Pipeline Dependencies
+      #   uses:  ./.github/actions/install-dependencies
+
+      - name: Run Cosmos Gosec Security Scanner
+        uses: cosmos/gosec@master
+        with:
+          args: './... -include=G701,G703,G704' # Disabled G702 as it doesn't seem to be relevant 2023-09-14
+
 
   git-guardian:
     runs-on: ubuntu-latest
@@ -68,18 +91,18 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Install Pipeline Dependencies
-        uses:  ./.github/actions/install-dependencies
+      # - name: Install Pipeline Dependencies
+      #   uses:  ./.github/actions/install-dependencies
 
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.19'
+          go-version: '1.20'
 
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.50
+          version: v1.54
           skip-cache: true
           args: --timeout=15m
 
@@ -137,8 +160,11 @@ jobs:
 
             Be very careful about using `#nosec` in code. It can be a quick way to suppress security warnings and move forward with development, it should be employed with caution. Suppressing warnings with #nosec can hide potentially serious vulnerabilities. Only use #nosec when you're absolutely certain that the security issue is either a false positive or has been mitigated in another way.
 
+            Only suppress a single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the #nosec annotation, e.g: /* #nosec G401 */ or //#nosec G201 G202 G203
+            Broad `#nosec` annotations should be avoided, as they can hide other vulnerabilities. **The CI will block you from merging this PR until you remove `#nosec` annotations that do not target specific rules**.
+
             Pay extra attention to the way `#nosec` is being used in the files listed above. 
-      
+
       - name: Add Label
         uses: actions/github-script@v6
         if: env.nosec_detected == 1
@@ -150,3 +176,11 @@ jobs:
               repo: context.repo.repo,
               labels: ["nosec"]
             })
+
+      - name: Check for '#nosec' without a specific rule
+        run: |
+          DIFF=$(git diff ${{ github.event.pull_request.base.sha }})
+          echo "$DIFF" | grep -P '#nosec(?!(\sG\d{3}))(?![^\s\t])([\s\t]*|$)' && echo "nosec without specified rule found!" && exit 1 || exit 0
+
+
+