From d72a475371c7a3f951aee875ed9c0c173b75779d Mon Sep 17 00:00:00 2001 From: anupsv Date: Sun, 27 Jul 2025 21:02:44 -0700 Subject: [PATCH 1/5] fixing workflows --- .github/workflows/commitlint.yml | 6 +++++- .github/workflows/forge-test-intense.yml | 8 ++++++-- .github/workflows/foundry.yml | 16 +++++++++++----- .github/workflows/storage-report.yml | 17 +++++++++++++---- 4 files changed, 35 insertions(+), 12 deletions(-) diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml index 014d39ff6..dd19b80c2 100644 --- a/.github/workflows/commitlint.yml +++ b/.github/workflows/commitlint.yml @@ -8,11 +8,15 @@ on: dev testnet-goerli +permissions: + contents: read + jobs: commitlint: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Install node dependencies diff --git a/.github/workflows/forge-test-intense.yml b/.github/workflows/forge-test-intense.yml index 5f17cf635..7a7b6bd11 100644 --- a/.github/workflows/forge-test-intense.yml +++ b/.github/workflows/forge-test-intense.yml @@ -8,6 +8,9 @@ on: - testnet-holesky - dev +permissions: + contents: read + env: FOUNDRY_PROFILE: intense @@ -19,15 +22,16 @@ jobs: forge-test-intense: name: Test (Intense) runs-on: ubuntu-latest + timeout-minutes: 480 # 8 hours for intense testing steps: # Check out repository with all submodules for complete codebase access. - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive # Install the Foundry toolchain. - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 with: version: stable diff --git a/.github/workflows/foundry.yml b/.github/workflows/foundry.yml index 0ea358155..f4cdc271a 100644 --- a/.github/workflows/foundry.yml 
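Review bot: The pinned `actions/checkout` step in the `commitlint` job keeps the default credential persistence, so the job token stays in the local git config while the next step installs npm packages and runs their lifecycle scripts. With `contents: read` now set at workflow level that token is read-only, which limits the exposure. If no later step needs authenticated git access (the rest of the job is outside this hunk), adding `persist-credentials: false` under `with:` next to `fetch-depth: 0` removes the token from the workspace.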
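Review bot: The `Install Foundry` step in `forge-test-intense` is now pinned to a commit of `foundry-rs/foundry-toolchain`, but `version: stable` beneath it still resolves to whatever Foundry release is current at run time, so the binaries that compile and test the contracts remain a moving target. Consider a fixed release tag, e.g. `version: <PINNED_FOUNDRY_RELEASE_TAG>`, bumped deliberately alongside the action SHA. The same applies to the `test` and `run-coverage` jobs in foundry.yml and to `version: nightly` in storage-report.yml, where the drift between runs is larger. If the floating channel is intentional, a comment such as `# toolchain channel floats on purpose; only the action is SHA-pinned` would tell later editors what the pin does and does not cover.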
+++ b/.github/workflows/foundry.yml @@ -9,6 +9,10 @@ on: - dev pull_request: +permissions: + contents: read + actions: read # Required for artifact upload + env: FOUNDRY_PROFILE: ci RPC_MAINNET: ${{ secrets.RPC_MAINNET }} @@ -23,15 +27,16 @@ jobs: test: name: Test runs-on: ubuntu-latest + timeout-minutes: 30 steps: # Check out repository with all submodules for complete codebase access. - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive # Install the Foundry toolchain. - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 with: version: stable @@ -63,15 +68,16 @@ jobs: run-coverage: name: Coverage runs-on: ubuntu-latest + timeout-minutes: 45 steps: # Check out repository with all submodules for complete codebase access. - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive # Install the Foundry toolchain. - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 with: version: stable @@ -96,7 +102,7 @@ jobs: # Upload coverage report as artifact before potential failure - name: Upload Coverage Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: code-coverage-report path: report/* diff --git a/.github/workflows/storage-report.yml b/.github/workflows/storage-report.yml index ddd22a2e8..81ac70d29 100644 --- a/.github/workflows/storage-report.yml +++ b/.github/workflows/storage-report.yml 
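Review bot: The comment on `actions: read # Required for artifact upload` in the new `permissions:` block looks inaccurate: as far as I know, `actions/upload-artifact` authenticates with the runner's own runtime token and does not depend on the `actions` scope of `GITHUB_TOKEN`. If nothing else in the workflow reads workflow runs or artifacts through the API (the remaining steps are outside this hunk), the block can be reduced to `contents: read`, matching the other three workflows in this patch. If the scope is kept, the comment should name the step that actually needs it.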
@@ -10,17 +10,21 @@ on: - dev pull_request: +permissions: + contents: read + jobs: check_storage: name: CI runs-on: "ubuntu-latest" + timeout-minutes: 20 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 with: version: nightly @@ -32,8 +36,13 @@ jobs: env: TARGET: ${{ github.event.pull_request.base.sha }} run: | - git fetch origin $TARGET - git checkout $TARGET + # Validate TARGET is a valid SHA (basic validation) + if ! echo "$TARGET" | grep -qE '^[a-f0-9]{40}$'; then + echo "::error::Invalid SHA format: $TARGET" + exit 1 + fi + git fetch origin "$TARGET" + git checkout "$TARGET" - name: "Generate and prepare the storage reports for target branch" run: | From d0e0196bead045fe8c53811ae83ad66e28110607 Mon Sep 17 00:00:00 2001 From: anupsv Date: Sun, 27 Jul 2025 21:16:04 -0700 Subject: [PATCH 2/5] fixing node --- .github/workflows/commitlint.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml index dd19b80c2..108d02e53 100644 --- a/.github/workflows/commitlint.yml +++ b/.github/workflows/commitlint.yml @@ -19,10 +19,9 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - - name: Install node dependencies - run: | - npm install conventional-changelog-conventionalcommits - npm install commitlint@18.2.0 + + - name: Install dependencies + run: npm install - name: Validate current commit (last commit) with commitlint if: github.event_name == 'push' From 352c3cc58e295ea01a784da5ca88b73646a45ac8 Mon Sep 17 00:00:00 2001 From: anupsv Date: Sun, 27 Jul 2025 21:16:46 -0700 Subject: [PATCH 3/5] npm audit fix --- package-lock.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
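Review bot: The new format check on `TARGET` in storage-report.yml fails the step whenever `github.event.pull_request.base.sha` is empty, which is the case for any run not triggered by a pull request; the `on:` context in the first hunk appears to list a branch trigger for `dev` as well. Before this change an empty value let `git fetch origin` and `git checkout` pass through, so unless the step already carries `if: github.event_name == 'pull_request'` (its header is outside the hunk), those runs will now fail. The empty-string check added in 4/5 makes that failure explicit but does not avoid it. Either add that `if:` guard to the step or exit 0 with a notice when `TARGET` is empty.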
diff --git a/package-lock.json b/package-lock.json index db549482d..56a1d9323 100644 --- a/package-lock.json +++ b/package-lock.json @@ -676,10 +676,11 @@ } }, "node_modules/cross-spawn": { - "version": "7.0.3", - "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", - "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==", + "version": "7.0.6", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", + "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", "dev": true, + "license": "MIT", "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0", From 75dbc53bdc9018d21027152f42680e2a0ffc58d8 Mon Sep 17 00:00:00 2001 From: anupsv Date: Sun, 27 Jul 2025 21:20:33 -0700 Subject: [PATCH 4/5] fix: workflow files --- .github/workflows/commitlint.yml | 2 +- .github/workflows/forge-test-intense.yml | 2 +- .github/workflows/foundry.yml | 1 + .github/workflows/storage-report.yml | 11 ++++++++++- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml index 108d02e53..e6ac41dca 100644 --- a/.github/workflows/commitlint.yml +++ b/.github/workflows/commitlint.yml @@ -21,7 +21,7 @@ jobs: fetch-depth: 0 - name: Install dependencies - run: npm install + run: npm ci - name: Validate current commit (last commit) with commitlint if: github.event_name == 'push' diff --git a/.github/workflows/forge-test-intense.yml b/.github/workflows/forge-test-intense.yml index 7a7b6bd11..b370bbfd3 100644 --- a/.github/workflows/forge-test-intense.yml +++ b/.github/workflows/forge-test-intense.yml 
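Review bot: `run: npm ci` in the `Install dependencies` step of commitlint.yml still executes the install and postinstall scripts of every package in the lockfile. If none of the commitlint dependencies need a build step, `run: npm ci --ignore-scripts` keeps the lockfile-exact install while removing that execution path from CI. This should be checked against package.json, which is not part of this patch, and the rest of the job is outside the hunk.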
@@ -22,7 +22,7 @@ jobs: forge-test-intense: name: Test (Intense) runs-on: ubuntu-latest - timeout-minutes: 480 # 8 hours for intense testing + timeout-minutes: 240 # 4 hours for intense testing steps: # Check out repository with all submodules for complete codebase access. - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/foundry.yml b/.github/workflows/foundry.yml index f4cdc271a..f732be9a2 100644 --- a/.github/workflows/foundry.yml +++ b/.github/workflows/foundry.yml @@ -106,6 +106,7 @@ jobs: with: name: code-coverage-report path: report/* + retention-days: 30 # Check coverage threshold after uploading report - name: Check Coverage Threshold for >=90% diff --git a/.github/workflows/storage-report.yml b/.github/workflows/storage-report.yml index 81ac70d29..d65106e57 100644 --- a/.github/workflows/storage-report.yml +++ b/.github/workflows/storage-report.yml @@ -36,11 +36,20 @@ jobs: env: TARGET: ${{ github.event.pull_request.base.sha }} run: | - # Validate TARGET is a valid SHA (basic validation) + # Validate TARGET is a valid SHA (enhanced validation) + if [ -z "$TARGET" ]; then + echo "::error::TARGET SHA is empty" + exit 1 + fi if ! echo "$TARGET" | grep -qE '^[a-f0-9]{40}$'; then echo "::error::Invalid SHA format: $TARGET" exit 1 fi + # Verify the SHA exists in the repository + if ! git cat-file -e "$TARGET" 2>/dev/null; then + echo "::error::SHA does not exist in repository: $TARGET" + exit 1 + fi git fetch origin "$TARGET" git checkout "$TARGET" From f93ee46139e64a3e629a5132f176b8f5f9c11f3c Mon Sep 17 00:00:00 2001 From: anupsv Date: Sun, 27 Jul 2025 21:25:02 -0700 Subject: [PATCH 5/5] fix: storage-report workflow --- .github/workflows/storage-report.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/storage-report.yml b/.github/workflows/storage-report.yml index d65106e57..e8d423e08 100644 --- a/.github/workflows/storage-report.yml 
+++ b/.github/workflows/storage-report.yml @@ -45,11 +45,6 @@ jobs: echo "::error::Invalid SHA format: $TARGET" exit 1 fi - # Verify the SHA exists in the repository - if ! git cat-file -e "$TARGET" 2>/dev/null; then - echo "::error::SHA does not exist in repository: $TARGET" - exit 1 - fi git fetch origin "$TARGET" git checkout "$TARGET" @@ -64,4 +59,4 @@ jobs: else echo "::error::Differences found between PR and target branch storage layouts" exit 1 - fi \ No newline at end of file + fi