diff --git a/.github/actions/delete-deployments/action.yml b/.github/actions/delete-deployments/action.yml
index c79b798ebfb..9b966b7901e 100644
--- a/.github/actions/delete-deployments/action.yml
+++ b/.github/actions/delete-deployments/action.yml
@@ -3,7 +3,7 @@ description: Delete deployments by env and ref
 inputs:
 environment:
 required: true
- description: The Github environment to filter deployments by
+ description: The GitHub environment to filter deployments by
 ref:
 required: true
 description: The ref to filter deployments by
@@ -11,12 +11,12 @@ inputs:
 required: false
 description: Whether to actually delete deployments or not
 github-token:
- description: "The Github token to use for authentication"
+ description: "The GitHub token to use for authentication"
 required: true
 default: ${{ github.token }}
 num-of-pages:
 required: false
- description: The number of pages (of 100 per page) to fetch deployments from, set to 'all' to fetch all deployments
+ description: The number of pages (100 per page) to fetch deployments from, set to 'all' to fetch all deployments
 default: "all"
 starting-page:
 required: false
@@ -25,35 +25,69 @@ inputs:
 required: false
 description: The owner and repository name to delete deployments from, defaults to the current repository, ex. 'smartcontractkit/chainlink'
 default: ${{ github.repository }}
+ owner:
+ required: false
+ description: Repository owner (derived automatically)
+ default: ${{ github.repository_owner }}
 runs:
 using: composite
 steps:
- - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
- with:
- version: ^10.0.0
-
- - uses: actions/setup-node@v4
+ - name: Setup Node
+ uses: actions/setup-node@v4
 with:
 node-version: "20"
 cache: "pnpm"
- cache-dependency-path: "./.github/actions/delete-deployments/pnpm-lock.yaml"
+ cache-dependency-path: ".github/actions/delete-deployments/pnpm-lock.yaml"
+
+ - name: Enable pnpm via Corepack
+ shell: bash
+ run: |
+ corepack enable
+ corepack prepare pnpm@10 --activate
+ pnpm --version
+
+ - name: Validate inputs
+ shell: bash
+ run: |
+ error() { echo "::error::$1"; exit 1; }
+ [ -z "${{ inputs.environment }}" ] && error "environment input is required"
+ [ -z "${{ inputs.ref }}" ] && error "ref input is required"
+ if [ "${{ inputs.num-of-pages }}" != "all" ]; then
+ echo "${{ inputs.num-of-pages }}" | grep -Eq '^[0-9]+$' || error "num-of-pages must be a number or 'all'"
+ if [ -n "${{ inputs.starting-page }}" ]; then
+ echo "${{ inputs.starting-page }}" | grep -Eq '^[0-9]+$' || error "starting-page must be numeric"
+ if [ ${{ inputs.starting-page }} -gt ${{ inputs.num-of-pages }} ]; then
+ error "starting-page cannot exceed num-of-pages"
+ fi
+ fi
+ fi
+ # Normalize environment name and export for later steps
+ ENV_LC=$(echo "${{ inputs.environment }}" | tr '[:upper:]' '[:lower:]')
+ echo "ENVIRONMENT_NORMALIZED=$ENV_LC" >> "$GITHUB_ENV"
+ echo "Validated inputs for environment=$ENV_LC ref='${{ inputs.ref }}'"
 - name: Install dependencies
 shell: bash
- run: pnpm i --prod
 working-directory: "./.github/actions/delete-deployments"
+ run: |
+ if [ -f pnpm-lock.yaml ]; then
+
pnpm install --frozen-lockfile --prod
+ else
+ pnpm install --prod
+ fi
 - name: Run deployment deleter
 shell: bash
- run: pnpm start
+ working-directory: "./.github/actions/delete-deployments"
 env:
 NUM_OF_PAGES: ${{ inputs.num-of-pages }}
 STARTING_PAGE: ${{ inputs.starting-page }}
 GITHUB_TOKEN: ${{ inputs.github-token }}
 ENVIRONMENT: ${{ inputs.environment }}
+ ENVIRONMENT_NORMALIZED: ${{ env.ENVIRONMENT_NORMALIZED }}
 REF: ${{ inputs.ref }}
 DRY_RUN: ${{ inputs.dry-run }}
 OWNER: ${{ inputs.owner }}
 REPOSITORY: ${{ inputs.repository }}
- working-directory: "./.github/actions/delete-deployments"
+ run: pnpm start
diff --git a/.github/workflows/SYNC_DEVELOP_SETUP.md b/.github/workflows/SYNC_DEVELOP_SETUP.md
new file mode 100644
index 00000000000..ee919f856aa
--- /dev/null
+++ b/.github/workflows/SYNC_DEVELOP_SETUP.md
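Review bot: The new `Validate inputs` step interpolates `${{ inputs.environment }}`, `${{ inputs.ref }}`, `${{ inputs.num-of-pages }}` and `${{ inputs.starting-page }}` straight into the `run:` script, so a caller-supplied value containing shell metacharacters is executed by the step rather than rejected by it; the inputs should be mapped into an `env:` block and referenced as quoted shell variables, as in the rewrite below. The `Setup Node` step keeps `cache: "pnpm"` but now runs before the `Enable pnpm via Corepack` step, and setup-node's cache handling shells out to pnpm to locate the store, so that step will fail until the Corepack step is moved above it. Replacing the SHA-pinned `pnpm/action-setup` with `corepack prepare pnpm@10 --activate` also swaps an exact pin for a floating major resolved from the registry at run time; pin an exact version (`pnpm@<exact-version>`) or a `packageManager` field in the action's package.json, if it has one.
```yaml
      - name: Validate inputs
        shell: bash
        env:
          IN_ENVIRONMENT: ${{ inputs.environment }}
          IN_REF: ${{ inputs.ref }}
          IN_NUM_OF_PAGES: ${{ inputs.num-of-pages }}
          IN_STARTING_PAGE: ${{ inputs.starting-page }}
        run: |
          error() { echo "::error::$1"; exit 1; }
          [ -z "$IN_ENVIRONMENT" ] && error "environment input is required"
          [ -z "$IN_REF" ] && error "ref input is required"
          if [ "$IN_NUM_OF_PAGES" != "all" ]; then
            echo "$IN_NUM_OF_PAGES" | grep -Eq '^[0-9]+$' || error "num-of-pages must be a number or 'all'"
            if [ -n "$IN_STARTING_PAGE" ]; then
              echo "$IN_STARTING_PAGE" | grep -Eq '^[0-9]+$' || error "starting-page must be numeric"
              if [ "$IN_STARTING_PAGE" -gt "$IN_NUM_OF_PAGES" ]; then
                error "starting-page cannot exceed num-of-pages"
              fi
            fi
          fi
          ENV_LC=$(echo "$IN_ENVIRONMENT" | tr '[:upper:]' '[:lower:]')
          # … unchanged: $GITHUB_ENV export …
          echo "Validated inputs for environment=$ENV_LC ref='$IN_REF'"
```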
@@ -0,0 +1,65 @@
+# Sync Develop Workflow Setup
+
+This document provides instructions for setting up the "Sync develop from smartcontractkit/chainlink" workflow.
+
+## Overview
+
+The `sync-develop-from-smartcontractkit-chainlink.yml` workflow automatically syncs the `develop` branch from the upstream repository (`smartcontractkit/chainlink`) to your fork every 30 minutes.
+
+## Required Setup
+
+To enable this workflow, you need to create a Personal Access Token (PAT) and add it as a repository secret.
+
+### Step 1: Create a Personal Access Token
+
+1. Go to GitHub Settings → Developer settings → Personal access tokens → Tokens (classic)
+ - Direct link: https://github.com/settings/tokens
+2. Click "Generate new token" → "Generate new token (classic)"
+3. Configure the token:
+ - **Note**: `Chainlink Fork Sync Token`
+ - **Expiration**: Choose an appropriate expiration (recommended: 90 days or No expiration for continuous sync)
+ - **Scopes**: Select the following permissions:
+ - ✅ `repo` (Full control of private repositories) - Required to push to your repository
+4. Click "Generate token"
+5. **Important**: Copy the token immediately - you won't be able to see it again!
+
+### Step 2: Add the Token as a Repository Secret
+
+1. Go to your forked repository on GitHub
+2. Navigate to Settings → Secrets and variables → Actions
+3. Click "New repository secret"
+4. Configure the secret:
+ - **Name**: `PAT_TOKEN` (must be exactly this name)
+ - **Value**: Paste the Personal Access Token you created in Step 1
+5. Click "Add secret"
+
+### Step 3: Verify the Setup
+
+After adding the secret, the workflow will automatically use it on the next scheduled run (every 30 minutes).
+
+To manually trigger a test:
+1. Go to Actions tab in your repository
+2. Select "Sync develop from smartcontractkit/chainlink" workflow
+3. If the workflow file includes a `workflow_dispatch` trigger, you can click "Run workflow" to trigger it manually.
(By default, this workflow only runs on a schedule.)
+
+Alternatively, wait for the next scheduled run and check the workflow logs to ensure it completes successfully.
+
+## Troubleshooting
+
+### Authentication Failed Error
+- Verify the `PAT_TOKEN` secret exists and is spelled correctly
+- Ensure the token has the `repo` scope enabled
+- Check if the token has expired and create a new one if needed
+
+### Push Permission Denied
+- The PAT must have write access to your fork
+- Verify you're using a token associated with an account that has push permissions to the repository
+
+### Workflow Not Running
+- This workflow only runs on forks (not on `smartcontractkit/chainlink`)
+- Check the Actions tab to see if the workflow is enabled
+- Verify the workflow file is present in the `.github/workflows` directory
+
+## Security Note
+
+Never commit your Personal Access Token directly in code or configuration files. Always use GitHub Secrets to store sensitive credentials.
diff --git a/.github/workflows/delete-deployments.yml b/.github/workflows/delete-deployments.yml
index 0c4b60cf500..6043040155a 100644
--- a/.github/workflows/delete-deployments.yml
+++ b/.github/workflows/delete-deployments.yml
@@ -2,24 +2,30 @@ name: Cleanup integration deployments
 on:
 workflow_dispatch:
 schedule:
- # every 10 mins
- - cron: "*/10 * * * *"
+ # hourly cleanup to reduce API usage vs every 10 mins
+ - cron: "0 * * * *"
 jobs:
 cleanup:
 name: Clean up integration environment deployments
 runs-on: ubuntu-latest
+ permissions:
+ deployments: write
+ contents: read
+ concurrency:
+ group: cleanup-deployments
+ cancel-in-progress: false
 steps:
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
 persist-credentials: false
- - name: Clean up integration environment
+ - name: Clean up integration environment deployments
 uses: ./.github/actions/delete-deployments
 with:
 environment: integration
- # Delete 300 deployments at a time
+ ref: ${{ github.ref_name }}
 num-of-pages: 3
- # We start with page 2 because usually the first 200 deployments are still active, so we cannot delete them
 starting-page: 2
+ dry-run: false
diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
new file mode 100644
index 00000000000..35c829b139b
--- /dev/null
+++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
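Review bot: `ref: ${{ github.ref_name }}` feeds the action's required `ref` filter with the branch the scheduled run executes on (the default branch), so only deployments recorded against that branch are candidates for deletion; if integration deployments are created from many refs, as seems likely, the cleanup now silently skips most of them, so confirm the intended ref before merging (the action's new `Validate inputs` step aborts when `ref` is empty, which is presumably why it was added). The two comments explaining why `num-of-pages: 3` and `starting-page: 2` were chosen are removed without replacement; keep the rationale, e.g. `# Start at page 2: the newest ~200 deployments are usually still active and cannot be deleted` above `starting-page: 2`. The added `permissions:` block scoped to `deployments: write` / `contents: read` and the `concurrency` group are the right direction.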
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ outputs:
+ digests: ${{ steps.hash.outputs.digests }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ # ========================================================
+ #
+ # Step 1: Build your artifacts.
+ #
+ # ========================================================
+ - name: Build artifacts
+ run: |
+ # These are some amazing artifacts.
+ echo "artifact1" > artifact1
+ echo "artifact2" > artifact2
+
+ # ========================================================
+ #
+ # Step 2: Add a step to generate the provenance subjects
+ # as shown below. Update the sha256 sum arguments
+ # to include all binaries that you generate
+ # provenance for.
+ #
+ # ========================================================
+ - name: Generate subject for provenance
+ id: hash
+ run: |
+ set -euo pipefail
+
+ # List the artifacts the provenance will refer to.
+ files=$(ls artifact*)
+ # Generate the subjects (base64 encoded).
+ echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+ with:
+ base64-subjects: "${{ needs.build.outputs.digests }}"
+ upload-assets: true # Optional: Upload to a new release
diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml
new file mode 100644
index 00000000000..79ea193f754
--- /dev/null
+++ b/.github/workflows/go-ossf-slsa3-publish.yml
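Review bot: The `build` job output `digests: ${{ steps.hash.outputs.digests }}` reads an output the `hash` step never sets — the step writes `hashes=...` to `$GITHUB_OUTPUT` — so `base64-subjects` in the `provenance` job is empty and the generated provenance attests nothing; change the job output to `digests: ${{ steps.hash.outputs.hashes }}`. The `Build artifacts` step is still the template placeholder (`echo "artifact1" > artifact1`), so on `release: created` this workflow would sign and, with `upload-assets: true` and `contents: write`, attach dummy files to the release instead of the project's real binaries; replace it with the real build or leave the release trigger off until then. `actions/checkout@v4` is a floating tag in a supply-chain workflow; pinning it to a commit SHA keeps the build inputs reproducible.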
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you compile your Go project using a SLSA3 compliant builder.
+# This workflow will generate a so-called "provenance" file describing the steps
+# that were performed to generate the final binary.
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA Go releaser
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions: read-all
+
+jobs:
+ # ========================================================================================================================================
+ # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
+ # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
+ #=========================================================================================================================================
+ build:
+ permissions:
+ id-token: write # To sign.
+ contents: write # To upload release assets.
+ actions: read # To read workflow path.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0
+ with:
+ go-version: 1.17
+ # =============================================================================================================
+ # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects
+ # =============================================================================================================
+
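Review bot: `go-version: 1.17` is an unquoted float and disagrees with the `go-version: '1.20'` in the `go.yml` added in this same change; quote it and align the two (`go-version: '1.20'`), since an unquoted version such as 1.10 would otherwise be read as 1.1. The builder also requires a `.slsa-goreleaser.yml` at the repository root, as the comment in the hunk says, and this change does not add one, so the `build` job will presumably fail until it exists; confirm it is present. The comment's `Prerequesite` should read `Prerequisite`.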
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
new file mode 100644
index 00000000000..adf7b4a4025
--- /dev/null
+++ b/.github/workflows/go.yml
@@ -0,0 +1,28 @@
+# This workflow will build a golang project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
+
+name: Go
+
+on:
+ push:
+ branches: [ "develop" ]
+ pull_request:
+ branches: [ "develop" ]
+
+jobs:
+
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v4
+ with:
+ go-version: '1.20'
+
+ - name: Build
+ run: go build -v ./...
+
+ - name: Test
+ run: go test -v ./...
diff --git a/.github/workflows/npm-publish-github-packages.yml b/.github/workflows/npm-publish-github-packages.yml
new file mode 100644
index 00000000000..57214527b1f
--- /dev/null
+++ b/.github/workflows/npm-publish-github-packages.yml
@@ -0,0 +1,35 @@
+# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
+# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
+
+name: Node.js Package
+
+on:
+ release:
+ types: [created]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ - run: npm ci
+
+ publish-gpr:
+ needs: build
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 20
+ registry-url: https://npm.pkg.github.com/
+ - run: npm ci
+ - run: npm publish
+ env:
+ NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml
index 939e67df17f..05c1e5f3b0e 100644
--- a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml
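Review bot: The new `Go` workflow declares no `permissions:` block, so its `push` and `pull_request` runs receive whatever default `GITHUB_TOKEN` permissions the repository is configured with, which may include write scopes a build-and-test job never needs; add a top-level `permissions:` / `  contents: read` after `name: Go`. `go-version: '1.20'` under `actions/setup-go@v4` is also a different Go version from the `1.17` in `go-ossf-slsa3-publish.yml` added alongside it; the two should agree on the toolchain the project actually builds with.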
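Review bot: The header comment of `npm-publish-github-packages.yml` says the workflow "will run tests using node and then publish", but the `build` job only runs `npm ci` and never `npm test`, so `publish-gpr` publishes on every `release: created` regardless of test results; either add `- run: npm test` after `- run: npm ci` in `build` or correct the comment. The `build` job also has no `permissions:` block while `publish-gpr` does; give it `permissions:` / `  contents: read` so the job token is read-only, matching the least-privilege pattern used by the publish job.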
+++ b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml
@@ -10,9 +10,14 @@ jobs:
 name: Sync
 runs-on: ubuntu-latest
 steps:
+ - name: Validate Branch
+ run: |
+ git ls-remote "https://github.com/${{ github.repository }}.git" develop | grep -q "refs/heads/develop$" || (echo "develop branch is missing in origin (${{ github.repository }})" && exit 1)
+ git ls-remote "https://github.com/smartcontractkit/chainlink.git" develop | grep -q "refs/heads/develop$" || (echo "develop branch is missing in upstream (smartcontractkit/chainlink)" && exit 1)
+ if: github.repository != 'smartcontractkit/chainlink'
 - uses: actions/checkout@v4
 with:
- persist-credentials: false
+ token: ${{ secrets.GITHUB_TOKEN }}
 ref: develop
 if: env.GITHUB_REPOSITORY != 'smartcontractkit/chainlink'
 - name: Sync
@@ -25,6 +30,6 @@ jobs:
 else
 echo "upstream has develop at $COMMIT_HASH_UPSTREAM. origin has develop at $COMMIT_HASH_ORIGIN. Syncing..."
 git fetch upstream
- git push origin upstream/develop:develop
+ git push origin upstream/develop:develop --force
 fi
- if: env.GITHUB_REPOSITORY != 'smartcontractkit/chainlink'
+ if: env.GITHUB_REPOSITORY != 'smartcontractkit/chainlink'
\ No newline at end of file
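Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` replaces `persist-credentials: false`, so the checkout now stores the job token in the working copy's git config for the later `git push`, yet `SYNC_DEVELOP_SETUP.md` in this same change tells users to create a `PAT_TOKEN` secret that the workflow never references; either this line should be `token: ${{ secrets.PAT_TOKEN }}` or the document is wrong, and the two must agree, because a classic PAT with `repo` scope is far more privileged than the job token and should only be requested if it is actually used. The new `Validate Branch` step guards with `if: github.repository != ...` while the existing steps use `if: env.GITHUB_REPOSITORY != ...`; pick one form. The `jobs:` block and the `sync` job's header begin before this hunk.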
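Review bot: `git push origin upstream/develop:develop --force` overwrites the fork's `develop` unconditionally, so any commit pushed to it between the hash comparison earlier in the script and this push is discarded; since `$COMMIT_HASH_ORIGIN` is already in hand, `git push origin upstream/develop:develop --force-with-lease=develop:$COMMIT_HASH_ORIGIN` forces only while origin still points at the hash the script observed. The final `if:` line also loses its trailing newline (`\ No newline at end of file`); restore it. The start of the `Sync` step's script, where `COMMIT_HASH_ORIGIN` is computed, is outside this hunk.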