From e02a2ce0325d3d12fe9da98d84e037fcdb0b9178 Mon Sep 17 00:00:00 2001 From: JohnDaWalka Date: Tue, 28 Oct 2025 15:30:36 -0400 Subject: [PATCH 01/19] Add SLSA generic generator workflow This workflow generates SLSA provenance files for the project, satisfying level 3 requirements. --- .../generator-generic-ossf-slsa3-publish.yml | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/generator-generic-ossf-slsa3-publish.yml diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml new file mode 100644 index 00000000000..35c829b139b --- /dev/null +++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml @@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you generate SLSA provenance file for your project. +# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA generic generator +on: + workflow_dispatch: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + outputs: + digests: ${{ steps.hash.outputs.digests }} + + steps: + - uses: actions/checkout@v4 + + # ======================================================== + # + # Step 1: Build your artifacts. + # + # ======================================================== + - name: Build artifacts + run: | + # These are some amazing artifacts. + echo "artifact1" > artifact1 + echo "artifact2" > artifact2 + + # ======================================================== + # + # Step 2: Add a step to generate the provenance subjects + # as shown below. Update the sha256 sum arguments + # to include all binaries that you generate + # provenance for. + # + # ======================================================== + - name: Generate subject for provenance + id: hash + run: | + set -euo pipefail + + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + needs: [build] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" + upload-assets: true # Optional: Upload to a new release From d0951db477ed0c5862c18945123699c088dfa41a Mon Sep 17 00:00:00 2001 From: JohnDaWalka Date: Tue, 28 Oct 2025 15:30:48 -0400 Subject: [PATCH 02/19] Add GitHub Actions workflow for Go project This workflow automates the build and test process for a Go project on push and pull request events to the develop branch. --- .github/workflows/go.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/go.yml diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml new file mode 100644 index 00000000000..adf7b4a4025 --- /dev/null +++ b/.github/workflows/go.yml @@ -0,0 +1,28 @@ +# This workflow will build a golang project +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go + +name: Go + +on: + push: + branches: [ "develop" ] + pull_request: + branches: [ "develop" ] + +jobs: + + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: '1.20' + + - name: Build + run: go build -v ./... + + - name: Test + run: go test -v ./... From 3bede9a8972166f7887949d584b3ac4143979d04 Mon Sep 17 00:00:00 2001 From: JohnDaWalka Date: Tue, 28 Oct 2025 15:31:01 -0400 Subject: [PATCH 03/19] Add SLSA Go releaser workflow This workflow compiles a Go project using a SLSA3 compliant builder and generates a provenance file. --- .github/workflows/go-ossf-slsa3-publish.yml | 38 +++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/go-ossf-slsa3-publish.yml diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml new file mode 100644 index 00000000000..79ea193f754 --- /dev/null +++ b/.github/workflows/go-ossf-slsa3-publish.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you compile your Go project using a SLSA3 compliant builder. +# This workflow will generate a so-called "provenance" file describing the steps +# that were performed to generate the final binary. +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA Go releaser +on: + workflow_dispatch: + release: + types: [created] + +permissions: read-all + +jobs: + # ======================================================================================================================================== + # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. + # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file + #========================================================================================================================================= + build: + permissions: + id-token: write # To sign. + contents: write # To upload release assets. + actions: read # To read workflow path. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0 + with: + go-version: 1.17 + # ============================================================================================================= + # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects + # ============================================================================================================= + From 5f99acba16c66645ffc4a29f0d66a5afb176b7f0 Mon Sep 17 00:00:00 2001 From: JohnDaWalka Date: Tue, 28 Oct 2025 15:32:17 -0400 Subject: [PATCH 04/19] Add workflow for publishing Node.js package This workflow runs tests and publishes a Node.js package to GitHub Packages upon release creation. --- .../workflows/npm-publish-github-packages.yml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/npm-publish-github-packages.yml diff --git a/.github/workflows/npm-publish-github-packages.yml b/.github/workflows/npm-publish-github-packages.yml new file mode 100644 index 00000000000..ea2d329fa02 --- /dev/null +++ b/.github/workflows/npm-publish-github-packages.yml @@ -0,0 +1,36 @@ +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + - run: npm ci + - run: npm test + + publish-gpr: + needs: build + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + registry-url: https://npm.pkg.github.com/ + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} From 757ad37b9671ca8ad14375a7c869302ef3066599 Mon Sep 17 00:00:00 2001 From: JohnDaWalka Date: Tue, 18 Nov 2025 07:31:53 -0500 Subject: [PATCH 05/19] Update .github/workflows/npm-publish-github-packages.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/npm-publish-github-packages.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/npm-publish-github-packages.yml b/.github/workflows/npm-publish-github-packages.yml index ea2d329fa02..57214527b1f 100644 --- a/.github/workflows/npm-publish-github-packages.yml +++ b/.github/workflows/npm-publish-github-packages.yml @@ -16,7 +16,6 @@ jobs: with: node-version: 20 - run: npm ci - - run: npm test publish-gpr: needs: build From c3b3753c57c87d1153ffcc4fc200892a65d44571 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 19 Nov 2025 07:45:10 +0000 Subject: [PATCH 06/19] Initial plan From c3aa2cceb0c8e33cb7bffaac4f58d866e4ee0faf Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 19 Nov 2025 07:48:13 +0000 Subject: [PATCH 07/19] Update sync-develop workflow to use PAT_TOKEN and add setup documentation Co-authored-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com> --- .github/workflows/SYNC_DEVELOP_SETUP.md | 65 +++++++++++++++++++ ...evelop-from-smartcontractkit-chainlink.yml | 2 +- 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/SYNC_DEVELOP_SETUP.md diff --git a/.github/workflows/SYNC_DEVELOP_SETUP.md b/.github/workflows/SYNC_DEVELOP_SETUP.md new file mode 100644 index 00000000000..c9c98275862 --- /dev/null +++ b/.github/workflows/SYNC_DEVELOP_SETUP.md @@ -0,0 +1,65 @@ +# Sync Develop Workflow Setup + +This document provides instructions for setting up the "Sync develop from smartcontractkit/chainlink" workflow. + +## Overview + +The `sync-develop-from-smartcontractkit-chainlink.yml` workflow automatically syncs the `develop` branch from the upstream repository (`smartcontractkit/chainlink`) to your fork every 30 minutes. + +## Required Setup + +To enable this workflow, you need to create a Personal Access Token (PAT) and add it as a repository secret. + +### Step 1: Create a Personal Access Token + +1. Go to GitHub Settings → Developer settings → Personal access tokens → Tokens (classic) + - Direct link: https://github.com/settings/tokens +2. Click "Generate new token" → "Generate new token (classic)" +3. Configure the token: + - **Note**: `Chainlink Fork Sync Token` + - **Expiration**: Choose an appropriate expiration (recommended: 90 days or No expiration for continuous sync) + - **Scopes**: Select the following permissions: + - ✅ `repo` (Full control of private repositories) - Required to push to your repository +4. Click "Generate token" +5. **Important**: Copy the token immediately - you won't be able to see it again! + +### Step 2: Add the Token as a Repository Secret + +1. Go to your forked repository on GitHub +2. Navigate to Settings → Secrets and variables → Actions +3. Click "New repository secret" +4. Configure the secret: + - **Name**: `PAT_TOKEN` (must be exactly this name) + - **Value**: Paste the Personal Access Token you created in Step 1 +5. Click "Add secret" + +### Step 3: Verify the Setup + +After adding the secret, the workflow will automatically use it on the next scheduled run (every 30 minutes). + +To manually trigger a test: +1. Go to Actions tab in your repository +2. Select "Sync develop from smartcontractkit/chainlink" workflow +3. Click "Run workflow" (if manual trigger is enabled) + +Alternatively, wait for the next scheduled run and check the workflow logs to ensure it completes successfully. + +## Troubleshooting + +### Authentication Failed Error +- Verify the `PAT_TOKEN` secret exists and is spelled correctly +- Ensure the token has the `repo` scope enabled +- Check if the token has expired and create a new one if needed + +### Push Permission Denied +- The PAT must have write access to your fork +- Verify you're using a token associated with an account that has push permissions to the repository + +### Workflow Not Running +- This workflow only runs on forks (not on `smartcontractkit/chainlink`) +- Check the Actions tab to see if the workflow is enabled +- Verify the workflow file is present in the `.github/workflows` directory + +## Security Note + +Never commit your Personal Access Token directly in code or configuration files. Always use GitHub Secrets to store sensitive credentials. diff --git a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml index 939e67df17f..053a4941b51 100644 --- a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml +++ b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml @@ -12,7 +12,7 @@ jobs: steps: - uses: actions/checkout@v4 with: - persist-credentials: false + token: ${{ secrets.PAT_TOKEN }} ref: develop if: env.GITHUB_REPOSITORY != 'smartcontractkit/chainlink' - name: Sync From d082bec6e81c1c251114301c143c5f5b13ac8be8 Mon Sep 17 00:00:00 2001 From: JohnDaWalka Date: Fri, 21 Nov 2025 03:27:50 -0500 Subject: [PATCH 08/19] Update SYNC_DEVELOP_SETUP.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/SYNC_DEVELOP_SETUP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/SYNC_DEVELOP_SETUP.md b/.github/workflows/SYNC_DEVELOP_SETUP.md index c9c98275862..ee919f856aa 100644 --- a/.github/workflows/SYNC_DEVELOP_SETUP.md +++ b/.github/workflows/SYNC_DEVELOP_SETUP.md @@ -40,7 +40,7 @@ After adding the secret, the workflow will automatically use it on the next sche To manually trigger a test: 1. Go to Actions tab in your repository 2. Select "Sync develop from smartcontractkit/chainlink" workflow -3. Click "Run workflow" (if manual trigger is enabled) +3. If the workflow file includes a `workflow_dispatch` trigger, you can click "Run workflow" to trigger it manually. (By default, this workflow only runs on a schedule.) Alternatively, wait for the next scheduled run and check the workflow logs to ensure it completes successfully. From d17d007b9dc7eea277ba861361b8beb825a8f72f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 04:26:53 +0000 Subject: [PATCH 09/19] Initial plan From 2c4147bc6ce94c5e5a68979a3e307cbbec06745b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 04:28:32 +0000 Subject: [PATCH 10/19] Fix sync workflow by using GITHUB_TOKEN instead of PAT_TOKEN Co-authored-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com> --- .../workflows/sync-develop-from-smartcontractkit-chainlink.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml index 053a4941b51..95ab5dbb5d9 100644 --- a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml +++ b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml @@ -12,7 +12,7 @@ jobs: steps: - uses: actions/checkout@v4 with: - token: ${{ secrets.PAT_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} ref: develop if: env.GITHUB_REPOSITORY != 'smartcontractkit/chainlink' - name: Sync From 4363170dd4c56a58239faafc65cc162bc36fabc8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 16:33:07 +0000 Subject: [PATCH 11/19] Initial plan From ddcf377e7ad3ff090e134613474c3199be96b88d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 16:35:43 +0000 Subject: [PATCH 12/19] Replace pnpm/action-setup with corepack in delete-deployments action Co-authored-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com> --- .github/actions/delete-deployments/action.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/actions/delete-deployments/action.yml b/.github/actions/delete-deployments/action.yml index c79b798ebfb..cca033d96e4 100644 --- a/.github/actions/delete-deployments/action.yml +++ b/.github/actions/delete-deployments/action.yml @@ -29,15 +29,16 @@ inputs: runs: using: composite steps: - - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0 - with: - version: ^10.0.0 - - uses: actions/setup-node@v4 with: node-version: "20" - cache: "pnpm" - cache-dependency-path: "./.github/actions/delete-deployments/pnpm-lock.yaml" + + - name: Enable pnpm via Corepack + shell: bash + run: | + corepack enable + corepack prepare pnpm@10 --activate + pnpm --version - name: Install dependencies shell: bash From 1d3fd21700c5d02679afe6527900f44594ddcf29 Mon Sep 17 00:00:00 2001 From: JohnDaWalka Date: Tue, 25 Nov 2025 11:48:54 -0500 Subject: [PATCH 13/19] Update action.yml for delete deployments action --- .github/actions/delete-deployments/action.yml | 26 ++++++++++++++----- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/.github/actions/delete-deployments/action.yml b/.github/actions/delete-deployments/action.yml index cca033d96e4..4e71fe2555b 100644 --- a/.github/actions/delete-deployments/action.yml +++ b/.github/actions/delete-deployments/action.yml @@ -3,7 +3,7 @@ description: Delete deployments by env and ref inputs: environment: required: true - description: The Github environment to filter deployments by + description: The GitHub environment to filter deployments by ref: required: true description: The ref to filter deployments by @@ -11,12 +11,12 @@ inputs: required: false description: Whether to actually delete deployments or not github-token: - description: "The Github token to use for authentication" + description: The GitHub token to use for authentication required: true default: ${{ github.token }} num-of-pages: required: false - description: The number of pages (of 100 per page) to fetch deployments from, set to 'all' to fetch all deployments + description: The number of pages (100 per page) to fetch deployments from, set to 'all' to fetch all deployments default: "all" starting-page: required: false @@ -25,13 +25,20 @@ inputs: required: false description: The owner and repository name to delete deployments from, defaults to the current repository, ex. 'smartcontractkit/chainlink' default: ${{ github.repository }} + owner: + required: false + description: Repository owner (derived automatically) + default: ${{ github.repository_owner }} runs: using: composite steps: - - uses: actions/setup-node@v4 + - name: Setup Node + uses: actions/setup-node@v4 with: node-version: "20" + cache: "pnpm" + cache-dependency-path: ".github/actions/delete-deployments/pnpm-lock.yaml" - name: Enable pnpm via Corepack shell: bash @@ -42,12 +49,17 @@ runs: - name: Install dependencies shell: bash - run: pnpm i --prod working-directory: "./.github/actions/delete-deployments" + run: | + if [ -f pnpm-lock.yaml ]; then + pnpm install --frozen-lockfile --prod + else + pnpm install --prod + fi - name: Run deployment deleter shell: bash - run: pnpm start + working-directory: "./.github/actions/delete-deployments" env: NUM_OF_PAGES: ${{ inputs.num-of-pages }} STARTING_PAGE: ${{ inputs.starting-page }} @@ -57,4 +69,4 @@ runs: DRY_RUN: ${{ inputs.dry-run }} OWNER: ${{ inputs.owner }} REPOSITORY: ${{ inputs.repository }} - working-directory: "./.github/actions/delete-deployments" + run: pnpm start From fafc1fd7c9da0bfb15cea99a73cdf7a8412056bf Mon Sep 17 00:00:00 2001 From: JohnDaWalka Date: Tue, 25 Nov 2025 11:50:57 -0500 Subject: [PATCH 14/19] Update .github/workflows/delete-deployments.yml --- .github/workflows/delete-deployments.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/delete-deployments.yml b/.github/workflows/delete-deployments.yml index 0c4b60cf500..6043040155a 100644 --- a/.github/workflows/delete-deployments.yml +++ b/.github/workflows/delete-deployments.yml @@ -2,24 +2,30 @@ name: Cleanup integration deployments on: workflow_dispatch: schedule: - # every 10 mins - - cron: "*/10 * * * *" + # hourly cleanup to reduce API usage vs every 10 mins + - cron: "0 * * * *" jobs: cleanup: name: Clean up integration environment deployments runs-on: ubuntu-latest + permissions: + deployments: write + contents: read + concurrency: + group: cleanup-deployments + cancel-in-progress: false steps: - name: Checkout repo uses: actions/checkout@v4 with: persist-credentials: false - - name: Clean up integration environment + - name: Clean up integration environment deployments uses: ./.github/actions/delete-deployments with: environment: integration - # Delete 300 deployments at a time + ref: ${{ github.ref_name }} num-of-pages: 3 - # We start with page 2 because usually the first 200 deployments are still active, so we cannot delete them starting-page: 2 + dry-run: false From 3120136828f383efbbaf2f732dea05b7431873e8 Mon Sep 17 00:00:00 2001 From: JohnDaWalka Date: Tue, 25 Nov 2025 11:53:55 -0500 Subject: [PATCH 15/19] Update action.yml for delete deployments action --- .github/actions/delete-deployments/action.yml | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/.github/actions/delete-deployments/action.yml b/.github/actions/delete-deployments/action.yml index 4e71fe2555b..97d541a4af1 100644 --- a/.github/actions/delete-deployments/action.yml +++ b/.github/actions/delete-deployments/action.yml @@ -11,7 +11,7 @@ inputs: required: false description: Whether to actually delete deployments or not github-token: - description: The GitHub token to use for authentication + description: "The GitHub token to use for authentication" required: true default: ${{ github.token }} num-of-pages: @@ -34,7 +34,8 @@ runs: using: composite steps: - name: Setup Node - uses: actions/setup-node@v4 + # Pin setup-node@v4 to commit for supply-chain security; update periodically. + uses: actions/setup-node@0a44ba784f751b8b62ce51b2b32110f316b9a121 with: node-version: "20" cache: "pnpm" @@ -47,6 +48,26 @@ runs: corepack prepare pnpm@10 --activate pnpm --version + - name: Validate inputs + shell: bash + run: | + error() { echo "::error::$1"; exit 1; } + [ -z "${{ inputs.environment }}" ] && error "environment input is required" + [ -z "${{ inputs.ref }}" ] && error "ref input is required" + if [ "${{ inputs.num-of-pages }}" != "all" ]; then + echo "${{ inputs.num-of-pages }}" | grep -Eq '^[0-9]+$' || error "num-of-pages must be a number or 'all'" + if [ -n "${{ inputs.starting-page }}" ]; then + echo "${{ inputs.starting-page }}" | grep -Eq '^[0-9]+$' || error "starting-page must be numeric" + if [ ${{ inputs.starting-page }} -gt ${{ inputs.num-of-pages }} ]; then + error "starting-page cannot exceed num-of-pages" + fi + fi + fi + # Normalize environment name and export for later steps + ENV_LC=$(echo "${{ inputs.environment }}" | tr '[:upper:]' '[:lower:]') + echo "ENVIRONMENT_NORMALIZED=$ENV_LC" >> "$GITHUB_ENV" + echo "Validated inputs for environment=$ENV_LC ref='${{ inputs.ref }}'" + - name: Install dependencies shell: bash working-directory: "./.github/actions/delete-deployments" @@ -65,6 +86,7 @@ runs: STARTING_PAGE: ${{ inputs.starting-page }} GITHUB_TOKEN: ${{ inputs.github-token }} ENVIRONMENT: ${{ inputs.environment }} + ENVIRONMENT_NORMALIZED: ${{ env.ENVIRONMENT_NORMALIZED }} REF: ${{ inputs.ref }} DRY_RUN: ${{ inputs.dry-run }} OWNER: ${{ inputs.owner }} From b6f3f7af042a6a8141a56e5be20efd5f9c203468 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 5 Dec 2025 09:34:34 +0000 Subject: [PATCH 16/19] Update actions/setup-node to v4 instead of invalid commit SHA Co-authored-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com> --- .github/actions/delete-deployments/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/delete-deployments/action.yml b/.github/actions/delete-deployments/action.yml index 97d541a4af1..2b3f6c8b9ec 100644 --- a/.github/actions/delete-deployments/action.yml +++ b/.github/actions/delete-deployments/action.yml @@ -35,7 +35,7 @@ runs: steps: - name: Setup Node # Pin setup-node@v4 to commit for supply-chain security; update periodically. - uses: actions/setup-node@0a44ba784f751b8b62ce51b2b32110f316b9a121 + uses: actions/setup-node@v4 with: node-version: "20" cache: "pnpm" From 5ae0b1af5dab2ded9d2ab8172e1ed9bd0fd4a6fa Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 5 Dec 2025 09:35:27 +0000 Subject: [PATCH 17/19] Remove misleading comment about commit pinning Co-authored-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com> --- .github/actions/delete-deployments/action.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/actions/delete-deployments/action.yml b/.github/actions/delete-deployments/action.yml index 2b3f6c8b9ec..9b966b7901e 100644 --- a/.github/actions/delete-deployments/action.yml +++ b/.github/actions/delete-deployments/action.yml @@ -34,7 +34,6 @@ runs: using: composite steps: - name: Setup Node - # Pin setup-node@v4 to commit for supply-chain security; update periodically. uses: actions/setup-node@v4 with: node-version: "20" From 3fea153c59821c4a22ed40627567d568afdbd66b Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Fri, 5 Dec 2025 18:36:14 -0500 Subject: [PATCH 18/19] Add branch validation to sync workflow to prevent checkout failures (#13) --- .../sync-develop-from-smartcontractkit-chainlink.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml index 95ab5dbb5d9..5dc4e2ae838 100644 --- a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml +++ b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml @@ -10,6 +10,11 @@ jobs: name: Sync runs-on: ubuntu-latest steps: + - name: Validate Branch + run: | + git ls-remote "https://github.com/${{ github.repository }}.git" develop | grep -q "refs/heads/develop$" || (echo "develop branch is missing in origin (${{ github.repository }})" && exit 1) + git ls-remote "https://github.com/smartcontractkit/chainlink.git" develop | grep -q "refs/heads/develop$" || (echo "develop branch is missing in upstream (smartcontractkit/chainlink)" && exit 1) + if: github.repository != 'smartcontractkit/chainlink' - uses: actions/checkout@v4 with: token: ${{ secrets.GITHUB_TOKEN }} From 278b096d628b6daa380cc95a272492d61cd2cb1c Mon Sep 17 00:00:00 2001 From: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com> Date: Thu, 25 Dec 2025 00:12:32 -0500 Subject: [PATCH 19/19] Update sync workflow --- .../sync-develop-from-smartcontractkit-chainlink.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml index 5dc4e2ae838..05c1e5f3b0e 100644 --- a/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml +++ b/.github/workflows/sync-develop-from-smartcontractkit-chainlink.yml @@ -30,6 +30,6 @@ jobs: else echo "upstream has develop at $COMMIT_HASH_UPSTREAM. origin has develop at $COMMIT_HASH_ORIGIN. Syncing..." git fetch upstream - git push origin upstream/develop:develop + git push origin upstream/develop:develop --force fi - if: env.GITHUB_REPOSITORY != 'smartcontractkit/chainlink' + if: env.GITHUB_REPOSITORY != 'smartcontractkit/chainlink' \ No newline at end of file