smartcontractkit · JohnDaWalka · Oct 28, 2025 · Oct 28, 2025 · Oct 28, 2025 · Oct 28, 2025
@@ -3,20 +3,20 @@ description: Delete deployments by env and ref
 inputs:
   environment:
     required: true
-    description: The Github environment to filter deployments by
+    description: The GitHub environment to filter deployments by
   ref:
     required: true
     description: The ref to filter deployments by
   dry-run:
     required: false
     description: Whether to actually delete deployments or not
   github-token:
-    description: "The Github token to use for authentication"
+    description: "The GitHub token to use for authentication"
     required: true
     default: ${{ github.token }}
   num-of-pages:
     required: false
-    description: The number of pages (of 100 per page) to fetch deployments from, set to 'all' to fetch all deployments
+    description: The number of pages (100 per page) to fetch deployments from, set to 'all' to fetch all deployments
     default: "all"
   starting-page:
     required: false
@@ -25,35 +25,69 @@ inputs:
     required: false
     description: The owner and repository name to delete deployments from, defaults to the current repository, ex. 'smartcontractkit/chainlink'
     default: ${{ github.repository }}
+  owner:
+    required: false
+    description: Repository owner (derived automatically)
+    default: ${{ github.repository_owner }}
 
 runs:
   using: composite
   steps:
-    - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
-      with:
-        version: ^10.0.0
-
-    - uses: actions/setup-node@v4
+    - name: Setup Node
+      uses: actions/setup-node@v4
       with:
         node-version: "20"
         cache: "pnpm"
-        cache-dependency-path: "./.github/actions/delete-deployments/pnpm-lock.yaml"
+        cache-dependency-path: ".github/actions/delete-deployments/pnpm-lock.yaml"
+
+    - name: Enable pnpm via Corepack
+      shell: bash
+      run: |
+        corepack enable
+        corepack prepare pnpm@10 --activate
+        pnpm --version
+
+    - name: Validate inputs
+      shell: bash
+      run: |
+        error() { echo "::error::$1"; exit 1; }
+        [ -z "${{ inputs.environment }}" ] && error "environment input is required"
+        [ -z "${{ inputs.ref }}" ] && error "ref input is required"
+        if [ "${{ inputs.num-of-pages }}" != "all" ]; then
+          echo "${{ inputs.num-of-pages }}" | grep -Eq '^[0-9]+$' || error "num-of-pages must be a number or 'all'"
+          if [ -n "${{ inputs.starting-page }}" ]; then
+            echo "${{ inputs.starting-page }}" | grep -Eq '^[0-9]+$' || error "starting-page must be numeric"
+            if [ ${{ inputs.starting-page }} -gt ${{ inputs.num-of-pages }} ]; then
+              error "starting-page cannot exceed num-of-pages"
+            fi
+          fi
+        fi
+        # Normalize environment name and export for later steps
+        ENV_LC=$(echo "${{ inputs.environment }}" | tr '[:upper:]' '[:lower:]')
+        echo "ENVIRONMENT_NORMALIZED=$ENV_LC" >> "$GITHUB_ENV"
+        echo "Validated inputs for environment=$ENV_LC ref='${{ inputs.ref }}'"
 
     - name: Install dependencies
       shell: bash
-      run: pnpm i --prod
       working-directory: "./.github/actions/delete-deployments"
+      run: |
+        if [ -f pnpm-lock.yaml ]; then
+          pnpm install --frozen-lockfile --prod
+        else
+          pnpm install --prod
+        fi
 
     - name: Run deployment deleter
       shell: bash
-      run: pnpm start
+      working-directory: "./.github/actions/delete-deployments"
       env:
         NUM_OF_PAGES: ${{ inputs.num-of-pages }}
         STARTING_PAGE: ${{ inputs.starting-page }}
         GITHUB_TOKEN: ${{ inputs.github-token }}
         ENVIRONMENT: ${{ inputs.environment }}
+        ENVIRONMENT_NORMALIZED: ${{ env.ENVIRONMENT_NORMALIZED }}
         REF: ${{ inputs.ref }}
         DRY_RUN: ${{ inputs.dry-run }}
         OWNER: ${{ inputs.owner }}
         REPOSITORY: ${{ inputs.repository }}
-      working-directory: "./.github/actions/delete-deployments"
+      run: pnpm start
@@ -0,0 +1,65 @@
+# Sync Develop Workflow Setup
+
+This document provides instructions for setting up the "Sync develop from smartcontractkit/chainlink" workflow.
+
+## Overview
+
+The `sync-develop-from-smartcontractkit-chainlink.yml` workflow automatically syncs the `develop` branch from the upstream repository (`smartcontractkit/chainlink`) to your fork every 30 minutes.
+
+## Required Setup
+
+To enable this workflow, you need to create a Personal Access Token (PAT) and add it as a repository secret.
+
+### Step 1: Create a Personal Access Token
+
+1. Go to GitHub Settings → Developer settings → Personal access tokens → Tokens (classic)
+   - Direct link: https://github.com/settings/tokens
+2. Click "Generate new token" → "Generate new token (classic)"
+3. Configure the token:
+   - **Note**: `Chainlink Fork Sync Token`
+   - **Expiration**: Choose an appropriate expiration (recommended: 90 days or No expiration for continuous sync)
+   - **Scopes**: Select the following permissions:
+     - ✅ `repo` (Full control of private repositories) - Required to push to your repository
+4. Click "Generate token"
+5. **Important**: Copy the token immediately - you won't be able to see it again!
+
+### Step 2: Add the Token as a Repository Secret
+
+1. Go to your forked repository on GitHub
+2. Navigate to Settings → Secrets and variables → Actions
+3. Click "New repository secret"
+4. Configure the secret:
+   - **Name**: `PAT_TOKEN` (must be exactly this name)
+   - **Value**: Paste the Personal Access Token you created in Step 1
+5. Click "Add secret"
+
+### Step 3: Verify the Setup
+
+After adding the secret, the workflow will automatically use it on the next scheduled run (every 30 minutes).
+
+To manually trigger a test:
+1. Go to Actions tab in your repository
+2. Select "Sync develop from smartcontractkit/chainlink" workflow
+3. If the workflow file includes a `workflow_dispatch` trigger, you can click "Run workflow" to trigger it manually. (By default, this workflow only runs on a schedule.)
+
+Alternatively, wait for the next scheduled run and check the workflow logs to ensure it completes successfully.
+
+## Troubleshooting
+
+### Authentication Failed Error
+- Verify the `PAT_TOKEN` secret exists and is spelled correctly
+- Ensure the token has the `repo` scope enabled
+- Check if the token has expired and create a new one if needed
+
+### Push Permission Denied
+- The PAT must have write access to your fork
+- Verify you're using a token associated with an account that has push permissions to the repository
+
+### Workflow Not Running
+- This workflow only runs on forks (not on `smartcontractkit/chainlink`)
+- Check the Actions tab to see if the workflow is enabled
+- Verify the workflow file is present in the `.github/workflows` directory
+
+## Security Note
+
+Never commit your Personal Access Token directly in code or configuration files. Always use GitHub Secrets to store sensitive credentials.
@@ -2,24 +2,30 @@ name: Cleanup integration deployments
 on:
   workflow_dispatch:
   schedule:
-    # every 10 mins
-    - cron: "*/10 * * * *"
+    # hourly cleanup to reduce API usage vs every 10 mins
+    - cron: "0 * * * *"
 
 jobs:
   cleanup:
     name: Clean up integration environment deployments
     runs-on: ubuntu-latest
+    permissions:
+      deployments: write
+      contents: read
+    concurrency:
+      group: cleanup-deployments
+      cancel-in-progress: false
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
         with:
           persist-credentials: false
 
-      - name: Clean up integration environment
+      - name: Clean up integration environment deployments
         uses: ./.github/actions/delete-deployments
         with:
           environment: integration
-          # Delete 300 deployments at a time
+          ref: ${{ github.ref_name }}
           num-of-pages: 3
-          # We start with page 2 because usually the first 200 deployments are still active, so we cannot delete them
           starting-page: 2
+          dry-run: false
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+  workflow_dispatch:
+  release:
+    types: [created]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      digests: ${{ steps.hash.outputs.digests }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      # ========================================================
+      #
+      # Step 1: Build your artifacts.
+      #
+      # ========================================================
+      - name: Build artifacts
+        run: |
+            # These are some amazing artifacts.
+            echo "artifact1" > artifact1
+            echo "artifact2" > artifact2
+
+      # ========================================================
+      #
+      # Step 2: Add a step to generate the provenance subjects
+      #         as shown below. Update the sha256 sum arguments
+      #         to include all binaries that you generate
+      #         provenance for.
+      #
+      # ========================================================
+      - name: Generate subject for provenance
+        id: hash
+        run: |
+          set -euo pipefail
+
+          # List the artifacts the provenance will refer to.
+          files=$(ls artifact*)
+          # Generate the subjects (base64 encoded).
+          echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read   # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.digests }}"
+      upload-assets: true # Optional: Upload to a new release
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you compile your Go project using a SLSA3 compliant builder.
+# This workflow will generate a so-called "provenance" file describing the steps
+# that were performed to generate the final binary.
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA Go releaser
+on:
+  workflow_dispatch:
+  release:
+    types: [created]
+
+permissions: read-all
+
+jobs:
+  # ========================================================================================================================================
+  #     Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
-  #     Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
+  #     Prerequisite: Create a .slsa-goreleaser.yml in the root directory of your project.
-  #     Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
+  #     Prerequisite: Create a .slsa-goreleaser.yml in the root directory of your project.
+  #       See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
+  #=========================================================================================================================================
+  build:
+    permissions:
+      id-token: write # To sign.
+      contents: write # To upload release assets.
+      actions: read   # To read workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0
+    with:
+      go-version: 1.17
-      go-version: 1.17
+      go-version: '1.21'
-      go-version: 1.17
+      go-version: '1.21'
+      # =============================================================================================================
+      #     Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects
+      # =============================================================================================================
+
@@ -0,0 +1,28 @@
+# This workflow will build a golang project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
+
+name: Go
+
+on:
+  push:
+    branches: [ "develop" ]
+  pull_request:
+    branches: [ "develop" ]
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: '1.20'
-        go-version: '1.20'
+        go-version: '1.21.x'
-        go-version: '1.20'
+        go-version: '1.21.x'
+
+    - name: Build
+      run: go build -v ./...
+
+    - name: Test
+      run: go test -v ./...
@@ -0,0 +1,35 @@
+# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
+# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
+
+name: Node.js Package
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - run: npm ci
+
+  publish-gpr:
+    needs: build
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - run: npm ci
-
-  publish-gpr:
-    needs: build
+  publish-gpr:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - run: npm ci
-
-  publish-gpr:
-    needs: build
+  publish-gpr:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: https://npm.pkg.github.com/
+      - run: npm ci
+      - run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}