From 76f8fa12ec6fbc1321435e27d7a40e27694cafe4 Mon Sep 17 00:00:00 2001 From: Sebastian Lorenz Date: Sat, 29 Mar 2025 10:46:30 +0100 Subject: [PATCH 1/4] harden ci workflows --- .github/workflows/ci.yml | 56 ++++++++++++++++++++++++------ .github/workflows/coverage.yml | 40 --------------------- .github/workflows/docker-image.yml | 32 +++++++++-------- 3 files changed, 62 insertions(+), 66 deletions(-) delete mode 100644 .github/workflows/coverage.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7767eb1c5..48cdd208f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,22 +1,23 @@ name: Continuous Integration - on: push: branches: [main] pull_request: - types: [opened, synchronize, reopened] + branches: [main] + +permissions: + contents: read env: CARGO_TERM_COLOR: always RUST_BACKTRACE: full + RUSTFLAGS: "-D warnings" jobs: unit-tests: name: Unit tests runs-on: nscloud-ubuntu-22.04-amd64-16x32 timeout-minutes: 10 - env: - RUSTFLAGS: "-D warnings" steps: - uses: actions/checkout@v4 - name: Install deps @@ -28,11 +29,6 @@ jobs: name: Integration tests runs-on: nscloud-ubuntu-22.04-amd64-16x32 timeout-minutes: 10 - env: - RUSTFLAGS: "-D warnings" - FIREHOSE_ETH_MAINNET_URL: ${{ secrets.FIREHOSE_ETH_MAINNET_URL }} - FIREHOSE_ETH_MAINNET_TOKEN: ${{ secrets.FIREHOSE_ETH_MAINNET_TOKEN }} - RPC_ETH_MAINNET_URL: ${{ secrets.RPC_ETH_MAINNET_URL }} steps: - uses: actions/checkout@v4 - name: Install deps @@ -47,6 +43,10 @@ jobs: > tests/config/providers/rpc_eth_mainnet.toml - name: Integration tests run: cargo test --verbose -p tests -- --nocapture + env: + FIREHOSE_ETH_MAINNET_URL: ${{ secrets.FIREHOSE_ETH_MAINNET_URL }} + FIREHOSE_ETH_MAINNET_TOKEN: ${{ secrets.FIREHOSE_ETH_MAINNET_TOKEN }} + RPC_ETH_MAINNET_URL: ${{ secrets.RPC_ETH_MAINNET_URL }} rustfmt: name: Check rustfmt style 
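Review bot: The integration-tests job in the hunk at @@ -28,11 still runs on `pull_request`, but a pull request opened from a fork receives empty strings for `secrets.FIREHOSE_ETH_MAINNET_*` and `secrets.RPC_ETH_MAINNET_URL`, so the envsubst steps silently write blank provider files and the test step then fails for a non-obvious reason. If fork PRs are accepted, gate the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` so runs without secrets are skipped rather than failed. Separately, after the hunk at @@ -47,6 the three secrets are attached only to the `Integration tests` step while the `Copy ... provider file` steps that run `envsubst` no longer see them; PATCH 3/4 in this series moves them back onto the copy steps, so that part resolves itself later in the series.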
@@ -61,11 +61,45 @@ jobs: name: Build in release mode runs-on: nscloud-ubuntu-22.04-amd64-16x32 timeout-minutes: 60 - env: - RUSTFLAGS: "-D warnings" steps: - uses: actions/checkout@v4 - name: Install deps run: sudo apt-get install -y protobuf-compiler - name: Cargo check (release) run: cargo check --release + + coverage: + name: Coverage + runs-on: nscloud-ubuntu-22.04-amd64-8x16 + container: + image: xd009642/tarpaulin:develop-nightly + options: --security-opt seccomp=unconfined + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Install deps + run: | + apt-get update + apt-get install -y protobuf-compiler cmake gettext + - name: Copy firehose provider file + run: | + envsubst < tests/config/providers/COPY_ME_firehose_eth_mainnet.toml \ + > tests/config/providers/firehose_eth_mainnet.toml + - name: Copy rpc provider file + run: | + envsubst < tests/config/providers/COPY_ME_rpc_eth_mainnet.toml \ + > tests/config/providers/rpc_eth_mainnet.toml + - name: Install cargo-llvm-cov + uses: taiki-e/install-action@cargo-llvm-cov + - name: Generate code coverage + run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info + env: + FIREHOSE_ETH_MAINNET_URL: ${{ secrets.FIREHOSE_ETH_MAINNET_URL }} + FIREHOSE_ETH_MAINNET_TOKEN: ${{ secrets.FIREHOSE_ETH_MAINNET_TOKEN }} + RPC_ETH_MAINNET_URL: ${{ secrets.RPC_ETH_MAINNET_URL }} + - name: Upload to codecov.io + uses: codecov/codecov-action@v5 + with: + token: ${{ secrets.CODECOV_TOKEN }} + files: lcov.info + fail_ci_if_error: true diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml deleted file mode 100644 index 6567fe44f..000000000 --- a/.github/workflows/coverage.yml +++ /dev/null 
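Review bot: The new `coverage` job is the only job in this file without `timeout-minutes`; every other job sets one (10 or 60), so a hung test run here holds the runner until the platform default, add e.g. `timeout-minutes: 30`. The `options: --security-opt seccomp=unconfined` and the `xd009642/tarpaulin:develop-nightly` image are carried over from the deleted coverage.yml, but the coverage step itself runs `cargo llvm-cov`, and nothing in the hunk shows that tool needing an unconfined seccomp profile; either drop the option (and the container) or keep it with a comment stating which tool requires it, e.g. `# seccomp=unconfined: required by <tool> for <reason>`. The upload step sets `fail_ci_if_error: true` and needs `secrets.CODECOV_TOKEN`, which is absent on fork pull requests, so the job will fail there unless it is gated like the other secret-consuming jobs.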
@@ -1,40 +0,0 @@ -name: coverage - -on: [push] -jobs: - test: - name: coverage - runs-on: nscloud-ubuntu-22.04-amd64-8x16 - container: - image: xd009642/tarpaulin:develop-nightly - options: --security-opt seccomp=unconfined - env: - RUSTFLAGS: "-D warnings" - FIREHOSE_ETH_MAINNET_URL: ${{ secrets.FIREHOSE_ETH_MAINNET_URL }} - FIREHOSE_ETH_MAINNET_TOKEN: ${{ secrets.FIREHOSE_ETH_MAINNET_TOKEN }} - RPC_ETH_MAINNET_URL: ${{ secrets.RPC_ETH_MAINNET_URL }} - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Install deps - run: | - apt-get update - apt-get install -y protobuf-compiler cmake gettext - - name: Copy firehose provider file - run: | - envsubst < tests/config/providers/COPY_ME_firehose_eth_mainnet.toml \ - > tests/config/providers/firehose_eth_mainnet.toml - - name: Copy rpc provider file - run: | - envsubst < tests/config/providers/COPY_ME_rpc_eth_mainnet.toml \ - > tests/config/providers/rpc_eth_mainnet.toml - - name: Install cargo-llvm-cov - uses: taiki-e/install-action@cargo-llvm-cov - - name: Generate code coverage - run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info - - name: Upload to codecov.io - uses: codecov/codecov-action@v5 - with: - token: ${{secrets.CODECOV_TOKEN}} - files: lcov.info - fail_ci_if_error: true diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 0eef389b9..9754c233e 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
@@ -1,39 +1,41 @@ name: Docker Image - on: workflow_dispatch: push: branches: ["main"] tags: ["v*"] +permissions: + contents: read + jobs: build: runs-on: nscloud-ubuntu-22.04-amd64-32x32 steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - + - name: Login to GitHub Container Registry + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 - name: Docker meta - id: docker_meta + id: metadata uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5 with: images: ghcr.io/edgeandnode/nozzle tags: | type=ref,event=tag type=sha - - - name: login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: build and push Docker image + - name: Build and push Docker image uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 with: context: . file: Dockerfile pull: true - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.docker_meta.outputs.tags }} - labels: ${{ steps.docker_meta.outputs.labels }} + tags: ${{ steps.metadata.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} From 3ac9dde041424358f533df3ce73fffa87a643d72 Mon Sep 17 00:00:00 2001 From: Sebastian Lorenz Date: Sat, 29 Mar 2025 11:02:04 +0100 Subject: [PATCH 2/4] lock action versions --- .github/workflows/ci.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 48cdd208f..b5cc17391 100644 --- a/.github/workflows/ci.yml 
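Review bot: The added `Set up QEMU` step has no consumer: the `Build and push Docker image` step passes no `platforms:` input, so buildx builds only the runner's native platform and the QEMU emulation is never used. Either add `platforms: linux/amd64,linux/arm64` (or whichever set the image should ship for) to the build step, or drop the QEMU step to keep the job smaller. Removing `push: ${{ github.event_name != 'pull_request' }}` without a replacement leaves `push` at the action's default of false, so this commit as written builds but publishes nothing; PATCH 4/4 adds `push: true`, see the note there.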
+++ b/.github/workflows/ci.yml @@ -19,7 +19,7 @@ jobs: runs-on: nscloud-ubuntu-22.04-amd64-16x32 timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install deps run: sudo apt-get install -y protobuf-compiler - name: Unit tests @@ -30,7 +30,7 @@ jobs: runs-on: nscloud-ubuntu-22.04-amd64-16x32 timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install deps run: sudo apt-get install -y protobuf-compiler - name: Copy firehose provider file @@ -53,7 +53,7 @@ jobs: runs-on: namespace-profile-default timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Check formatting run: cargo fmt --all -- --check @@ -62,7 +62,7 @@ jobs: runs-on: nscloud-ubuntu-22.04-amd64-16x32 timeout-minutes: 60 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install deps run: sudo apt-get install -y protobuf-compiler - name: Cargo check (release) @@ -72,11 +72,11 @@ jobs: name: Coverage runs-on: nscloud-ubuntu-22.04-amd64-8x16 container: + # TODO: Can we lock this image to a specific sha? image: xd009642/tarpaulin:develop-nightly options: --security-opt seccomp=unconfined steps: - - name: Checkout repository - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install deps run: | apt-get update @@ -90,7 +90,7 @@ jobs: envsubst < tests/config/providers/COPY_ME_rpc_eth_mainnet.toml \ > tests/config/providers/rpc_eth_mainnet.toml - name: Install cargo-llvm-cov - uses: taiki-e/install-action@cargo-llvm-cov + uses: taiki-e/install-action@305d37bb81325225cb9a77b3fcd7c23ff808afe1 # cargo-llvm-cov - name: Generate code coverage run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info env: 
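Review bot: Pinning `taiki-e/install-action` to a commit SHA in the hunk at @@ -90,7 removes the `@cargo-llvm-cov` ref that the action used to select the tool, so the step most likely needs an explicit input, `with:` / `tool: cargo-llvm-cov`, to keep installing the same tool; confirm against the action's README for the pinned revision. For the `# TODO: Can we lock this image to a specific sha?` comment in the hunk at @@ -72,11: `container.image` accepts a digest reference, `image: xd009642/tarpaulin@sha256:<digest-placeholder>`, which pins the image the same way the actions are now pinned, and since `develop-nightly` is a moving tag the digest then has to be refreshed deliberately. Keep the `# v4` / `# v5` / `# cargo-llvm-cov` comments next to every SHA in exactly that form, as they are what lets the dependency-update tooling recognise and bump the pins.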
@@ -98,7 +98,7 @@ jobs: FIREHOSE_ETH_MAINNET_TOKEN: ${{ secrets.FIREHOSE_ETH_MAINNET_TOKEN }} RPC_ETH_MAINNET_URL: ${{ secrets.RPC_ETH_MAINNET_URL }} - name: Upload to codecov.io - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5 with: token: ${{ secrets.CODECOV_TOKEN }} files: lcov.info From 3f9f77f6bdd946cb297ae21e2fe464c0549192ad Mon Sep 17 00:00:00 2001 From: Sebastian Lorenz Date: Sat, 29 Mar 2025 11:06:37 +0100 Subject: [PATCH 3/4] fix env --- .github/workflows/ci.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b5cc17391..8394411ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -37,16 +37,17 @@ jobs: run: | envsubst < tests/config/providers/COPY_ME_firehose_eth_mainnet.toml \ > tests/config/providers/firehose_eth_mainnet.toml + env: + FIREHOSE_ETH_MAINNET_URL: ${{ secrets.FIREHOSE_ETH_MAINNET_URL }} + FIREHOSE_ETH_MAINNET_TOKEN: ${{ secrets.FIREHOSE_ETH_MAINNET_TOKEN }} - name: Copy rpc provider file run: | envsubst < tests/config/providers/COPY_ME_rpc_eth_mainnet.toml \ > tests/config/providers/rpc_eth_mainnet.toml - - name: Integration tests - run: cargo test --verbose -p tests -- --nocapture env: - FIREHOSE_ETH_MAINNET_URL: ${{ secrets.FIREHOSE_ETH_MAINNET_URL }} - FIREHOSE_ETH_MAINNET_TOKEN: ${{ secrets.FIREHOSE_ETH_MAINNET_TOKEN }} RPC_ETH_MAINNET_URL: ${{ secrets.RPC_ETH_MAINNET_URL }} + - name: Integration tests + run: cargo test --verbose -p tests -- --nocapture rustfmt: name: Check rustfmt style 
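Review bot: In the hunk at @@ -37,16 the `Integration tests` step no longer receives any of the three provider secrets and only the generated `.toml` files carry them; if `cargo test -p tests` reads `FIREHOSE_ETH_MAINNET_*` or `RPC_ETH_MAINNET_URL` from the environment directly this breaks it, so confirm the test crate reads only the files (the coverage job's `Generate code coverage` step in the next hunk, @@ -85,18, has the same change). Since each copy step now carries exactly the variables its template needs, restrict `envsubst` to those names so nothing else from the runner environment is expanded into the file: `envsubst '$FIREHOSE_ETH_MAINNET_URL $FIREHOSE_ETH_MAINNET_TOKEN' < tests/config/providers/COPY_ME_firehose_eth_mainnet.toml \` and `envsubst '$RPC_ETH_MAINNET_URL' < tests/config/providers/COPY_ME_rpc_eth_mainnet.toml \`.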
@@ -85,18 +86,19 @@ jobs: run: | envsubst < tests/config/providers/COPY_ME_firehose_eth_mainnet.toml \ > tests/config/providers/firehose_eth_mainnet.toml + env: + FIREHOSE_ETH_MAINNET_URL: ${{ secrets.FIREHOSE_ETH_MAINNET_URL }} + FIREHOSE_ETH_MAINNET_TOKEN: ${{ secrets.FIREHOSE_ETH_MAINNET_TOKEN }} - name: Copy rpc provider file run: | envsubst < tests/config/providers/COPY_ME_rpc_eth_mainnet.toml \ > tests/config/providers/rpc_eth_mainnet.toml + env: + RPC_ETH_MAINNET_URL: ${{ secrets.RPC_ETH_MAINNET_URL }} - name: Install cargo-llvm-cov uses: taiki-e/install-action@305d37bb81325225cb9a77b3fcd7c23ff808afe1 # cargo-llvm-cov - name: Generate code coverage run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info - env: - FIREHOSE_ETH_MAINNET_URL: ${{ secrets.FIREHOSE_ETH_MAINNET_URL }} - FIREHOSE_ETH_MAINNET_TOKEN: ${{ secrets.FIREHOSE_ETH_MAINNET_TOKEN }} - RPC_ETH_MAINNET_URL: ${{ secrets.RPC_ETH_MAINNET_URL }} - name: Upload to codecov.io uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5 with: From 541f59c1799e03bd0439399138d2c23895caac30 Mon Sep 17 00:00:00 2001 From: Sebastian Lorenz Date: Sat, 29 Mar 2025 11:11:30 +0100 Subject: [PATCH 4/4] add provenance --- .github/workflows/docker-image.yml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 9754c233e..de637dbd5 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -10,7 +10,13 @@ permissions: jobs: build: + name: Build and push runs-on: nscloud-ubuntu-22.04-amd64-32x32 + permissions: + contents: read + packages: write + attestations: write + id-token: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Login to GitHub Container Registry 
@@ -24,8 +30,8 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 - name: Docker meta - id: metadata uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5 + id: metadata with: images: ghcr.io/edgeandnode/nozzle tags: | @@ -33,9 +39,16 @@ jobs: type=sha - name: Build and push Docker image uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + id: push with: context: . - file: Dockerfile pull: true + push: true tags: ${{ steps.metadata.outputs.tags }} labels: ${{ steps.metadata.outputs.labels }} + - name: Generate artifact attestation + uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2 + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true
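Review bot: `push: true` is unconditional, so with `workflow_dispatch` among the triggers a manual run from any branch now publishes a `type=sha` image, and an attestation for it, to `ghcr.io/edgeandnode/nozzle`; if that is not intended, keep publishing to the push/tag events only, e.g. `push: ${{ github.event_name != 'workflow_dispatch' }}`, or restrict who may dispatch the workflow. The attestation's `subject-name: ghcr.io/${{ github.repository }}` and the metadata step's hard-coded `images: ghcr.io/edgeandnode/nozzle` must resolve to the same name for the attestation to bind to the pushed image; derive both from one expression, `images: ghcr.io/${{ github.repository }}`, so a rename or fork cannot make them diverge. The `on:` block with the `workflow_dispatch` trigger sits outside this hunk.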