chore(ethereum/test): read mainnet RPC URL from env, drop hardcoded key#3997
Open
piotr-roslaniec wants to merge 2 commits into
Open
chore(ethereum/test): read mainnet RPC URL from env, drop hardcoded key#3997piotr-roslaniec wants to merge 2 commits into
piotr-roslaniec wants to merge 2 commits into
Conversation
The integration test contained a hardcoded Infura URL with an embedded API key. Treat the leaked key as compromised and rotate it on the provider side; this change makes the test read the JSON-RPC URL from the `KEEP_TEST_ETHEREUM_URL` env variable and skip when it is not set. Note: this test was already failing on mainnet against go-ethereum v1.13.x because the latest blocks contain EIP-7702 type-4 transactions that this version cannot decode. Fixing that is tracked separately; the skip behaviour avoids spurious CI failures in the meantime.
Rename the env var to match the existing org secret. Also document explicitly that the URL must point to mainnet (the test asserts against historical mainnet block numbers, so a testnet URL would silently produce wrong results).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
pkg/chain/ethereum/ethereum_integration_test.gocontained a hardcodedhttps://mainnet.infura.io/v3/<key>URL with an embedded Infura API key. The key is in git history and on the public mirror, so it must be treated as compromised and rotated on the Infura side independently of this PR.KEEP_TEST_ETHEREUM_URLenv variable instead, and skip when the variable is not set. That removes the leak from the source tree and avoids relying on a single shared credential.Notes
mainfor a separate reason: mainnet blocks now contain EIP-7702 type-4 transactions thatgo-ethereum v1.13.xcannot decode (cannot get current block: [transaction type not supported]). That's tracked separately and requires ago-ethereumbump.Follow-ups
KEEP_TEST_ETHEREUM_URLinto the relevant CI workflow if/when integration tests should run therego-ethereumto a version with EIP-7702 support to actually unblock the test against current mainnetTest plan
go test -tags=integration -c -o /dev/null ./pkg/chain/ethereum/compilesKEEP_TEST_ETHEREUM_URLis unset