diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 3e0d67120..ca083df98 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -9,18 +9,21 @@ on: - 'v*' pull_request: +permissions: + contents: read + jobs: setup-dependencies: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Restore Go modules cache - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.0.0 with: path: /go/pkg/mod key: go-mod-${{ hashFiles('**/go.sum') }} @@ -35,7 +38,7 @@ jobs: run: git gc - name: Save source code cache - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.0.0 with: path: .git key: go-src-${{ github.sha }} @@ -45,8 +48,8 @@ jobs: runs-on: ubuntu-latest needs: setup-dependencies steps: - - uses: actions/checkout@v7 - - uses: actions/setup-go@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Check go mod tidy @@ -58,12 +61,12 @@ jobs: runs-on: ubuntu-latest needs: setup-dependencies steps: - - uses: actions/checkout@v7 - - uses: actions/setup-go@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Run golangci-lint - uses: golangci/golangci-lint-action@v9 + uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9.2.0 with: version: v2.11.3 args: --tests=false --timeout=5m0s @@ -75,14 +78,14 @@ jobs: matrix: shard: [1, 2, 3, 4] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Restore Go modules cache - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.0.0 with: path: /go/pkg/mod key: go-mod-${{ hashFiles('**/go.sum') }} @@ -108,7 +111,7 @@ jobs: fi - name: Upload coverage and logs - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.0 with: name: coverage-${{ matrix.shard }} path: | @@ -119,10 +122,10 @@ jobs: runs-on: ubuntu-latest needs: test-cover steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Download coverage artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.0 with: path: artifacts @@ -132,20 +135,23 @@ jobs: find artifacts -name '*.out' | xargs -I{} tail -n +2 {} >> coverage.txt - name: Upload to Codecov - run: bash <(curl -s https://codecov.io/bash) -f coverage.txt + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 + with: + files: coverage.txt + fail_ci_if_error: false test-system: runs-on: ubuntu-latest needs: test-cover steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Restore Go modules cache - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.0.0 with: path: /go/pkg/mod key: go-mod-${{ hashFiles('**/go.sum') }} @@ -164,7 +170,7 @@ jobs: - name: Upload test system artifacts if: failure() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.0 with: name: test-system-artifacts path: /tmp/test-system-artifacts @@ -174,14 +180,14 @@ jobs: runs-on: ubuntu-latest needs: test-cover steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Restore Go modules cache - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.0.0 with: path: /go/pkg/mod key: go-mod-${{ hashFiles('**/go.sum') }} @@ -200,9 +206,9 @@ jobs: runs-on: ubuntu-latest needs: setup-dependencies steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod @@ -215,14 +221,14 @@ jobs: env: IMAGE_NAME: cosmwasm/wasmd steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Set up Docker - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.0.0 - name: Build Docker image run: | @@ -242,7 +248,7 @@ jobs: fi - name: Login to DockerHub - if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') + if: github.repository == 'CosmWasm/wasmd' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) env: DOCKER_USER: ${{ secrets.DOCKERHUB_USERNAME }} DOCKER_PASS: ${{ secrets.DOCKERHUB_TOKEN }} @@ -250,7 +256,7 @@ jobs: echo $DOCKER_PASS | docker login -u $DOCKER_USER --password-stdin - name: Push Docker image - if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') + if: github.repository == 'CosmWasm/wasmd' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) run: | SHA=${{ github.sha }} docker push $IMAGE_NAME:$SHA diff --git a/.github/workflows/codeql-analizer.yml b/.github/workflows/codeql-analizer.yml index 1515fb039..296903d3f 100644 --- a/.github/workflows/codeql-analizer.yml +++ b/.github/workflows/codeql-analizer.yml @@ -19,18 +19,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@1ad29ea4a422cce9a242a9fae469541dcd08addc # v4.32.6 with: languages: 'go' - queries: crypto-com/cosmos-sdk-codeql@main,security-and-quality + queries: security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@1ad29ea4a422cce9a242a9fae469541dcd08addc # v4.32.6 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@1ad29ea4a422cce9a242a9fae469541dcd08addc # v4.32.6 diff --git a/.github/workflows/proto-buf-linter.yml b/.github/workflows/proto-buf-linter.yml index f2a5a23cf..0b8192d32 100644 --- a/.github/workflows/proto-buf-linter.yml +++ b/.github/workflows/proto-buf-linter.yml @@ -13,10 +13,10 @@ jobs: buf-lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: bufbuild/buf-setup-action@v1.50.0 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0 # lint checks - - uses: bufbuild/buf-lint-action@v1 + - uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # v1.1.1 with: input: "proto" diff --git a/.github/workflows/proto-buf-publisher.yml b/.github/workflows/proto-buf-publisher.yml index 5a2837fd6..ed41e4daa 100644 --- a/.github/workflows/proto-buf-publisher.yml +++ b/.github/workflows/proto-buf-publisher.yml @@ -12,27 +12,24 @@ on: tags: - "v[0-9]+.[0-9]+.[0-9]+.*" # Push events to matching v*, //i.e. v20.15.10, v0.27.0-rc1 +permissions: + contents: read + jobs: push: + if: github.repository == 'CosmWasm/wasmd' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: bufbuild/buf-setup-action@v1.50.0 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0 # lint checks - - uses: bufbuild/buf-lint-action@v1 + - uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # v1.1.1 with: input: 'proto' - # TODO: Add this when project is more stable. - # backward compatibility breaking checks - #- uses: bufbuild/buf-breaking-action@v1 - # with: - # input: 'proto' - # against: 'https://github.com/CosmWasm/wasmd.git#branch=master' - # publish proto files - - uses: bufbuild/buf-push-action@v1 + - uses: bufbuild/buf-push-action@a654ff18effe4641ebea4a4ce242c49800728459 # v1.2.0 with: input: 'proto' buf_token: ${{ secrets.BUF_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c5cb734c3..d463c2d69 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,13 +13,14 @@ env: jobs: release: + if: github.repository == 'CosmWasm/wasmd' runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Docker - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.0.0 - name: Build Docker image run: | diff --git a/.github/workflows/typo-check.yml b/.github/workflows/typo-check.yml index df019f6f6..078d7fc36 100644 --- a/.github/workflows/typo-check.yml +++ b/.github/workflows/typo-check.yml @@ -8,12 +8,15 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: check-typos: name: "Spell-check repository source" runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Run spell-check - uses: crate-ci/typos@master + uses: crate-ci/typos@bee27e3a4fd1ea2111cf90ab89cd076c870fce14 # v1.48.0 diff --git a/IPI_FORK_STATUS.md b/IPI_FORK_STATUS.md index 1397bfa99..f74d08fdd 100644 --- a/IPI_FORK_STATUS.md +++ b/IPI_FORK_STATUS.md @@ -3,7 +3,8 @@ - Upstream: [`CosmWasm/wasmd`](https://github.com/CosmWasm/wasmd) - Fork relationship: GitHub-native public fork - Upstream license: Apache License 2.0 -- IPI-specific commits at the time this notice was added: none +- IPI-specific changes: provenance documentation and fork-safe CI permissions; + no consensus or application changes - IPI maturity: research base, not a released node The Git history, upstream contributors, `LICENSE`, `NOTICE`, security guidance, diff --git a/README.md b/README.md index 6afb1bca4..29cdb120d 100644 --- a/README.md +++ b/README.md @@ -2,10 +2,12 @@ This repository is a tracking fork of [`CosmWasm/wasmd`](https://github.com/CosmWasm/wasmd). At the time of this -notice, the fork contains no IPI-specific commits and is not an IPI node binary, -canonical network release, or independent implementation. It is retained as an -upstream engineering base while the IPI node architecture, reproducible build, -genesis binding, upgrade path, and verification suite are defined publicly. +notice, IPI-specific changes are limited to provenance documentation and +fork-safe CI permissions. The fork contains no IPI consensus or application +changes and is not an IPI node binary, canonical network release, or independent +implementation. It is retained as an upstream engineering base while the IPI +node architecture, reproducible build, genesis binding, upgrade path, and +verification suite are defined publicly. Do not infer IPI compatibility, network identity, or production readiness from the repository name. The unmodified upstream documentation follows and remains