From 12e25612763ca61f4d3dc88666959289c4969042 Mon Sep 17 00:00:00 2001 From: ipicoinrepo <119383174+ipicoinrepo@users.noreply.github.com> Date: Wed, 15 Jul 2026 11:47:23 +0200 Subject: [PATCH 1/3] Harden inherited workflows for the IPI fork --- .github/workflows/checks.yml | 7 +++++-- .github/workflows/proto-buf-publisher.yml | 4 ++++ .github/workflows/release.yml | 1 + .github/workflows/typo-check.yml | 3 +++ IPI_FORK_STATUS.md | 3 ++- README.md | 10 ++++++---- 6 files changed, 21 insertions(+), 7 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 3e0d67120..c5c6c2b84 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -9,6 +9,9 @@ on: - 'v*' pull_request: +permissions: + contents: read + jobs: setup-dependencies: runs-on: ubuntu-latest @@ -242,7 +245,7 @@ jobs: fi - name: Login to DockerHub - if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') + if: github.repository == 'CosmWasm/wasmd' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) env: DOCKER_USER: ${{ secrets.DOCKERHUB_USERNAME }} DOCKER_PASS: ${{ secrets.DOCKERHUB_TOKEN }} @@ -250,7 +253,7 @@ jobs: echo $DOCKER_PASS | docker login -u $DOCKER_USER --password-stdin - name: Push Docker image - if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') + if: github.repository == 'CosmWasm/wasmd' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) run: | SHA=${{ github.sha }} docker push $IMAGE_NAME:$SHA diff --git a/.github/workflows/proto-buf-publisher.yml b/.github/workflows/proto-buf-publisher.yml index 5a2837fd6..203e7ccaf 100644 --- a/.github/workflows/proto-buf-publisher.yml +++ b/.github/workflows/proto-buf-publisher.yml @@ -12,8 +12,12 @@ on: tags: - "v[0-9]+.[0-9]+.[0-9]+.*" # Push events to matching v*, //i.e. v20.15.10, v0.27.0-rc1 +permissions: + contents: read + jobs: push: + if: github.repository == 'CosmWasm/wasmd' runs-on: ubuntu-latest steps: - uses: actions/checkout@v7 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c5cb734c3..7bc677bdf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,6 +13,7 @@ env: jobs: release: + if: github.repository == 'CosmWasm/wasmd' runs-on: ubuntu-latest steps: - name: Checkout code diff --git a/.github/workflows/typo-check.yml b/.github/workflows/typo-check.yml index df019f6f6..6650be9df 100644 --- a/.github/workflows/typo-check.yml +++ b/.github/workflows/typo-check.yml @@ -8,6 +8,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: check-typos: name: "Spell-check repository source" diff --git a/IPI_FORK_STATUS.md b/IPI_FORK_STATUS.md index 1397bfa99..f74d08fdd 100644 --- a/IPI_FORK_STATUS.md +++ b/IPI_FORK_STATUS.md @@ -3,7 +3,8 @@ - Upstream: [`CosmWasm/wasmd`](https://github.com/CosmWasm/wasmd) - Fork relationship: GitHub-native public fork - Upstream license: Apache License 2.0 -- IPI-specific commits at the time this notice was added: none +- IPI-specific changes: provenance documentation and fork-safe CI permissions; + no consensus or application changes - IPI maturity: research base, not a released node The Git history, upstream contributors, `LICENSE`, `NOTICE`, security guidance, diff --git a/README.md b/README.md index 6afb1bca4..29cdb120d 100644 --- a/README.md +++ b/README.md @@ -2,10 +2,12 @@ This repository is a tracking fork of [`CosmWasm/wasmd`](https://github.com/CosmWasm/wasmd). At the time of this -notice, the fork contains no IPI-specific commits and is not an IPI node binary, -canonical network release, or independent implementation. It is retained as an -upstream engineering base while the IPI node architecture, reproducible build, -genesis binding, upgrade path, and verification suite are defined publicly. +notice, IPI-specific changes are limited to provenance documentation and +fork-safe CI permissions. The fork contains no IPI consensus or application +changes and is not an IPI node binary, canonical network release, or independent +implementation. It is retained as an upstream engineering base while the IPI +node architecture, reproducible build, genesis binding, upgrade path, and +verification suite are defined publicly. Do not infer IPI compatibility, network identity, or production readiness from the repository name. The unmodified upstream documentation follows and remains From 06fba43131341744257bfce23a54b246a3d277f8 Mon Sep 17 00:00:00 2001 From: ipicoinrepo <119383174+ipicoinrepo@users.noreply.github.com> Date: Wed, 15 Jul 2026 11:56:10 +0200 Subject: [PATCH 2/3] ci: pin third-party actions and harden coverage upload --- .github/workflows/checks.yml | 59 ++++++++++++----------- .github/workflows/codeql-analizer.yml | 10 ++-- .github/workflows/proto-buf-linter.yml | 6 +-- .github/workflows/proto-buf-publisher.yml | 15 ++---- .github/workflows/release.yml | 4 +- .github/workflows/typo-check.yml | 4 +- 6 files changed, 47 insertions(+), 51 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index c5c6c2b84..7d4f3a96e 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -16,14 +16,14 @@ jobs: setup-dependencies: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Restore Go modules cache - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.0.0 with: path: /go/pkg/mod key: go-mod-${{ hashFiles('**/go.sum') }} @@ -38,7 +38,7 @@ jobs: run: git gc - name: Save source code cache - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.0.0 with: path: .git key: go-src-${{ github.sha }} @@ -48,8 +48,8 @@ jobs: runs-on: ubuntu-latest needs: setup-dependencies steps: - - uses: actions/checkout@v7 - - uses: actions/setup-go@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Check go mod tidy @@ -61,12 +61,12 @@ jobs: runs-on: ubuntu-latest needs: setup-dependencies steps: - - uses: actions/checkout@v7 - - uses: actions/setup-go@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Run golangci-lint - uses: golangci/golangci-lint-action@v9 + uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9.2.0 with: version: v2.11.3 args: --tests=false --timeout=5m0s @@ -78,14 +78,14 @@ jobs: matrix: shard: [1, 2, 3, 4] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Restore Go modules cache - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.0.0 with: path: /go/pkg/mod key: go-mod-${{ hashFiles('**/go.sum') }} @@ -111,7 +111,7 @@ jobs: fi - name: Upload coverage and logs - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0 # v7.0.0 with: name: coverage-${{ matrix.shard }} path: | @@ -122,10 +122,10 @@ jobs: runs-on: ubuntu-latest needs: test-cover steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Download coverage artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.0 with: path: artifacts @@ -135,20 +135,23 @@ jobs: find artifacts -name '*.out' | xargs -I{} tail -n +2 {} >> coverage.txt - name: Upload to Codecov - run: bash <(curl -s https://codecov.io/bash) -f coverage.txt + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 + with: + files: coverage.txt + fail_ci_if_error: false test-system: runs-on: ubuntu-latest needs: test-cover steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Restore Go modules cache - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.0.0 with: path: /go/pkg/mod key: go-mod-${{ hashFiles('**/go.sum') }} @@ -167,7 +170,7 @@ jobs: - name: Upload test system artifacts if: failure() - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0 # v7.0.0 with: name: test-system-artifacts path: /tmp/test-system-artifacts @@ -177,14 +180,14 @@ jobs: runs-on: ubuntu-latest needs: test-cover steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Restore Go modules cache - uses: actions/cache@v6 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.0.0 with: path: /go/pkg/mod key: go-mod-${{ hashFiles('**/go.sum') }} @@ -203,9 +206,9 @@ jobs: runs-on: ubuntu-latest needs: setup-dependencies steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod @@ -218,14 +221,14 @@ jobs: env: IMAGE_NAME: cosmwasm/wasmd steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.0.0 with: go-version-file: go.mod - name: Set up Docker - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.0.0 - name: Build Docker image run: | diff --git a/.github/workflows/codeql-analizer.yml b/.github/workflows/codeql-analizer.yml index 1515fb039..296903d3f 100644 --- a/.github/workflows/codeql-analizer.yml +++ b/.github/workflows/codeql-analizer.yml @@ -19,18 +19,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@1ad29ea4a422cce9a242a9fae469541dcd08addc # v4.32.6 with: languages: 'go' - queries: crypto-com/cosmos-sdk-codeql@main,security-and-quality + queries: security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@1ad29ea4a422cce9a242a9fae469541dcd08addc # v4.32.6 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@1ad29ea4a422cce9a242a9fae469541dcd08addc # v4.32.6 diff --git a/.github/workflows/proto-buf-linter.yml b/.github/workflows/proto-buf-linter.yml index f2a5a23cf..0b8192d32 100644 --- a/.github/workflows/proto-buf-linter.yml +++ b/.github/workflows/proto-buf-linter.yml @@ -13,10 +13,10 @@ jobs: buf-lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: bufbuild/buf-setup-action@v1.50.0 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0 # lint checks - - uses: bufbuild/buf-lint-action@v1 + - uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # v1.1.1 with: input: "proto" diff --git a/.github/workflows/proto-buf-publisher.yml b/.github/workflows/proto-buf-publisher.yml index 203e7ccaf..ed41e4daa 100644 --- a/.github/workflows/proto-buf-publisher.yml +++ b/.github/workflows/proto-buf-publisher.yml @@ -20,23 +20,16 @@ jobs: if: github.repository == 'CosmWasm/wasmd' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: bufbuild/buf-setup-action@v1.50.0 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0 # lint checks - - uses: bufbuild/buf-lint-action@v1 + - uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # v1.1.1 with: input: 'proto' - # TODO: Add this when project is more stable. - # backward compatibility breaking checks - #- uses: bufbuild/buf-breaking-action@v1 - # with: - # input: 'proto' - # against: 'https://github.com/CosmWasm/wasmd.git#branch=master' - # publish proto files - - uses: bufbuild/buf-push-action@v1 + - uses: bufbuild/buf-push-action@a654ff18effe4641ebea4a4ce242c49800728459 # v1.2.0 with: input: 'proto' buf_token: ${{ secrets.BUF_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7bc677bdf..d463c2d69 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,10 +17,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Docker - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.0.0 - name: Build Docker image run: | diff --git a/.github/workflows/typo-check.yml b/.github/workflows/typo-check.yml index 6650be9df..078d7fc36 100644 --- a/.github/workflows/typo-check.yml +++ b/.github/workflows/typo-check.yml @@ -17,6 +17,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Run spell-check - uses: crate-ci/typos@master + uses: crate-ci/typos@bee27e3a4fd1ea2111cf90ab89cd076c870fce14 # v1.48.0 From 1cdd58815deb632de9c1ba8f86e5fee7b9cab26f Mon Sep 17 00:00:00 2001 From: ipicoinrepo <119383174+ipicoinrepo@users.noreply.github.com> Date: Wed, 15 Jul 2026 12:00:39 +0200 Subject: [PATCH 3/3] ci: use the complete upload-artifact commit SHA --- .github/workflows/checks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 7d4f3a96e..ca083df98 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -111,7 +111,7 @@ jobs: fi - name: Upload coverage and logs - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0 # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.0 with: name: coverage-${{ matrix.shard }} path: | @@ -170,7 +170,7 @@ jobs: - name: Upload test system artifacts if: failure() - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0 # v7.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.0 with: name: test-system-artifacts path: /tmp/test-system-artifacts