diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml index 014d39ff..e6ac41dc 100644 --- a/.github/workflows/commitlint.yml +++ b/.github/workflows/commitlint.yml @@ -8,17 +8,20 @@ on: dev testnet-goerli +permissions: + contents: read + jobs: commitlint: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - - name: Install node dependencies - run: | - npm install conventional-changelog-conventionalcommits - npm install commitlint@18.2.0 + + - name: Install dependencies + run: npm ci - name: Validate current commit (last commit) with commitlint if: github.event_name == 'push' diff --git a/.github/workflows/forge-test-intense.yml b/.github/workflows/forge-test-intense.yml index 5f17cf63..b370bbfd 100644 --- a/.github/workflows/forge-test-intense.yml +++ b/.github/workflows/forge-test-intense.yml @@ -8,6 +8,9 @@ on: - testnet-holesky - dev +permissions: + contents: read + env: FOUNDRY_PROFILE: intense @@ -19,15 +22,16 @@ jobs: forge-test-intense: name: Test (Intense) runs-on: ubuntu-latest + timeout-minutes: 240 # 4 hours for intense testing steps: # Check out repository with all submodules for complete codebase access. - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive # Install the Foundry toolchain. - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 with: version: stable diff --git a/.github/workflows/foundry.yml b/.github/workflows/foundry.yml index 0ea35815..f732be9a 100644 --- a/.github/workflows/foundry.yml +++ b/.github/workflows/foundry.yml @@ -9,6 +9,10 @@ on: - dev pull_request: +permissions: + contents: read + actions: read # Required for artifact upload + env: FOUNDRY_PROFILE: ci RPC_MAINNET: ${{ secrets.RPC_MAINNET }} 
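Review bot: The new `run: npm ci` step in commitlint.yml executes every dependency's install-time lifecycle scripts, which a lint-only job does not need; if commitlint's tree needs no such scripts, `run: npm ci --ignore-scripts` keeps the install from running code out of node_modules on a runner that has just checked out the full history. It also assumes package.json and package-lock.json declare commitlint and conventional-changelog-conventionalcommits, which this diff does not show (the package-lock.json hunk later in the patch only touches cross-spawn), and no `actions/setup-node` step sits between the checkout and the install, so the Node and npm versions come from whatever the ubuntu-latest image currently ships. The remaining steps of the job lie outside the hunk.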
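Review bot: Pinning foundry-rs/foundry-toolchain to a commit SHA in forge-test-intense.yml leaves `version: stable` directly below it floating, so the Foundry binary the job actually runs still changes with every upstream release; the same pattern appears in both job hunks of foundry.yml and in storage-report.yml, where it is `version: nightly`. If the purpose of the SHA pins is reproducible, supply-chain-stable CI, pin the toolchain too, e.g. `version: <specific Foundry release tag>` with a trailing comment recording when it was last bumped, and update it deliberately together with the action SHAs. The step list continues past the end of the hunk.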
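Review bot: The `actions: read # Required for artifact upload` grant in foundry.yml looks broader than needed: as far as I know actions/upload-artifact@v4 uploads through the job's runtime token and works under `permissions: contents: read` alone, while `actions: read` is what download-artifact needs to fetch artifacts from other workflow runs. If a run with only `contents: read` succeeds, drop the line; if the scope really is required, reword the comment to name the step and API call that needs it so the extra grant is not copied into the other workflows as boilerplate.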
@@ -23,15 +27,16 @@ jobs: test: name: Test runs-on: ubuntu-latest + timeout-minutes: 30 steps: # Check out repository with all submodules for complete codebase access. - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive # Install the Foundry toolchain. - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 with: version: stable @@ -63,15 +68,16 @@ jobs: run-coverage: name: Coverage runs-on: ubuntu-latest + timeout-minutes: 45 steps: # Check out repository with all submodules for complete codebase access. - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive # Install the Foundry toolchain. - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 with: version: stable @@ -96,10 +102,11 @@ jobs: # Upload coverage report as artifact before potential failure - name: Upload Coverage Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: code-coverage-report path: report/* + retention-days: 30 # Check coverage threshold after uploading report - name: Check Coverage Threshold for >=90% diff --git a/.github/workflows/storage-report.yml b/.github/workflows/storage-report.yml index ddd22a2e..e8d423e0 100644 --- a/.github/workflows/storage-report.yml +++ b/.github/workflows/storage-report.yml 
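Review bot: The new `timeout-minutes: 30` on the test job and `timeout-minutes: 45` on the coverage job (next hunk) carry no rationale, whereas forge-test-intense.yml documents its `timeout-minutes: 240 # 4 hours for intense testing`; a short trailing comment on each, e.g. `timeout-minutes: 30 # ci-profile budget; raise deliberately, not on the first slow run`, would tell the next maintainer whether a timeout hit is a real regression or just a tight budget. Both job definitions continue beyond their hunks.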
@@ -10,17 +10,21 @@ on: - dev pull_request: +permissions: + contents: read + jobs: check_storage: name: CI runs-on: "ubuntu-latest" + timeout-minutes: 20 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 with: version: nightly @@ -32,8 +36,17 @@ jobs: env: TARGET: ${{ github.event.pull_request.base.sha }} run: | - git fetch origin $TARGET - git checkout $TARGET + # Validate TARGET is a valid SHA (enhanced validation) + if [ -z "$TARGET" ]; then + echo "::error::TARGET SHA is empty" + exit 1 + fi + if ! echo "$TARGET" | grep -qE '^[a-f0-9]{40}$'; then + echo "::error::Invalid SHA format: $TARGET" + exit 1 + fi + git fetch origin "$TARGET" + git checkout "$TARGET" - name: "Generate and prepare the storage reports for target branch" run: | @@ -46,4 +59,4 @@ jobs: else echo "::error::Differences found between PR and target branch storage layouts" exit 1 - fi \ No newline at end of file + fi diff --git a/package-lock.json b/package-lock.json index db549482..56a1d932 100644 --- a/package-lock.json +++ b/package-lock.json @@ -676,10 +676,11 @@ } }, "node_modules/cross-spawn": { - "version": "7.0.3", - "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", - "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==", + "version": "7.0.6", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", + "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", "dev": true, + "license": "MIT", "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0",
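Review bot: The new empty-TARGET check in storage-report.yml changes the failure mode on non-PR events: the workflow also triggers on push to dev (context of the first hunk), where `github.event.pull_request.base.sha` expands to an empty string, so this step now exits 1 with `TARGET SHA is empty` unless the step header above the hunk already carries an `if:`; confirm it has `if: github.event_name == 'pull_request'` or add one. The format check is correct for today's SHA-1 ids, but `^[a-f0-9]{40}$` rejects 64-hex SHA-256 object ids should the repository ever migrate, and `grep -qE '^[a-f0-9]{40}([a-f0-9]{24})?$'` keeps it forward-compatible at no cost. The comment `# Validate TARGET is a valid SHA (enhanced validation)` could drop the parenthetical, which does not say what is enhanced relative to what.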