diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index c6754107..218a7c3c 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml @@ -6,27 +6,10 @@ inputs: description: "Skip Compact compiler installation" required: false default: "false" - gh-token: - description: "The GITHUB_TOKEN created by the calling workflow" - required: true - -outputs: - compact-home: - description: "Path to Compact compiler installation" - value: ${{ steps.compact-outputs.outputs.compact-home }} - compact-version: - description: "Installed Compact compiler version" - value: ${{ steps.compact-outputs.outputs.version }} runs: using: "composite" steps: - - name: Set shared environment variables - shell: bash - run: | - echo "COMPILER_VERSION=0.26.0" >> $GITHUB_ENV - echo "LANGUAGE_VERSION=0.18.0" >> $GITHUB_ENV - - name: Enable corepack shell: bash run: corepack enable @@ -35,18 +18,9 @@ runs: uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: .turbo - key: ${{ runner.os }}-turbo-${{ hashFiles('.turbo/*') }}-${{ github.sha }} + key: ${{ runner.os }}-turbo-${{ github.sha }} restore-keys: | - ${{ runner.os }}-turbo-${{ hashFiles('.turbo/*') }} - - - name: Cache Compact compiler - if: inputs.skip-compact != 'true' - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - id: compact-cache - with: - path: | - ~/.local/bin/compact - key: compact-compiler-${{ env.COMPILER_VERSION }}-${{ runner.os }} + ${{ runner.os }}-turbo- - name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 
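Review bot: The `outputs` block (`compact-home`, `compact-version`) is deleted along with the `gh-token` input, which silently breaks any caller that reads `steps.<id>.outputs.compact-home` or `.compact-version` from this composite action; none of the workflows in this diff do, but other callers are not visible here, so this should be confirmed before merge. If the outputs are intentionally dropped, the action's `description` (above this hunk) should say that the compiler location is now exported only via `PATH`/`GITHUB_ENV` by the replacement action, since the previous contract documented an explicit output. The surrounding `inputs:` mapping starts above the hunk.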
@@ -65,80 +39,8 @@ runs: TURBO_TELEMETRY_DISABLED: 1 run: npm install turbo@${{ env.TURBO_MAJOR_VERSION }} -g - - name: Install Compact compiler - env: - GITHUB_TOKEN: ${{ inputs.gh-token }} # avoid rate limiting - if: inputs.skip-compact != 'true' && steps.compact-cache.outputs.cache-hit != 'true' - shell: bash - run: | - set -euo pipefail - COMPACT_HOME="$HOME/.local/bin" - mkdir -p "$COMPACT_HOME" - - # Require COMPACT_INSTALLER_URL to be provided by the caller - if [ -z "${COMPACT_INSTALLER_URL:-}" ]; then - echo "::error::COMPACT_INSTALLER_URL is required but not set. Provide it via env or secrets." - exit 1 - fi - - echo "🔧 Installing Compact compiler from $COMPACT_INSTALLER_URL ..." - curl --proto '=https' --tlsv1.2 -LsSf "$COMPACT_INSTALLER_URL" | sh - - echo "🔧 Updating Compact compiler to $COMPILER_VERSION..." - "$COMPACT_HOME/compact" update "$COMPILER_VERSION" - - echo "✅ Compact compiler installed" - - - name: Setup Compact environment - if: inputs.skip-compact != 'true' - shell: bash - run: | - COMPACT_HOME="$HOME/.local/bin" - echo "📁 Setting Compact environment variables..." - echo "COMPACT_HOME=$COMPACT_HOME" >> "$GITHUB_ENV" - echo "$COMPACT_HOME" >> "$GITHUB_PATH" - - if [ -f "$COMPACT_HOME/compact" ]; then - echo "✅ Compact compiler is installed at $COMPACT_HOME" - else - echo "::error::❌ Compact compiler not found in $COMPACT_HOME" - exit 1 - fi - - - name: Set Compact outputs - if: inputs.skip-compact != 'true' - id: compact-outputs - shell: bash - run: | - echo "compact-home=$HOME/.local/bin" >> $GITHUB_OUTPUT - echo "version=$COMPILER_VERSION" >> $GITHUB_OUTPUT - - - name: Check compiler and language version - if: inputs.skip-compact != 'true' - shell: bash - run: | - set -euo pipefail - - echo "🔧 Updating Compact compiler to $COMPILER_VERSION..." - "$COMPACT_HOME/compact" update "$COMPILER_VERSION" - - echo "🔍 Checking Compact compiler version..." 
- COMPILER_OUTPUT=$("$COMPACT_HOME/compact" compile --version) - COMPUTED_COMPILER_VERSION=$(echo "$COMPILER_OUTPUT" | grep -oP '\b0\.[0-9]+\.[0-9]+\b' | head -n 1) - - if [ "$COMPUTED_COMPILER_VERSION" != "$COMPILER_VERSION" ]; then - echo "::error::❌ Compiler version mismatch!%0AExpected: $COMPILER_VERSION%0AGot: $COMPUTED_COMPILER_VERSION" - exit 1 - fi - echo "✅ Compiler version matches: $COMPUTED_COMPILER_VERSION" - - echo "🔍 Checking Compact language version..." - LANGUAGE_OUTPUT=$("$COMPACT_HOME/compact" compile --language-version) - COMPUTED_LANGUAGE_VERSION=$(echo "$LANGUAGE_OUTPUT" | grep -oP '\b0\.[0-9]+\.[0-9]+\b' | tail -n 1) - - if [ "$COMPUTED_LANGUAGE_VERSION" != "$LANGUAGE_VERSION" ]; then - echo "::error::❌ Language version mismatch!%0AExpected: $LANGUAGE_VERSION%0AGot: $COMPUTED_LANGUAGE_VERSION" - exit 1 - fi - echo "✅ Language version matches: $COMPUTED_LANGUAGE_VERSION" - \ No newline at end of file + - name: Setup Compact Compiler + if: ${{ inputs.skip-compact != 'true' }} + uses: midnightntwrk/setup-compact-action@4130145456ad3f45934788dd4a65647eb283e658 + with: + compact-version: "0.26.0" diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 24577adb..a26bfe30 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -13,11 +13,15 @@ jobs: checks: name: Run Checks runs-on: ubuntu-24.04 - - env: - COMPACT_INSTALLER_URL: ${{ vars.COMPACT_INSTALLER_URL }} + permissions: + contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + with: + egress-policy: audit + - name: Check out code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: @@ -26,8 +30,7 @@ jobs: - name: Setup Environment uses: ./.github/actions/setup with: - skip-compact: 'true' - gh-token: ${{ secrets.GITHUB_TOKEN }} # secrets must be passed to composite actions + skip-compact: "true" - name: Format & Lint run: turbo fmt-and-lint:ci 
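Review bot: The new `uses: midnightntwrk/setup-compact-action@4130145456ad3f45934788dd4a65647eb283e658` is the only SHA pin in this file without a trailing version comment (every other pin carries one, e.g. `# v6.1.0`), so the commit hash cannot be audited against a release tag or bumped by tooling; add `uses: midnightntwrk/setup-compact-action@4130145456ad3f45934788dd4a65647eb283e658 # <release tag — placeholder>`. The deleted "Check compiler and language version" step asserted both the compiler version and `LANGUAGE_VERSION=0.18.0`; the new side pins only `compact-version: "0.26.0"`, so language-version drift is no longer caught unless the replacement action checks it, which is not visible here. Also `if: ${{ inputs.skip-compact != 'true' }}` departs from the bare-expression style (`if: inputs.skip-compact != 'true'`) used by the other conditions in this file.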
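Review bot: The new `Harden Runner` step uses `egress-policy: audit`, which only records outbound connections and does not restrict them, so it adds visibility but no enforcement; the same setting is used in the codeql.yml, prepare-release.yml, release.yml and test.yml hunks. Once the audit data shows the endpoints these jobs need, switch to `egress-policy: block` with an `allowed-endpoints:` list so unexpected egress fails the job rather than just being logged. The job-level `permissions: contents: read` added here (and in test.yml) is good; the codeql.yml hunk does not show an equivalent block, though one may exist above its hunk.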
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 43d46589..67e4100f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,10 +22,12 @@ jobs: matrix: language: ["javascript-typescript", "actions"] - env: - COMPACT_INSTALLER_URL: ${{ vars.COMPACT_INSTALLER_URL }} - steps: + - name: Harden Runner + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + with: + egress-policy: audit + - name: Check out code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: @@ -34,7 +36,6 @@ jobs: - name: Setup Environment uses: ./.github/actions/setup with: - gh-token: ${{ secrets.GITHUB_TOKEN }} # secrets must be passed to composite actions skip-compact: "true" - name: Initialize CodeQL diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index 8ee330e6..5c5b3fea 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml 
@@ -13,83 +13,88 @@ jobs: runs-on: ubuntu-24.04 steps: - - name: Checkout repository - uses: actions/checkout@v6 - - - name: Enable Corepack - run: corepack enable - - - name: Setup Node.js - uses: actions/setup-node@v6 - with: - node-version-file: ".nvmrc" - cache: "yarn" - - - name: Extract current version - run: | - CURRENT_VERSION=$(node -p "require('./contracts/package.json').version") - echo "CURRENT_VERSION=$CURRENT_VERSION" >> "$GITHUB_ENV" - - - name: Extract new version number - run: echo "NEW_VERSION=${GITHUB_REF#refs/heads/release-v}" >> "$GITHUB_ENV" - - - name: Validate new version - run: | - BRANCH="${GITHUB_REF#refs/heads/}" - echo "Branch: $BRANCH" - echo "Current version: $CURRENT_VERSION" - echo "New version: $NEW_VERSION" - - # 1) Branch must match release-v - if ! echo "$BRANCH" | grep -Eq '^release-v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$'; then - echo "Error: Branch '$BRANCH' must match 'release-v' (e.g., release-v1.2.3)." >&2 - exit 1 - fi - - # 2) NEW_VERSION must be valid semver - node -e "const v=process.env.NEW_VERSION; const semver=/^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?(?:\\+([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?$/; if(!semver.test(v)){ console.error('Error: NEW_VERSION is not valid semver:', v); process.exit(1); }" - if [ $? -ne 0 ]; then - exit 1 - fi - - # 3) NEW_VERSION must differ from CURRENT_VERSION - if [ "$NEW_VERSION" = "$CURRENT_VERSION" ]; then - echo "Error: NEW_VERSION equals CURRENT_VERSION ($CURRENT_VERSION). Nothing to release." 
>&2 - exit 1 - fi - - - name: Replace version in files - env: - NEW_VERSION: ${{ env.NEW_VERSION }} - run: | - echo "Current version: $CURRENT_VERSION" - echo "New version: $NEW_VERSION" - - # Update package.json version field - node -e ' - const fs = require("fs"); - const path = "./contracts/package.json"; - const pkg = JSON.parse(fs.readFileSync(path, "utf8")); - pkg.version = process.env.NEW_VERSION; - fs.writeFileSync(path, JSON.stringify(pkg, null, 2) + "\n"); - ' - - # Escape special characters for sed - ESCAPED_CURRENT=$(printf '%s' "$CURRENT_VERSION" | sed -e 's/[\/&]/\\&/g') - ESCAPED_NEW=$(printf '%s' "$NEW_VERSION" | sed -e 's/[\/&]/\\&/g') - - # Pattern to match version + optional prerelease (-alpha.1) and build (+build) suffixes - VERSION_SUFFIX='(-[A-Za-z0-9.]+)?(\+[A-Za-z0-9.]+)?' - - # Replace version in contracts/src/ - find ./contracts/src/ -type d -name '.*' -prune -o \ - -type f -exec sed -Ei "s#${ESCAPED_CURRENT}${VERSION_SUFFIX}#$ESCAPED_NEW#g" {} + - - # Replace version in docs/, excluding package-lock.json - find ./docs/ -type d -name '.*' -prune -o \ - -type f ! 
-name 'package-lock.json' -exec sed -Ei "s#${ESCAPED_CURRENT}${VERSION_SUFFIX}#$ESCAPED_NEW#g" {} + - - - name: Auto-commit changes - uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 #v7.0.0 - with: - commit_message: Bump version to ${{ env.NEW_VERSION }} + - name: Harden Runner + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + + - name: Enable Corepack + run: corepack enable + + - name: Setup Node.js + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 + with: + node-version-file: ".nvmrc" + cache: "yarn" + + - name: Extract current version + run: | + CURRENT_VERSION=$(node -p "require('./contracts/package.json').version") + echo "CURRENT_VERSION=$CURRENT_VERSION" >> "$GITHUB_ENV" + + - name: Extract new version number + run: echo "NEW_VERSION=${GITHUB_REF#refs/heads/release-v}" >> "$GITHUB_ENV" + + - name: Validate new version + run: | + BRANCH="${GITHUB_REF#refs/heads/}" + echo "Branch: $BRANCH" + echo "Current version: $CURRENT_VERSION" + echo "New version: $NEW_VERSION" + + # 1) Branch must match release-v + if ! echo "$BRANCH" | grep -Eq '^release-v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$'; then + echo "Error: Branch '$BRANCH' must match 'release-v' (e.g., release-v1.2.3)." >&2 + exit 1 + fi + + # 2) NEW_VERSION must be valid semver + node -e "const v=process.env.NEW_VERSION; const semver=/^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?(?:\\+([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?$/; if(!semver.test(v)){ console.error('Error: NEW_VERSION is not valid semver:', v); process.exit(1); }" + if [ $? 
-ne 0 ]; then + exit 1 + fi + + # 3) NEW_VERSION must differ from CURRENT_VERSION + if [ "$NEW_VERSION" = "$CURRENT_VERSION" ]; then + echo "Error: NEW_VERSION equals CURRENT_VERSION ($CURRENT_VERSION). Nothing to release." >&2 + exit 1 + fi + + - name: Replace version in files + env: + NEW_VERSION: ${{ env.NEW_VERSION }} + run: | + echo "Current version: $CURRENT_VERSION" + echo "New version: $NEW_VERSION" + + # Update package.json version field + node -e ' + const fs = require("fs"); + const path = "./contracts/package.json"; + const pkg = JSON.parse(fs.readFileSync(path, "utf8")); + pkg.version = process.env.NEW_VERSION; + fs.writeFileSync(path, JSON.stringify(pkg, null, 2) + "\n"); + ' + + # Escape special characters for sed + ESCAPED_CURRENT=$(printf '%s' "$CURRENT_VERSION" | sed -e 's/[\/&]/\\&/g') + ESCAPED_NEW=$(printf '%s' "$NEW_VERSION" | sed -e 's/[\/&]/\\&/g') + + # Pattern to match version + optional prerelease (-alpha.1) and build (+build) suffixes + VERSION_SUFFIX='(-[A-Za-z0-9.]+)?(\+[A-Za-z0-9.]+)?' + + # Replace version in contracts/src/ + find ./contracts/src/ -type d -name '.*' -prune -o \ + -type f -exec sed -Ei "s#${ESCAPED_CURRENT}${VERSION_SUFFIX}#$ESCAPED_NEW#g" {} + + + # Replace version in docs/, excluding package-lock.json + find ./docs/ -type d -name '.*' -prune -o \ + -type f ! -name 'package-lock.json' -exec sed -Ei "s#${ESCAPED_CURRENT}${VERSION_SUFFIX}#$ESCAPED_NEW#g" {} + + + - name: Auto-commit changes + uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 #v7.0.0 + with: + commit_message: Bump version to ${{ env.NEW_VERSION }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bb48dabe..925226b9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
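Review bot: In the re-indented `Replace version in files` step, `ESCAPED_CURRENT` is escaped only for `/` and `&`, but it is used as an extended regex (`sed -Ei`) with `#` as the delimiter, so the dots in a version like `1.2.3` match any character and a literal `+`/`#` would also be mis-handled; escape the regex metacharacters and delimiter instead, e.g. `ESCAPED_CURRENT=$(printf '%s' "$CURRENT_VERSION" | sed -e 's/[.+#\/&]/\\&/g')` and `ESCAPED_NEW=$(printf '%s' "$NEW_VERSION" | sed -e 's/[#\/&]/\\&/g')`. This is pre-existing logic carried into the new side, not introduced by the pinning change. The `Auto-commit changes` step pushes to the branch and therefore needs `contents: write`; the job header and any `permissions:` block are above this hunk, so that should be confirmed.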
@@ -11,17 +11,17 @@ jobs: contents: read id-token: write - env: - COMPACT_INSTALLER_URL: ${{ vars.COMPACT_INSTALLER_URL }} - steps: + - name: Harden Runner + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Setup Environment uses: ./.github/actions/setup - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} # secrets must be passed to composite actions - name: Build contracts run: turbo build --filter=!'docs' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f505df1e..11b52008 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -16,21 +16,20 @@ on: - "biome.json" - "turbo.json" -env: - TURBO_TELEMETRY_DISABLED: 1 - COMPILER_VERSION: "0.26.0" - LANGUAGE_VERSION: "0.18.0" - jobs: run-suite: name: Run Test Suite runs-on: ubuntu-24.04 + permissions: + contents: read timeout-minutes: 15 - env: - COMPACT_INSTALLER_URL: ${{ vars.COMPACT_INSTALLER_URL }} - steps: + - name: Harden Runner + uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3 + with: + egress-policy: audit + - name: Check out code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: @@ -38,10 +37,8 @@ jobs: - name: Setup Environment uses: ./.github/actions/setup - with: - gh-token: ${{ secrets.GITHUB_TOKEN }} # secrets must be passed to composite actions - - name: Compile contracts (with retry) + - name: Compile contracts run: turbo compact --filter=@openzeppelin/compact-contracts - name: Run type checks
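Review bot: In the test.yml hunk the workflow-level `env` block is removed, which drops `TURBO_TELEMETRY_DISABLED: 1`, and nothing on the new side re-adds it; the only remaining occurrence visible in this diff is the step-scoped `env` on the `npm install turbo` step of the setup action, so `turbo compact` and the later `turbo` invocations in this job will send telemetry unless the variable is set elsewhere. Re-add it at job level next to the new `permissions` block: `env:` / `  TURBO_TELEMETRY_DISABLED: 1`. The removal of `COMPILER_VERSION`/`LANGUAGE_VERSION` from the same block looks intentional given the setup action now pins the compiler itself, but any other step in this workflow that still reads `env.COMPILER_VERSION` is outside the hunk and should be checked.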