imua-xyz · MaxMustermann2 · Mar 12, 2024 · Mar 11, 2024 · Mar 11, 2024 · Mar 11, 2024
diff --git a/.checkov.yaml b/.checkov.yaml
@@ -0,0 +1,3 @@
+skip-path:
+  # auto generated
+  - client/docs
diff --git a/.github/workflows/ante-benchmark.yml b/.github/workflows/ante-benchmark.yml
@@ -1,5 +1,8 @@
 name: AnteHandler Benchmark Tests
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -11,6 +11,11 @@
 #
 name: "CodeQL"
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 on:
   push:
     branches: [develop, main, master]

diff --git a/.github/workflows/consensuswarn.yml b/.github/workflows/consensuswarn.yml
@@ -7,9 +7,14 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   main:
     permissions:
+      contents: read
       pull-requests: write  # For reading the PR and posting comment
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml
@@ -1,4 +1,8 @@
 name: E2E Test Release
+
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:

diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
@@ -1,4 +1,8 @@
 name: E2E Test
+
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:

diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -1,5 +1,9 @@
 name: goreleaser
 
+permissions:
+  # github releases
+  contents: write
+
 on:
   push:
     tags:

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -1,5 +1,9 @@
 name: "Pull Request Labeler"
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   pull_request_target:
 

diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
@@ -1,5 +1,9 @@
 name: Check Markdown links
-on: 
+
+permissions:
+  contents: read
+
+on:
   pull_request:
     paths:
       - '**.md'
@@ -10,6 +14,9 @@ on:
       - master
     paths:
       - '**.md'
+  # runs every monday at 9 am
+  schedule:
+    - cron: "0 9 * * 1"
 
 jobs:
   markdown-link-check:
@@ -18,7 +25,5 @@ jobs:
       - uses: actions/checkout@v4
       - uses: gaurav-nelson/github-action-markdown-link-check@master
         with:
-          check-modified-files-only: "yes"
-          use-quiet-mode: "yes"
           base-branch: "main"
           config-file: "mlc_config.json"
diff --git a/.github/workflows/proto.yml b/.github/workflows/proto.yml
@@ -6,6 +6,9 @@ on:
     paths:
       - "proto/**"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -7,9 +7,14 @@ on:
       - main
       - master
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   Gosec:
     permissions:
+      contents: read
       security-events: write
 
     runs-on: ubuntu-latest

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -1,4 +1,6 @@
 name: Semgrep
+permissions:
+  contents: read
 on:
   # Scan changed files in PRs, block on new issues only (existing issues ignored)
   pull_request: {}

diff --git a/.github/workflows/slither.yml b/.github/workflows/slither.yml
@@ -8,6 +8,10 @@ on:
       - main
       - master
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     # disabled for now, since we don't have any Solidity files.

diff --git a/.github/workflows/solhint.yml b/.github/workflows/solhint.yml
@@ -1,10 +1,13 @@
 name: Solhint
-# This workflow is only run when a .sol file has been changed
+# This workflow is only run when a file in the contracts folder changes.
 on:
   pull_request:
     paths:
       - "contracts/**"
 
+permissions:
+  contents: read
+
 jobs:
   solhint:
     name: runner / solhint

diff --git a/.github/workflows/solidity-test.yml b/.github/workflows/solidity-test.yml
@@ -7,6 +7,9 @@ on:
       - master
       - release/**
 
+permissions:
+  contents: read
+
 jobs:
   test-solidity:
     # disabled for now, since we don't have any Solidity files.

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -7,6 +7,9 @@
 ---
 name: Lint Code Base
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["develop", "main", "master"]
@@ -33,9 +36,10 @@ jobs:
           VALIDATE_NATURAL_LANGUAGE: false
           VALIDATE_OPENAPI: false
           VALIDATE_JSCPD: false
+          # The JSON files in the repo are generated (abis or swagger)
+          # or are linting files. So this can be safely disabled.
+          VALIDATE_JSON: false
           # separate workflow
           VALIDATE_GO: false
           VALIDATE_GO_MODULES: false
-          # TODO: enable docker coverage later
-          VALIDATE_CHECKOV: false
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,13 +1,18 @@
 name: Tests
 on:
-  pull_request:
+  # for write permission, use pull_request_target and not pull_request.
+  pull_request_target:
   push:
     branches:
       - develop
       - main
       - master
       - release/**
 
+permissions:
+  contents: write
+  pull-requests: write
+
 # Automatically cancel run if another commit to the same ref is detected.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,14 +34,32 @@ jobs:
             **/**.go
             go.mod
             go.sum
-      - name: Test and Create Coverage Report
+      - name: Test and create coverage report
         run: |
           make test-unit-cover
         if: env.GIT_DIFF
-      - uses: codecov/codecov-action@v3
-        # disabled for now, since we don't have any codecov
-        if: ${{ false }}
+      - name: Check if test coverage is above threshold
+        id: output-coverage
+        uses: vladopajic/go-test-coverage@v2
+        with:
+          profile: cover.out
+          local-prefix: github.com/ExocoreNetwork/exocore
+          # TODO: increase this threshold with time to 80
+          threshold-total: 10
+        if: env.GIT_DIFF
+      - name: Find comment
+        id: find-comment
+        uses: peter-evans/find-comment@v2
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+        if: env.GIT_DIFF && github.event_name == 'pull_request'
+      - name: Comment coverage on PR
+        uses: peter-evans/create-or-update-comment@v3
         with:
-          file: ./coverage.txt
-          fail_ci_if_error: true
-        # if: env.GIT_DIFF
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          body: |
+            Coverage as of ${{ github.sha }}: ${{ steps.output-coverage.outputs.total-coverage }}%
+          edit-mode: append
+        if: env.GIT_DIFF && github.event_name == 'pull_request'
diff --git a/.gitignore b/.gitignore
@@ -49,7 +49,6 @@ localnet-setup
 .testnets
 
 # Testing
-coverage.txt
 *.out
 sim_log_file
 tests/**/tmp/*

diff --git a/.golangci.yml b/.golangci.yml
@@ -67,4 +67,4 @@ issues:
     # however, other linters have not yet caught up.
     - text: 'leading space'
       linters:
-        - nolintlint
+        - nolintlint