Merge pull request #6452 from smartcontractkit/release/1.3.0-rc5

1.3.0-rc5 -> master

.dockerignore

@@ -11,11 +11,14 @@ tmp/
 
 contracts/node_modules
 examples/
-integration/node_modules
+
+integration/
+integration-scripts/
+integration-tests/
 
 tools/gethnet/datadir/geth
 tools/clroot/db.bolt
-tools/clroot/*.jsonl
+tools/clroot/*.log
 tools/clroot/tempkeys
 
 core/sgx/target/

.github/actions/build-sign-publish-chainlink/action.yml

@@ -38,13 +38,18 @@ inputs:
     description: When set to the string boolean value of "true", the resulting build image will be signed
     default: "false"
     required: false
-
   cosign-private-key:
     description: The private key to be used with cosign to sign the image
     required: false
-
   cosign-password:
     description: The password to decrypt the cosign private key needed to sign the image
+  sign-method:
+    description: Build image will be signed using keypair or keyless methods
+    default: "keypair"
+    required: true
+  verify-signature:
+    description: When set to the string boolean value of "true", the resulting build image signature will be verified
+    default: "false"
     required: false
 
 runs:
@@ -65,7 +70,6 @@ runs:
 
       SHARED_BUILD_ARGS=$(cat << EOF
       COMMIT_SHA=${{ github.sha }}
-      ENVIRONMENT=release
       EOF
       )
 
@@ -108,19 +112,26 @@ runs:
       images: ${{ env.shared-images }}
       tags: ${{ env.shared-tag-list }}
 
-
   - name: Build and push root docker image
     id: buildpush-root
-    uses: docker/build-push-action@a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229 # v2.7.0
+    uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2.10.0
     with:
       push: ${{ inputs.publish }}
+      load: ${{ contains(inputs.publish, false) }}
       tags: ${{ steps.meta-root.outputs.tags }}
       labels: ${{ steps.meta-root.outputs.labels }}
       file: core/chainlink.Dockerfile
       build-args: |
         CHAINLINK_USER=root
         ${{ env.shared-build-args }}
 
+  - name: Save root image name in GITHUB_ENV
+    id: save-root-image-name-env
+    shell: sh
+    run: |
+      IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
+      echo "root_image_name=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)" >> $GITHUB_ENV
+
   - name: Generate docker metadata for non-root image
     id: meta-nonroot
     uses: docker/metadata-action@e5622373a38e60fb6d795a4421e56882f2d7a681 # v3.6.2
@@ -134,46 +145,108 @@ runs:
 
   - name: Build and push non-root docker image
     id: buildpush-nonroot
-    uses: docker/build-push-action@a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229 # v2.7.0
+    uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2.10.0
     with:
       push: ${{ inputs.publish }}
+      load: ${{ contains(inputs.publish, false) }}
       tags: ${{ steps.meta-nonroot.outputs.tags }}
       labels: ${{ steps.meta-nonroot.outputs.labels }}
       file: core/chainlink.Dockerfile
       build-args: |
         CHAINLINK_USER=chainlink
         ${{ env.shared-build-args }}
 
+  - name: Save non-root image name in GITHUB_ENV
+    id: save-non-root-image-name-env
+    shell: sh
+    run: |
+      IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['image.name'] }}
+      echo "nonroot_image_name=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)" >> $GITHUB_ENV
+
+  - name: Check if non-root image runs as root
+    id: check-nonroot-runs-root
+    shell: sh
+    env:
+      PUBLISH: ${{ inputs.publish }}
+    run: |
+      echo "Fail build if non-root image runs as user: root"
+      # if we're publishing the image, it doesn't get loaded into the local docker daemon
+      # so we need to pull the image into our daemon
+      if [ $PUBLISH = "true" ]; then 
+       docker pull "${nonroot_image_name}"
+      fi
+      docker inspect "${nonroot_image_name}" | jq -r '.[].Config.User' | ( ! grep "root" )
+
   - if: inputs.sign-images == 'true'
     name: Install cosign
     uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 # v1.4.0
     with:
       cosign-release: 'v1.4.0'
 
-  - if: inputs.sign-images == 'true'
-    name: Write signing key to disk (only needed for `cosign sign --key`)
+  - if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
+    name: Sign the published root Docker image using keypair method
     shell: sh
-    run: echo "${{ inputs.cosign-private-key }}" > cosign.key
+    env:
+      COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
+    run: |
+      echo "${{ inputs.cosign-private-key }}" > cosign.key
+      cosign sign --key cosign.key "${{ env.root_image_name }}"
+      rm -f cosign.key
 
-  - if: inputs.sign-images == 'true'
-    name: Sign the published root Docker image
+  - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
+    name: Verify the signature of the published root Docker image using keypair
+    shell: sh
+    run: |
+      echo "${{ inputs.cosign-public-key }}" > cosign.key
+      cosign verify --key cosign.key "${{ env.root_image_name }}"
+      rm -f cosign.key
+
+  - if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
+    name: Sign the published root Docker image using keyless method
     shell: sh
     env:
-      COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
+      COSIGN_EXPERIMENTAL: 1
     run: |
-      IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
-      IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
+      cosign sign "${{ env.root_image_name }}"
 
-      cosign sign --key cosign.key "$IMAGE_NAME"
+  - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
+    name: Verify the signature of the published root Docker image using keyless
+    shell: sh
+    env:
+      COSIGN_EXPERIMENTAL: 1
+    run: |
+      cosign verify "${{ env.root_image_name }}"
 
-  - if: inputs.sign-images == 'true'
-    name: Sign the published non-root Docker image
+  - if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
+    name: Sign the published non-root Docker image using keypair method
     shell: sh
     env:
       COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
     run: |
-      IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['image.name'] }}
-      IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
+      echo "${{ inputs.cosign-private-key }}" > cosign.key
+      cosign sign --key cosign.key "${{ env.nonroot_image_name }}"
+      rm -f cosign.key
 
-      cosign sign --key cosign.key "$IMAGE_NAME"
+  - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
+    name: Verify the signature of the published non-root Docker image using keypair
+    shell: sh
+    run: |
+      echo "${{ inputs.cosign-public-key }}" > cosign.key
+      cosign verify --key cosign.key "${{ env.nonroot_image_name }}"
+      rm -f cosign.key
+
+  - if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
+    name: Sign the published non-root Docker image using keyless method
+    shell: sh
+    env:
+      COSIGN_EXPERIMENTAL: 1
+    run: |
+      cosign sign "${{ env.nonroot_image_name }}"
 
+  - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
+    name: Verify the signature of the published non-root Docker image using keyless
+    shell: sh
+    env:
+      COSIGN_EXPERIMENTAL: 1
+    run: |
+      cosign verify "${{ env.nonroot_image_name }}"

.github/dependabot.yml

@@ -5,6 +5,11 @@ updates:
     schedule:
       interval: monthly
     open-pull-requests-limit: 10
+    ignore:
+      # Old versions are pinned for libocr.
+      - dependency-name: github.com/libp2p/go-libp2p-core
+      - dependency-name: github.com/libp2p/go-libp2p-peerstore
+      - dependency-name: github.com/multiformats/go-multiaddr
   - package-ecosystem: npm
     directory: '/'
     schedule:

.github/workflows/README.md

@@ -0,0 +1,11 @@
+# GitHub Workflows
+
+## Required Checks and Path Filters
+
+We want to run certain workflows only when certain file paths change. We can accomplish this with [path based filtering on GitHub actions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore). The problem that we run into is that we have certain required checks on GitHub that will not run or pass if we have path based filtering that never executes the workflow.
+
+The [solution that GitHub recommends](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks) is to create a "dummy" workflow with the same workflow name and job names as the required workflow/jobs with the jobs running a command to simply exit zero immediately to indicate success.
+
+### Solution
+
+If your workflow is named `solidity.yml`, create a `solidity-paths-ignore.yml` file with the same workflow name, event triggers (except for the path filters, use `paths-ignore` instead of `paths`), same job names, and then in the steps feel free to echo a command or explicitly `exit 0` to make sure it passes. See the workflow file names with the `-paths-ignore.yml` suffix in this directory for examples.

.github/workflows/build-custom.yml

@@ -57,7 +57,7 @@ jobs:
           ref: ${{ github.event.inputs.cl_ref }}
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17.2'
+          go-version: ~1.17
       - name: Replace Solana deps manual flow
         if: ${{ github.event.inputs.dep_solana_sha }}
         run: |
@@ -99,6 +99,7 @@ jobs:
         with:
           context: .
           file: core/chainlink.Dockerfile
-          build-args: COMMIT_SHA=${{ github.sha }},ENVIRONMENT=release
+          # comma separated like: KEY1=VAL1,KEY2=VAL2,...
+          build-args: COMMIT_SHA=${{ github.sha }}
           tags: 795953128386.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/chainlink:custom.${{ github.sha }}
           push: true

.github/workflows/build-publish-release-ignore.yml

@@ -0,0 +1,19 @@
+##
+# This workflow needs to be ran because `build-sign-publish-chainlink` is 
+# a required check but we do not want our release branches to build and
+# publish images. Instead we use tags.
+# If the workflow does not run, the required check will never pass.
+##
+
+name: 'Build Chainlink and Publish'
+
+on:
+  push:
+    branches:
+      - release/*
+
+jobs:
+  build-sign-publish-chainlink:
+    runs-on: ubuntu-latest
+    steps:
+      - run: 'echo "No job required"'

.github/workflows/build-publish.yml

@@ -8,7 +8,6 @@ on:
     branches:
       - master
       - develop
-      - 'release/*'
 
 jobs:
   build-sign-publish-chainlink:
@@ -29,5 +28,8 @@ jobs:
           aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
           aws-region: ${{ secrets.AWS_REGION }}
           sign-images: true
+          sign-method: 'keypair'
           cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }}
           cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+          verify-signature: true

.github/workflows/continuous-integration-workflow.yml → .github/workflows/ci-core.yml

@@ -1,13 +1,13 @@
-name: CI
+name: CI Core
 
-on: [push]
+on: push
 
 jobs:
   core:
     strategy:
       fail-fast: false
       matrix:
-        cmd: ['go_core_tests', 'go_core_race_tests']
+        cmd: ["go_core_tests", "go_core_race_tests"]
     name: Core Tests
     runs-on: ubuntu-latest
     env:
@@ -35,7 +35,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: ^1.17
+          go-version: ~1.17
       - name: Cache Go vendor packages
         uses: actions/cache@v2
         with:
@@ -67,30 +67,3 @@ jobs:
         with:
           args: logs ${{ job.services.postgres.id }}
 
-  prepublish_npm:
-    name: Prepublish NPM
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the repo
-        uses: actions/checkout@v2
-      - name: Setup node
-        uses: actions/setup-node@v2
-        with:
-          node-version: "16"
-      - name: Yarn cache
-        uses: actions/cache@v2
-        env:
-          cache-name: yarn-cache
-        with:
-          path: |
-            ~/.npm
-            ~/.cache
-            **/node_modules
-          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('yarn.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-build-${{ env.cache-name }}-
-            ${{ runner.os }}-build-
-            ${{ runner.os }}-
-      - run: yarn install --frozen-lockfile
-      - name: Run prepublish NPM test
-        run: ./tools/ci/prepublish_npm_test

.github/workflows/code-quality.yml

@@ -3,8 +3,8 @@ name: Code Quality
 on:
   push:
     branches:
-      - auto
-      - try
+      - staging
+      - trying
       - rollup
   pull_request:
 

.github/workflows/codeql-analysis.yml

@@ -4,8 +4,8 @@ on:
   push:
     branches:
       - develop
-      - auto
-      - try
+      - staging
+      - trying
       - rollup
   pull_request:
     # The branches below must be a subset of the branches above
@@ -33,7 +33,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: ^1.17
+          go-version: ~1.17
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/dependency-check-paths-ignore.yml

@@ -0,0 +1,24 @@
+##
+# This workflow needs to be ran in case it is a required check and
+# we conditionally only run the `dependency-check` workflow when certain
+# paths change.
+# If the workflow does not run, and it is ever marked as required,
+# then the check will never pass.
+# This is GitHub's workaround:
+# https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#example
+##
+
+name: Dependency Vulnerability Check
+
+on: 
+  push:
+    paths-ignore:
+      - '**/go.mod'
+      - '**/go.sum'
+jobs:
+  Go:
+    runs-on: ubuntu-latest
+    steps:
+      - run: 'echo "No job required" '
+
+