diff --git a/.github/actions/build-chainlink-image/action.yml b/.github/actions/build-chainlink-image/action.yml index 7cd3751306d..114573f9931 100644 --- a/.github/actions/build-chainlink-image/action.yml +++ b/.github/actions/build-chainlink-image/action.yml @@ -29,12 +29,13 @@ runs: - name: Check if image exists if: ${{ inputs.dep_evm_sha != '' || inputs.check_image_exists == 'true'}} id: check-image - uses: smartcontractkit/chainlink-github-actions/docker/image-exists@75a9005952a9e905649cfb5a6971fd9429436acd # v2.3.25 + uses: smartcontractkit/.github/actions/ecr-image-exists@ecr-image-exists/0.2.0 with: repository: chainlink tag: ${{ inputs.git_commit_sha }}${{ inputs.tag_suffix }} - AWS_REGION: ${{ inputs.AWS_REGION }} - AWS_ROLE_TO_ASSUME: ${{ inputs.AWS_ROLE_TO_ASSUME }} + aws-region: ${{ inputs.AWS_REGION }} + aws-role-arn: ${{ inputs.AWS_ROLE_TO_ASSUME }} + - name: Build Image if: steps.check-image.outputs.exists != 'true' uses: smartcontractkit/.github/actions/ctf-build-image@ctf-build-image/0.2.0 diff --git a/.github/actions/golangci-lint/action.yml b/.github/actions/golangci-lint/action.yml index 4e90254e1b9..c77fb3e7dbc 100644 --- a/.github/actions/golangci-lint/action.yml +++ b/.github/actions/golangci-lint/action.yml @@ -65,7 +65,7 @@ runs: fi - name: Golangci-lint - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 env: # golangci-lint runs with absolute path mode: --path-mode=abs REPORT_PATH: ${{ github.workspace }}/${{ steps.set-working-directory.outputs.golangci-lint-working-directory }}golangci-lint-report.xml diff --git a/.github/actions/setup-cre-e2e-test-dependencies/action.yml b/.github/actions/setup-cre-e2e-test-dependencies/action.yml index 7ad59c5a418..3504d69a908 100644 --- a/.github/actions/setup-cre-e2e-test-dependencies/action.yml +++ b/.github/actions/setup-cre-e2e-test-dependencies/action.yml @@ -48,7 +48,7 @@ runs: - name: Restore Cache id: cache-restore - uses: actions/cache/restore@v4 + uses: actions/cache/restore@v5 with: key: ${{ steps.setup-cache-dir-key.outputs.cache-key }} path: ${{ steps.setup-cache-dir-key.outputs.download-path }} @@ -82,7 +82,7 @@ runs: - name: Save cache if: ${{ steps.cache-restore.outputs.cache-hit != 'true' }} - uses: actions/cache/save@v4 + uses: actions/cache/save@v5 with: key: ${{ steps.setup-cache-dir-key.outputs.cache-key }} path: ${{ steps.setup-cache-dir-key.outputs.download-path }} diff --git a/.github/actions/setup-go/action.yml b/.github/actions/setup-go/action.yml index b975bddf80a..ea370855c91 100644 --- a/.github/actions/setup-go/action.yml +++ b/.github/actions/setup-go/action.yml @@ -105,7 +105,7 @@ runs: - name: Get branch name if: ${{ inputs.only-modules == 'false' }} id: branch-name - uses: smartcontractkit/.github/actions/branch-names@branch-names/1.0.0 + uses: smartcontractkit/.github/actions/branch-names@branch-names/v1 # 2. Build the cache keys # --- diff --git a/.github/actions/setup-nodejs/action.yaml b/.github/actions/setup-nodejs/action.yaml index 27f1f05590e..46c69e84d93 100644 --- a/.github/actions/setup-nodejs/action.yaml +++ b/.github/actions/setup-nodejs/action.yaml @@ -11,11 +11,11 @@ description: Setup pnpm for contracts runs: using: composite steps: - - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0 + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 with: version: ^10.0.0 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: "20" cache: "pnpm" diff --git a/.github/workflows/bash-scripts.yml b/.github/workflows/bash-scripts.yml index 25cacfe5e01..4f4556a50f1 100644 --- a/.github/workflows/bash-scripts.yml +++ b/.github/workflows/bash-scripts.yml @@ -32,7 +32,7 @@ jobs: persist-credentials: false - name: Run ShellCheck if: needs.changes.outputs.bash-scripts-src == 'true' - uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0 + uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 with: scandir: "./tools/bin" # Consider changing this to check for warnings once all warnings are fixed. diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml index de9dcaeae62..c9f13fb9736 100644 --- a/.github/workflows/build-publish.yml +++ b/.github/workflows/build-publish.yml @@ -26,7 +26,7 @@ jobs: - name: Check release tag id: release-tag-check - uses: smartcontractkit/.github/actions/release-tag-check@c5c4a8186da4218cff6cac8184e47dd3dec69ba3 # release-tag-check@0.1.0 + uses: smartcontractkit/.github/actions/release-tag-check@9fc306ac63d8997c9ca0da283e56caaf71589f83 # release-tag-check/1.0.0 - name: Compute CCIP image tag id: compute-ccip-tag diff --git a/.github/workflows/changeset.yml b/.github/workflows/changeset.yml index d540e7a9ad2..72cc331a63c 100644 --- a/.github/workflows/changeset.yml +++ b/.github/workflows/changeset.yml @@ -63,13 +63,13 @@ jobs: run: bash ./.github/scripts/check-changeset-tags.sh ${{ steps.files-changed.outputs.core-changeset_files }} - name: Setup pnpm - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 if: ${{ steps.files-changed.outputs.core == 'true' || steps.files-changed.outputs.shared == 'true' }} with: version: ^10.0.0 - name: Setup node - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 if: ${{ steps.files-changed.outputs.core == 'true' || steps.files-changed.outputs.shared == 'true' }} with: node-version: 20 @@ -102,7 +102,7 @@ jobs: path: ./dot_github - name: Make a comment - uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 + uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 if: ${{ steps.files-changed.outputs.core == 'true' || steps.files-changed.outputs.shared == 'true' }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -111,12 +111,12 @@ jobs: I see you updated files related to `core`. Please run `make gocs` in the root directory to add a changeset as well as in the text include at least one of the following tags: ${{ env.TAGS }} reactions: eyes - comment_tag: changeset-core + comment-tag: changeset-core mode: ${{ steps.files-changed.outputs.core-changeset == 'false' && 'upsert' || 'delete' }} - create_if_not_exists: ${{ steps.files-changed.outputs.core-changeset == 'false' && 'true' || 'false' }} + create-if-not-exists: ${{ steps.files-changed.outputs.core-changeset == 'false' && 'true' || 'false' }} - name: Make a comment - uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 + uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 if: ${{ steps.files-changed.outputs.core-changeset == 'true' }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -125,9 +125,9 @@ jobs: I see you added a changeset file but it does not contain a tag. Please edit the text include at least one of the following tags: ${{ env.TAGS }} reactions: eyes - comment_tag: changeset-core-tags + comment-tag: changeset-core-tags mode: ${{ steps.changeset-tags.outputs.has_tags == 'false' && 'upsert' || 'delete' }} - create_if_not_exists: ${{ steps.changeset-tags.outputs.has_tags == 'false' && 'true' || 'false' }} + create-if-not-exists: ${{ steps.changeset-tags.outputs.has_tags == 'false' && 'true' || 'false' }} - name: Check for new changeset tags for core if: ${{ steps.files-changed.outputs.core-changeset == 'true' && steps.changeset-tags.outputs.has_tags == 'false' }} diff --git a/.github/workflows/changesets-preview-pr.yml b/.github/workflows/changesets-preview-pr.yml index 19787d7faf2..9692e4b0039 100644 --- a/.github/workflows/changesets-preview-pr.yml +++ b/.github/workflows/changesets-preview-pr.yml @@ -30,13 +30,13 @@ jobs: - '.changeset/**' - name: Setup pnpm - uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 if: steps.change.outputs.core-changeset == 'true' with: version: ^10.0.0 - name: Setup node - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 if: steps.change.outputs.core-changeset == 'true' with: node-version: 20 @@ -52,9 +52,9 @@ jobs: - name: Create release preview PR if: steps.change.outputs.core-changeset == 'true' - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: - git-token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} add-paths: | .changeset/** CHANGELOG.md diff --git a/.github/workflows/ci-core.yml b/.github/workflows/ci-core.yml index 5cbcb530503..104a8d53d04 100644 --- a/.github/workflows/ci-core.yml +++ b/.github/workflows/ci-core.yml @@ -179,9 +179,7 @@ jobs: modules: ${{ fromJson(needs.filter.outputs.affected-modules) }} steps: - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 - name: Checkout uses: actions/checkout@v6 @@ -315,9 +313,8 @@ jobs: actions: read steps: - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 + - name: Checkout the repo if: ${{ matrix.type.should-run == 'true' }} @@ -344,7 +341,7 @@ jobs: - name: Setup Aptos if: ${{ matrix.type.should-run == 'true' && matrix.type.setup-aptos == 'true' }} - uses: aptos-labs/actions/install-aptos-cli@63740b290d839b87ecfafbcf75ed03a36a54a29f # jan 15, 2025 + uses: aptos-labs/actions/install-aptos-cli@528ef7ad9427a8c0720ea3eea790a9190d6e377d # 2026-04-07 with: CLI_VERSION: 8.1.0 @@ -525,7 +522,7 @@ jobs: fetch-depth: 0 # fetches all history for all tags and branches to provide more metadata for sonar reports - name: Download all workflow artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 - name: Check and Set SonarQube Report Paths shell: bash @@ -610,7 +607,7 @@ jobs: - name: SonarQube Scan if: ${{ env.SONARQUBE_ARGS != '' }} - uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 # v2.3.0 + uses: sonarsource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432 # v8.0.0 with: args: ${{ env.SONARQUBE_ARGS }} env: diff --git a/.github/workflows/ci-deployments.yml b/.github/workflows/ci-deployments.yml index 4b689a7072a..df989283b61 100644 --- a/.github/workflows/ci-deployments.yml +++ b/.github/workflows/ci-deployments.yml @@ -143,9 +143,8 @@ jobs: actions: read steps: - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 + - name: Checkout the repo uses: actions/checkout@v6 with: @@ -160,7 +159,7 @@ jobs: - name: Setup Solana uses: ./.github/actions/setup-solana - name: Setup Aptos - uses: aptos-labs/actions/install-aptos-cli@63740b290d839b87ecfafbcf75ed03a36a54a29f # jan 15, 2025 + uses: aptos-labs/actions/install-aptos-cli@528ef7ad9427a8c0720ea3eea790a9190d6e377d # 2026-04-07 with: CLI_VERSION: 8.1.0 - name: Setup Sui CLI v1.69.2 diff --git a/.github/workflows/ci-protobuf.yml b/.github/workflows/ci-protobuf.yml index 0e55c192d39..1f527ffad7a 100644 --- a/.github/workflows/ci-protobuf.yml +++ b/.github/workflows/ci-protobuf.yml @@ -13,7 +13,7 @@ jobs: persist-credentials: false - name: Setup buf - uses: bufbuild/buf-setup-action@35c243d7f2a909b1d4e40399b348a7fdab27d78d # v1.34.0 + uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 267f8fe7563..f265efc2126 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -43,9 +43,8 @@ jobs: build-mode: none steps: - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 + - name: Checkout repository uses: actions/checkout@v6 @@ -63,7 +62,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -83,7 +82,7 @@ jobs: echo "::endgroup::" - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/cre-local-env-tests.yaml b/.github/workflows/cre-local-env-tests.yaml index c9af5d738ad..2ec64321b08 100644 --- a/.github/workflows/cre-local-env-tests.yaml +++ b/.github/workflows/cre-local-env-tests.yaml @@ -77,9 +77,8 @@ jobs: ref: ${{ github.event_name == 'pull_request' && github.sha || inputs.chainlink_version }} - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 + - name: Set up Go id: setup-go @@ -109,7 +108,7 @@ jobs: # We need to login to ECR to allow the test to pull the Job Distributor and Chainlink images - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: aws-region: ${{ secrets.QA_AWS_REGION }} role-to-assume: ${{ secrets.AWS_CTF_READ_ACCESS_ROLE_ARN }} @@ -118,7 +117,7 @@ jobs: - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registries: ${{ format('{0},{1}', secrets.QA_AWS_ACCOUNT_NUMBER, secrets.AWS_ACCOUNT_ID_PROD) }} env: @@ -131,7 +130,7 @@ jobs: - name: Setup GitHub token using GATI id: github-token - uses: smartcontractkit/.github/actions/setup-github-token@setup-github-token/1.0.0 + uses: smartcontractkit/.github/actions/setup-github-token@setup-github-token/v1 with: aws-role-arn: ${{ secrets.AWS_OIDC_CHAINLINK_READ_ONLY_TOKEN_ISSUER_ROLE_ARN }} aws-lambda-url: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }} diff --git a/.github/workflows/cre-regression-system-tests.yaml b/.github/workflows/cre-regression-system-tests.yaml index aed50ab91e1..36f436eb120 100644 --- a/.github/workflows/cre-regression-system-tests.yaml +++ b/.github/workflows/cre-regression-system-tests.yaml @@ -68,9 +68,7 @@ jobs: persist-credentials: false - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 - name: Set up Go id: setup-go @@ -138,9 +136,7 @@ jobs: steps: - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 - name: Checkout uses: actions/checkout@v6 @@ -158,7 +154,7 @@ jobs: # Required to pull private ECR images such as Job Distributor (main) and Chip Ingress (main), # and also the Chainlink image when inputs.ecr is "sdlc". - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: aws-region: ${{ secrets.QA_AWS_REGION }} role-to-assume: ${{ secrets.AWS_CTF_READ_ACCESS_ROLE_ARN }} @@ -167,7 +163,7 @@ jobs: - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registries: ${{ format('{0},{1}', secrets.QA_AWS_ACCOUNT_NUMBER, secrets.AWS_ACCOUNT_ID_PROD) }} @@ -177,7 +173,7 @@ jobs: # Required to allow pulling public images - name: Authenticate to ECR (public) id: login-ecr-public - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registry-type: public env: diff --git a/.github/workflows/cre-soak-memory-leak.yml b/.github/workflows/cre-soak-memory-leak.yml index 087908e4d15..98fb271cc5b 100644 --- a/.github/workflows/cre-soak-memory-leak.yml +++ b/.github/workflows/cre-soak-memory-leak.yml @@ -37,9 +37,7 @@ jobs: steps: - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 - name: Checkout uses: actions/checkout@v6 @@ -55,7 +53,7 @@ jobs: cache: true - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: aws-region: ${{ secrets.QA_AWS_REGION }} role-to-assume: ${{ secrets.AWS_CTF_READ_ACCESS_ROLE_ARN }} @@ -64,7 +62,7 @@ jobs: - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registries: ${{ format('{0},{1}', secrets.QA_AWS_ACCOUNT_NUMBER, secrets.AWS_ACCOUNT_ID_PROD) }} diff --git a/.github/workflows/cre-system-tests.yaml b/.github/workflows/cre-system-tests.yaml index 5b973233efd..0de7cd8c98f 100644 --- a/.github/workflows/cre-system-tests.yaml +++ b/.github/workflows/cre-system-tests.yaml @@ -68,9 +68,7 @@ jobs: persist-credentials: false - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 - name: Set up Go id: setup-go @@ -182,9 +180,7 @@ jobs: steps: - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 - name: Checkout uses: actions/checkout@v6 @@ -201,7 +197,7 @@ jobs: # Required to pull Job Distributor (main), Chip Ingress (main) and Chainlink (sdlc) private images - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: aws-region: ${{ secrets.QA_AWS_REGION }} role-to-assume: ${{ secrets.AWS_CTF_READ_ACCESS_ROLE_ARN }} @@ -210,7 +206,7 @@ jobs: - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registries: ${{ format('{0},{1}', secrets.QA_AWS_ACCOUNT_NUMBER, secrets.AWS_ACCOUNT_ID_PROD) }} @@ -220,7 +216,7 @@ jobs: # Required to allow pulling public images - name: Authenticate to ECR (public) id: login-ecr-public - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registry-type: public env: @@ -235,7 +231,7 @@ jobs: - name: Install Aptos CLI if: ${{ matrix.tests.test_name == 'Test_CRE_V2_Aptos_Suite' }} - uses: aptos-labs/actions/install-aptos-cli@63740b290d839b87ecfafbcf75ed03a36a54a29f # jan 15, 2025 + uses: aptos-labs/actions/install-aptos-cli@528ef7ad9427a8c0720ea3eea790a9190d6e377d # 2026-04-07 with: CLI_VERSION: 7.8.0 @@ -356,7 +352,7 @@ jobs: - name: Setup GitHub token using GATI id: github-token - uses: smartcontractkit/.github/actions/setup-github-token@setup-github-token/1.0.0 + uses: smartcontractkit/.github/actions/setup-github-token@setup-github-token/v1 with: aws-role-arn: ${{ secrets.AWS_OIDC_CHAINLINK_READ_ONLY_TOKEN_ISSUER_ROLE_ARN }} aws-lambda-url: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }} diff --git a/.github/workflows/cre-workflow-don-benchmark.yaml b/.github/workflows/cre-workflow-don-benchmark.yaml index 004c38cba04..c1450969ffc 100644 --- a/.github/workflows/cre-workflow-don-benchmark.yaml +++ b/.github/workflows/cre-workflow-don-benchmark.yaml @@ -51,7 +51,7 @@ jobs: # We need to login to ECR to allow the test to pull the Job Distributor and Chainlink images - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: aws-region: ${{ secrets.QA_AWS_REGION }} role-to-assume: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }} @@ -60,7 +60,7 @@ jobs: - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registries: ${{ format('{0},{1}', secrets.QA_AWS_ACCOUNT_NUMBER, secrets.AWS_ACCOUNT_ID_PROD) }} env: diff --git a/.github/workflows/devenv-compat.yml b/.github/workflows/devenv-compat.yml index 5999ea2ba8e..18597c07d9d 100644 --- a/.github/workflows/devenv-compat.yml +++ b/.github/workflows/devenv-compat.yml @@ -114,21 +114,21 @@ jobs: secrets.QA_AWS_REGION }}.amazonaws.com/local-cre-chip-router:v1.0.1" steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: fetch-depth: 0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Install Just - uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3 + uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3 # v4.0.0 with: just-version: "1.40.0" # We need to login to ECR to allow the test to pull the Job Distributor (main) and Chainlink (sdlc) images - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: aws-region: ${{ secrets.QA_AWS_REGION }} role-to-assume: ${{ secrets.AWS_CTF_READ_ACCESS_ROLE_ARN }} @@ -137,7 +137,7 @@ jobs: - name: Login to private Amazon ECRs id: login-ecr - uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registries: ${{ format('{0},{1}', secrets.QA_AWS_ACCOUNT_NUMBER, secrets.AWS_ACCOUNT_ID_PROD) }} @@ -146,14 +146,14 @@ jobs: - name: Login to public Amazon ECR id: login-ecr-public - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registry-type: public env: AWS_REGION: us-east-1 - name: Set up Go - uses: actions/setup-go@v6 # v6 + uses: actions/setup-go@v6 with: cache: true go-version-file: ${{ env.WORKING_DIR }}/go.mod @@ -275,7 +275,7 @@ jobs: - name: Upload logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: container-logs-smoke-${{ job.check_run_id }} path: ${{ env.LOGS_DIR }} diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 548e677bfd2..e97e9c616d2 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -282,7 +282,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Deploy uses: ./.github/actions/deploy-image with: @@ -305,7 +305,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Deploy uses: ./.github/actions/deploy-image with: diff --git a/.github/workflows/find-flaky-tests.yml b/.github/workflows/find-flaky-tests.yml index adf89cf504f..c6a8829cf59 100644 --- a/.github/workflows/find-flaky-tests.yml +++ b/.github/workflows/find-flaky-tests.yml @@ -44,8 +44,6 @@ jobs: ref: ${{ github.sha }} - name: Enable S3 Cache for Self-Hosted Runners uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 - with: - metrics: cpu,network,memory,disk - name: Run `diagnose` run: | go -C tools/test run . diagnose --iterations "${ITERATIONS}" --parallel-iterations "${PARALLEL_ITERATIONS}" -- "${DIR}" diff --git a/.github/workflows/go-mod-cache.yml b/.github/workflows/go-mod-cache.yml index c1b7e65508f..fb21e86ff66 100644 --- a/.github/workflows/go-mod-cache.yml +++ b/.github/workflows/go-mod-cache.yml @@ -53,9 +53,7 @@ jobs: pull-requests: read steps: - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 - name: Checkout the repo uses: actions/checkout@v6 diff --git a/.github/workflows/gomod-local-updater.yml b/.github/workflows/gomod-local-updater.yml index 8e3895409be..821ce19a3a7 100644 --- a/.github/workflows/gomod-local-updater.yml +++ b/.github/workflows/gomod-local-updater.yml @@ -27,7 +27,7 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 with: persist-credentials: false fetch-depth: 0 @@ -52,7 +52,7 @@ jobs: - name: Create PR id: create-pr - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: base: develop branch: ${{ env.BRANCH_HEAD}} diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 758a58c4c13..d12631eb5bb 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -301,13 +301,11 @@ jobs: }} steps: - name: Enable S3 Cache for Self-Hosted Runners - uses: runs-on/action@742bf56072eb4845a0f94b3394673e4903c90ff0 # v2.1.0 - with: - metrics: cpu,network,memory,disk + uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2 - name: Check if image exists in ECR id: check-image-exists - uses: smartcontractkit/.github/actions/ecr-image-exists@ecr-image-exists/0.0.1 + uses: smartcontractkit/.github/actions/ecr-image-exists@ecr-image-exists/0.2.0 with: repository: ${{ inputs.ecr_name || 'chainlink-integration-tests' }} tag: ${{ inputs.evm-ref || env.CHAINLINK_REF }}${{ matrix.image.tag-suffix }} diff --git a/.github/workflows/legacy-non-functional-tests.yml b/.github/workflows/legacy-non-functional-tests.yml index e1a5a59b4d5..f2500bfed76 100644 --- a/.github/workflows/legacy-non-functional-tests.yml +++ b/.github/workflows/legacy-non-functional-tests.yml @@ -64,7 +64,7 @@ jobs: deployment: false steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@v6 with: ref: ${{ inputs.chainlink_version || github.sha }} # we cannot pass this resolved image to `test-nightly` job, because when it contains secrets @@ -122,25 +122,25 @@ jobs: logs_archive_name: "df1-chaos" steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@v6 with: fetch-depth: 0 ref: ${{ inputs.chainlink_version || github.sha }} - name: Install Just - uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3 + uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3 # v4.0.0 with: just-version: "1.40.0" - name: Configure AWS credentials using OIDC - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: role-to-assume: ${{ secrets.AWS_CTF_READ_ACCESS_ROLE_ARN }} aws-region: us-west-2 - name: Login to Amazon ECRs (private) id: login-ecr - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registries: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }} env: @@ -148,14 +148,14 @@ jobs: - name: Login to Amazon ECR (public) id: login-ecr-public - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registry-type: public env: AWS_REGION: us-east-1 - name: Set up Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@v6 with: cache: true go-version-file: devenv/go.mod @@ -204,7 +204,7 @@ jobs: - name: Upload Logs if: always() - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + uses: actions/upload-artifact@v7 with: name: non-functional-tests-container-logs-${{ matrix.logs_archive_name }}-${{ github.run_id }}-${{ github.run_attempt }} path: devenv/tests/${{ matrix.tests_dir }}/logs @@ -212,7 +212,7 @@ jobs: - name: Upload Go pprof if: always() - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + uses: actions/upload-artifact@v7 with: name: alloc-${{ matrix.logs_archive_name }}-${{ github.run_id }}-${{ github.run_attempt }}.pprof path: devenv/tests/${{ matrix.tests_dir }}/alloc.pprof diff --git a/.github/workflows/legacy-system-tests.yml b/.github/workflows/legacy-system-tests.yml index d4e3af6321f..45b4293531f 100644 --- a/.github/workflows/legacy-system-tests.yml +++ b/.github/workflows/legacy-system-tests.yml @@ -64,7 +64,7 @@ jobs: deployment: false steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@v6 with: ref: ${{ inputs.chainlink_version || github.sha }} # we cannot pass this resolved image to `test-nightly` job, because when it contains secrets @@ -263,25 +263,25 @@ jobs: logs_archive_name: "logpoller-finality-tag" steps: - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@v6 with: fetch-depth: 0 ref: ${{ inputs.chainlink_version || github.sha }} - name: Install Just - uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3 + uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3 # v4.0.0 with: just-version: "1.40.0" - name: Configure AWS credentials using OIDC - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 + uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1 with: role-to-assume: ${{ secrets.AWS_CTF_READ_ACCESS_ROLE_ARN }} aws-region: us-west-2 - name: Login to Amazon ECRs (private) id: login-ecr - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registries: ${{ secrets.QA_AWS_ACCOUNT_NUMBER }} env: @@ -289,14 +289,14 @@ jobs: - name: Login to Amazon ECR (public) id: login-ecr-public - uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2.1.1 + uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5 with: registry-type: public env: AWS_REGION: us-east-1 - name: Set up Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + uses: actions/setup-go@v6 with: cache: true go-version-file: devenv/go.mod @@ -345,7 +345,7 @@ jobs: - name: Upload Logs if: always() - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + uses: actions/upload-artifact@v7 with: name: system-tests-container-logs-${{ matrix.logs_archive_name }}-${{ github.run_id }}-${{ github.run_attempt }} path: devenv/tests/${{ matrix.tests_dir }}/logs diff --git a/.github/workflows/operator-ui-ci.yml b/.github/workflows/operator-ui-ci.yml index 6a2e728b5f3..8457ad60156 100644 --- a/.github/workflows/operator-ui-ci.yml +++ b/.github/workflows/operator-ui-ci.yml @@ -16,20 +16,15 @@ jobs: name: Breaking Changes GQL Check runs-on: ubuntu-latest steps: - - name: Assume role capable of dispatching action - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + - name: Setup GitHub Token + id: setup-github-token + uses: smartcontractkit/.github/actions/setup-github-token@setup-github-token/v1 with: - role-to-assume: ${{ secrets.AWS_OIDC_CHAINLINK_CI_OPERATOR_UI_ACCESS_TOKEN_ISSUER_ROLE_ARN }} + aws-role-arn: ${{ secrets.AWS_OIDC_CHAINLINK_CI_OPERATOR_UI_ACCESS_TOKEN_ISSUER_ROLE_ARN }} + aws-lambda-url: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }} aws-region: ${{ secrets.AWS_REGION }} - role-duration-seconds: 3600 - role-session-name: operator-ui-ci.check-gql - mask-aws-account-id: true + aws-role-duration-seconds: 3600 - - name: Get Github Token - id: get-gh-token - uses: smartcontractkit/chainlink-github-actions/github-app-token-issuer@5874ff7211cf5a5a2670bb010fbff914eaaae138 # v2.3.12 - with: - url: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }} - name: Checkout repository uses: actions/checkout@v6 @@ -51,6 +46,6 @@ jobs: with: owner: smartcontractkit repo: operator-ui - github_token: ${{ steps.get-gh-token.outputs.access-token }} + github_token: ${{ steps.setup-github-token.outputs.access-token }} workflow_file_name: chainlink-ci.yml client_payload: '{"ref": "${{ github.event.pull_request.head.sha }}", "tag": "${{ steps.get-operator-ui-tag.outputs.TAG }}"}' diff --git a/.github/workflows/release-attest.yml b/.github/workflows/release-attest.yml index e4f5963a640..c904bfa5aa6 100644 --- a/.github/workflows/release-attest.yml +++ b/.github/workflows/release-attest.yml @@ -32,7 +32,7 @@ jobs: id-token: write steps: - name: Publish attestation to GitHub - uses: actions/attest-build-provenance@v3 + uses: actions/attest-build-provenance@v4 with: subject-name: ${{ inputs.docker-image-name }} subject-digest: ${{ inputs.docker-image-digest }}