-
Notifications
You must be signed in to change notification settings - Fork 2
ci(security): Safe-route main Diamond upgrades + add CODEOWNERS (CPL-291) #516
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
GTC6244
wants to merge
3
commits into
main
Choose a base branch
from
zurich
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # CODEOWNERS — required reviewers for security-critical surfaces. | ||
| # | ||
| # CPL-291: changes to on-chain contract code and to CI/CD workflows must not | ||
| # land on a single self-approval. A PR touching any path below requires review | ||
| # from the listed owner(s). | ||
| # | ||
| # IMPORTANT — this file only takes effect once branch protection on the default | ||
| # branch enables "Require review from Code Owners". Configure that in | ||
| # Settings → Branches. Note this gates the DEFAULT branch only: the `next` | ||
| # branch that upgrade-next deploys from gets no CODEOWNERS coverage unless it | ||
| # also receives branch protection (acceptable for staging). | ||
| # | ||
| # TODO(CPL-291 follow-up): replace the individual owner with a proper GitHub | ||
| # team slug (e.g. @LIT-Protocol/contracts, @LIT-Protocol/platform-security) | ||
| # once the teams exist. An unknown team here is silently ignored by GitHub, so | ||
| # a real, verified handle is used in the meantime to keep the rule enforceable. | ||
|
|
||
| # --- CI / CD pipeline ------------------------------------------------------- | ||
| /.github/ @GTC6244 | ||
| /.github/workflows/ @GTC6244 | ||
| /.github/CODEOWNERS @GTC6244 | ||
|
|
||
| # --- On-chain Diamond contract code + deployer ------------------------------ | ||
| /lit-api-server/blockchain/ @GTC6244 | ||
|
|
||
| # Node config files drive which network/Diamond a deploy targets. | ||
| /lit-api-server/NodeConfig.*.toml @GTC6244 |
121 changes: 121 additions & 0 deletions
121
.github/workflows/manual_contract-upgrade-main-2-verify.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,121 @@ | ||
| # Contract Upgrade Main — Phase 2: Verify | ||
| # | ||
| # Run this AFTER Safe multisig signers have approved and executed the | ||
| # diamondCut transaction proposed by the `main` branch of | ||
| # manual_contract-upgrade.yml (the "propose-main" job). | ||
| # | ||
| # This workflow: | ||
| # 1. Verifies the Safe transaction was executed on-chain | ||
| # 2. Compiles contracts from the current source code | ||
| # 3. Compares on-chain facet bytecode and selectors against compiled artifacts | ||
| # | ||
| # Network and contract address are read from: | ||
| # lit-api-server/NodeConfig.main.toml | ||
| # | ||
| # Required secrets: | ||
| # BASE_CHAIN_RPC - RPC endpoint for Base | ||
|
|
||
| name: "Contract Upgrade Main 2: Verify" | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| safe_tx_hash: | ||
| description: "Safe transaction hash from the propose-main job" | ||
| required: true | ||
| type: string | ||
|
|
||
| concurrency: | ||
| group: contract-upgrade-main | ||
| cancel-in-progress: false | ||
|
|
||
| jobs: | ||
| verify-safe-tx: | ||
| runs-on: self-hosted | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| ref: main | ||
|
|
||
| - uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 22 | ||
|
|
||
| - name: Install contract dependencies | ||
| working-directory: lit-api-server/blockchain/lit_node_express | ||
| run: npm ci | ||
|
|
||
| - name: Compile contracts | ||
| working-directory: lit-api-server/blockchain/lit_node_express | ||
| run: | | ||
| npx hardhat clean | ||
| npx hardhat compile | ||
|
|
||
| - name: Verify Safe transaction was executed | ||
| id: safe | ||
| working-directory: lit-api-server/blockchain/lit_node_express | ||
| env: | ||
| BASE_RPC_URL: ${{ secrets.BASE_CHAIN_RPC }} | ||
| # Pass dispatcher-controlled input via env: rather than interpolating | ||
| # it into the shell script, and validate its shape first. | ||
| SAFE_TX_HASH: ${{ inputs.safe_tx_hash }} | ||
| SAFE_ADDRESS: ${{ vars.SAFE_ADDRESS_CHIPOTLE_MAIN }} | ||
| run: | | ||
| if ! printf '%s' "$SAFE_TX_HASH" | grep -Eq '^0x[a-fA-F0-9]{64}$'; then | ||
| echo "::error::Invalid safe_tx_hash '$SAFE_TX_HASH' (expected 0x + 64 hex chars)." | ||
| exit 1 | ||
| fi | ||
| if [ -z "$SAFE_ADDRESS" ]; then | ||
| echo "::error::vars.SAFE_ADDRESS_CHIPOTLE_MAIN is not configured — cannot bind the tx to the expected Safe." | ||
| exit 1 | ||
| fi | ||
| # --safe pins verification to our Safe: execute-safe-tx asserts the tx | ||
| # actually belongs to it, so an executed hash from any other Safe on | ||
| # Base cannot pass this gate. | ||
| OUTPUT=$(npx hardhat execute-safe-tx \ | ||
| --network base \ | ||
| --safe "$SAFE_ADDRESS" \ | ||
| --safe-tx-hash "$SAFE_TX_HASH" \ | ||
| 2>&1 | tee /dev/stderr) | ||
| TX_HASH=$(echo "$OUTPUT" | grep '^TX_HASH=' | cut -d= -f2) | ||
| if [ -z "$TX_HASH" ]; then | ||
| echo "::error::Safe transaction has not been executed yet." | ||
| exit 1 | ||
| fi | ||
| echo "tx_hash=$TX_HASH" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Read contract address from NodeConfig | ||
| id: config | ||
| run: | | ||
| CONFIG="lit-api-server/NodeConfig.main.toml" | ||
| if [ ! -f "$CONFIG" ]; then | ||
| echo "::error::$CONFIG not found." | ||
| exit 1 | ||
| fi | ||
| ADDRESS=$(grep '^contract_address' "$CONFIG" | head -1 | sed 's/.*= *"\(.*\)"/\1/') | ||
| if [ -z "$ADDRESS" ]; then | ||
| echo "::error::contract_address not found in $CONFIG — cannot verify facets." | ||
| exit 1 | ||
| fi | ||
| echo "address=$ADDRESS" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Verify diamond facets match source code | ||
| working-directory: lit-api-server/blockchain/lit_node_express | ||
| env: | ||
| BASE_RPC_URL: ${{ secrets.BASE_CHAIN_RPC }} | ||
| run: | | ||
| npx hardhat verify-diamond-facets \ | ||
| --network base \ | ||
| --diamond "${{ steps.config.outputs.address }}" | ||
|
|
||
| - name: Summary | ||
| if: always() | ||
| run: | | ||
| echo "## Contract Upgrade Verification (main)" >> "$GITHUB_STEP_SUMMARY" | ||
| echo "" >> "$GITHUB_STEP_SUMMARY" | ||
| echo "**Safe TX Hash:** \`${{ inputs.safe_tx_hash }}\`" >> "$GITHUB_STEP_SUMMARY" | ||
| echo "**On-chain TX:** \`${{ steps.safe.outputs.tx_hash }}\`" >> "$GITHUB_STEP_SUMMARY" | ||
| echo "**Diamond:** \`${{ steps.config.outputs.address }}\`" >> "$GITHUB_STEP_SUMMARY" | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.