From 3675bdad2c20d1cf6c4a441d6d1ca5abe9e3f0ea Mon Sep 17 00:00:00 2001 From: Rodrigo Date: Fri, 19 Jun 2026 20:16:56 -0300 Subject: [PATCH 1/4] feat(ci): ci load trigger via comment --- .github/actions/ccip-load-test/action.yml | 168 ++++++++++++++++++++++ .github/workflows/ccip-load-command.yml | 123 ++++++++++++++++ .github/workflows/ccip-load-tests.yml | 104 ++++++++++---- .github/workflows/chatops.yml | 3 + 4 files changed, 368 insertions(+), 30 deletions(-) create mode 100644 .github/actions/ccip-load-test/action.yml create mode 100644 .github/workflows/ccip-load-command.yml diff --git a/.github/actions/ccip-load-test/action.yml b/.github/actions/ccip-load-test/action.yml new file mode 100644 index 000000000..323fea007 --- /dev/null +++ b/.github/actions/ccip-load-test/action.yml @@ -0,0 +1,168 @@ +name: Run CCIP load test +description: >- + Shared setup and execution for CCIP WASP load tests against local devenv or + prod-testnet infrastructure. + +inputs: + ccip_env: + description: "Target environment: devenv or prod-testnet" + required: false + default: prod-testnet + direction: + description: "Load test direction" + required: false + default: canton2evm + message_rate: + description: "CANTON_LOAD_MESSAGE_RATE" + required: false + default: "1/45s" + load_duration: + description: "CANTON_LOAD_DURATION" + required: false + default: "2m" + test_timeout: + description: "go test -timeout value" + required: false + default: "30m" + config_file: + description: "CCIP_CONFIG_FILE basename under ccip/devenv (prod-testnet only)" + required: false + default: env-prod-testnet.ci.toml + canton_path: + description: "Checkout path for chainlink-canton (`.` for PR root, `chainlink-canton` for nested devenv checkout)" + required: false + default: . + canton_ref: + description: "chainlink-canton git ref for devenv setup (empty = workflow SHA)" + required: false + default: "" + skip_exec_confirm: + description: "CANTON_LOAD_SKIP_EXEC_CONFIRM" + required: false + default: "false" + confirm_exec_timeout: + description: "CANTON_CONFIRM_EXEC_TIMEOUT" + required: false + default: "10m" + party_id: + description: "CANTON_PARTY_ID" + required: false + default: "u_d53a15c42af6::1220c250c23c55120f7c758bccc5cbc739629015ab921594e1c29656981f985bffa7" + grpc_url: + description: "CANTON_GRPC_URL" + required: false + default: "testnet.cv1.bcy-v.metalhosts.com:443" + auth_type: + description: "CANTON_AUTH_TYPE" + required: false + default: clientCredentials + auth_url: + description: "CANTON_AUTH_URL override (defaults to CANTON_OKTA_AUTHORIZER_TESTNET input)" + required: false + default: "" + client_id: + description: "CANTON_CLIENT_ID override (defaults to CANTON_OKTA_CLIENT_ID_TESTNET input)" + required: false + default: "" + CANTON_OKTA_AUTHORIZER_TESTNET: + description: "GitHub secret CANTON_OKTA_AUTHORIZER_TESTNET" + required: false + CANTON_OKTA_CLIENT_ID_TESTNET: + description: "GitHub secret CANTON_OKTA_CLIENT_ID_TESTNET" + required: false + CANTON_OKTA_CLIENT_SECRET_TESTNET: + description: "GitHub secret CANTON_OKTA_CLIENT_SECRET_TESTNET" + required: false + CCIP_PROD_TESTNET_PRIVATE_KEY: + description: "GitHub secret CCIP_PROD_TESTNET_PRIVATE_KEY" + required: false + ccv-iam-role: + description: "AWS IAM role for CCV ECR authentication (devenv only)" + required: false + jd-registry: + description: "JD private ECR registry ID (devenv only)" + required: false + jd-image: + description: "JD Docker image reference (devenv only)" + required: false + +runs: + using: composite + steps: + - name: Setup CCIP devenv + if: inputs.ccip_env == 'devenv' + uses: ./.github/actions/setup-ccip-devenv + with: + canton-ref: ${{ inputs.canton_ref }} + canton-path: ${{ inputs.canton_path }} + ccv-iam-role: ${{ inputs.ccv-iam-role }} + jd-registry: ${{ inputs.jd-registry }} + jd-image: ${{ inputs.jd-image }} + + - name: Install Go (prod-testnet) + if: inputs.ccip_env == 'prod-testnet' + uses: actions/setup-go@v6 + with: + cache: true + go-version-file: ${{ inputs.canton_path }}/go.mod + cache-dependency-path: ${{ inputs.canton_path }}/go.sum + + - name: Download Go dependencies (prod-testnet) + if: inputs.ccip_env == 'prod-testnet' + shell: bash + working-directory: ${{ inputs.canton_path }} + run: go mod download + + - name: Run load tests (devenv) + if: inputs.ccip_env == 'devenv' + shell: bash + working-directory: ${{ inputs.canton_path }}/ccip/devenv/tests/load + env: + CANTON_LOAD_MESSAGE_RATE: ${{ inputs.message_rate }} + CANTON_LOAD_DURATION: ${{ inputs.load_duration }} + run: | + case "${{ inputs.direction }}" in + canton2evm) TEST_RUN='^TestCanton2EVM_Load$' ;; + evm2canton) TEST_RUN='^TestEVM2Canton_Load$' ;; + canton2evm-token) TEST_RUN='^TestCanton2EVM_TokenLoad$' ;; + evm2canton-token) TEST_RUN='^TestEVM2Canton_TokenLoad$' ;; + *) echo "unknown direction: ${{ inputs.direction }}" >&2; exit 1 ;; + esac + go test -timeout "${{ inputs.test_timeout }}" -v -count 1 -ccip-env=devenv -run "$TEST_RUN" + + - name: Run load tests (prod-testnet) + if: inputs.ccip_env == 'prod-testnet' + shell: bash + working-directory: ${{ inputs.canton_path }}/ccip/devenv/tests/load + env: + CCIP_ENV: prod-testnet + CCIP_CONFIG_FILE: ${{ inputs.config_file }} + CANTON_AUTH_TYPE: ${{ inputs.auth_type }} + CANTON_AUTH_URL: ${{ inputs.auth_url != '' && inputs.auth_url || inputs.CANTON_OKTA_AUTHORIZER_TESTNET }} + CANTON_CLIENT_ID: ${{ inputs.client_id != '' && inputs.client_id || inputs.CANTON_OKTA_CLIENT_ID_TESTNET }} + CANTON_CLIENT_SECRET: ${{ inputs.CANTON_OKTA_CLIENT_SECRET_TESTNET }} + CANTON_PARTY_ID: ${{ inputs.party_id }} + CANTON_GRPC_URL: ${{ inputs.grpc_url }} + CANTON_LOAD_MESSAGE_RATE: ${{ inputs.message_rate }} + CANTON_LOAD_DURATION: ${{ inputs.load_duration }} + CANTON_CONFIRM_EXEC_TIMEOUT: ${{ inputs.confirm_exec_timeout }} + CANTON_LOAD_SKIP_EXEC_CONFIRM: ${{ inputs.skip_exec_confirm }} + PRIVATE_KEY: ${{ inputs.CCIP_PROD_TESTNET_PRIVATE_KEY }} + run: | + case "${{ inputs.direction }}" in + canton2evm) TEST_RUN='^TestCanton2EVM_Load$' ;; + evm2canton) TEST_RUN='^TestEVM2Canton_Load$' ;; + canton2evm-token) TEST_RUN='^TestCanton2EVM_TokenLoad$' ;; + evm2canton-token) TEST_RUN='^TestEVM2Canton_TokenLoad$' ;; + *) echo "unknown direction: ${{ inputs.direction }}" >&2; exit 1 ;; + esac + go test -timeout "${{ inputs.test_timeout }}" -v -count 1 -ccip-env=prod-testnet -run "$TEST_RUN" + + - name: Upload devenv logs + if: always() && inputs.ccip_env == 'devenv' + uses: ./.github/actions/upload-ccip-devenv-logs + with: + canton-path: ${{ inputs.canton_path }} + test-package-dir: load + log-dump-suffix: ccip-load-tests + artifact-name: container-logs-ccip-load-tests diff --git a/.github/workflows/ccip-load-command.yml b/.github/workflows/ccip-load-command.yml new file mode 100644 index 000000000..e52a7ef6a --- /dev/null +++ b/.github/workflows/ccip-load-command.yml @@ -0,0 +1,123 @@ +name: CCIP Load (ChatOps) +on: + repository_dispatch: + types: [ccip-load-command] + +concurrency: + group: ccip-load-pr-${{ github.event.client_payload.pull_request.number }} + cancel-in-progress: false + +permissions: {} + +jobs: + load: + name: CCIP load (ChatOps) + if: github.event.client_payload.slash_command.command == 'ccip-load' + permissions: + contents: read + id-token: write + pull-requests: write + runs-on: ubuntu-latest-8cores-32GB + timeout-minutes: 120 + steps: + - name: Setup GitHub Token + id: setup-github-token + uses: smartcontractkit/.github/actions/setup-github-token@ef78fa97bf3c77de6563db1175422703e9e6674f # setup-github-token@0.2.1 + with: + aws-role-arn: ${{ secrets.GATI_AWS_ROLE_CANTON_CICD }} + aws-lambda-url: ${{ secrets.GATI_AWS_LABDA_URL_INTEGRATIONS }} + aws-region: ${{ secrets.GATI_AWS_REGION }} + + - name: Post comment + uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2 + with: + repo-token: ${{ steps.setup-github-token.outputs.access-token }} + refresh-message-position: true + issue: ${{ github.event.client_payload.github.payload.issue.number }} + message: | + CCIP load test running... + Workflow run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} + + - name: Check out PR branch + uses: actions/checkout@v6 + with: + ref: ${{ github.event.client_payload.pull_request.head.ref }} + token: ${{ steps.setup-github-token.outputs.access-token }} + + - name: Resolve inputs + id: params + env: + NAMED_CCIP_ENV: ${{ github.event.client_payload.slash_command.args.named.ccip_env }} + NAMED_DIRECTION: ${{ github.event.client_payload.slash_command.args.named.direction }} + NAMED_MESSAGE_RATE: ${{ github.event.client_payload.slash_command.args.named.message_rate }} + NAMED_LOAD_DURATION: ${{ github.event.client_payload.slash_command.args.named.load_duration }} + NAMED_TEST_TIMEOUT: ${{ github.event.client_payload.slash_command.args.named.test_timeout }} + NAMED_CONFIG_FILE: ${{ github.event.client_payload.slash_command.args.named.config_file }} + NAMED_SKIP_EXEC_CONFIRM: ${{ github.event.client_payload.slash_command.args.named.skip_exec_confirm }} + NAMED_CONFIRM_EXEC_TIMEOUT: ${{ github.event.client_payload.slash_command.args.named.confirm_exec_timeout }} + NAMED_PARTY_ID: ${{ github.event.client_payload.slash_command.args.named.party_id }} + NAMED_GRPC_URL: ${{ github.event.client_payload.slash_command.args.named.grpc_url }} + NAMED_AUTH_TYPE: ${{ github.event.client_payload.slash_command.args.named.auth_type }} + NAMED_AUTH_URL: ${{ github.event.client_payload.slash_command.args.named.auth_url }} + NAMED_CLIENT_ID: ${{ github.event.client_payload.slash_command.args.named.client_id }} + run: | + echo "ccip_env=${NAMED_CCIP_ENV:-prod-testnet}" >> "$GITHUB_OUTPUT" + echo "direction=${NAMED_DIRECTION:-canton2evm}" >> "$GITHUB_OUTPUT" + echo "message_rate=${NAMED_MESSAGE_RATE:-1/45s}" >> "$GITHUB_OUTPUT" + echo "load_duration=${NAMED_LOAD_DURATION:-2m}" >> "$GITHUB_OUTPUT" + echo "config_file=${NAMED_CONFIG_FILE:-env-prod-testnet.ci.toml}" >> "$GITHUB_OUTPUT" + echo "skip_exec_confirm=${NAMED_SKIP_EXEC_CONFIRM:-true}" >> "$GITHUB_OUTPUT" + echo "confirm_exec_timeout=${NAMED_CONFIRM_EXEC_TIMEOUT:-10m}" >> "$GITHUB_OUTPUT" + echo "party_id=${NAMED_PARTY_ID:-u_d53a15c42af6::1220c250c23c55120f7c758bccc5cbc739629015ab921594e1c29656981f985bffa7}" >> "$GITHUB_OUTPUT" + echo "grpc_url=${NAMED_GRPC_URL:-testnet.cv1.bcy-v.metalhosts.com:443}" >> "$GITHUB_OUTPUT" + echo "auth_type=${NAMED_AUTH_TYPE:-clientCredentials}" >> "$GITHUB_OUTPUT" + echo "auth_url=${NAMED_AUTH_URL}" >> "$GITHUB_OUTPUT" + echo "client_id=${NAMED_CLIENT_ID}" >> "$GITHUB_OUTPUT" + + direction="${NAMED_DIRECTION:-canton2evm}" + if [ -n "${NAMED_TEST_TIMEOUT}" ]; then + echo "test_timeout=${NAMED_TEST_TIMEOUT}" >> "$GITHUB_OUTPUT" + elif [ "$direction" = "evm2canton" ]; then + echo "test_timeout=45m" >> "$GITHUB_OUTPUT" + else + echo "test_timeout=30m" >> "$GITHUB_OUTPUT" + fi + + - name: Run CCIP load test + uses: ./.github/actions/ccip-load-test + with: + ccip_env: ${{ steps.params.outputs.ccip_env }} + direction: ${{ steps.params.outputs.direction }} + message_rate: ${{ steps.params.outputs.message_rate }} + load_duration: ${{ steps.params.outputs.load_duration }} + test_timeout: ${{ steps.params.outputs.test_timeout }} + config_file: ${{ steps.params.outputs.config_file }} + canton_path: . + skip_exec_confirm: ${{ steps.params.outputs.skip_exec_confirm }} + confirm_exec_timeout: ${{ steps.params.outputs.confirm_exec_timeout }} + party_id: ${{ steps.params.outputs.party_id }} + grpc_url: ${{ steps.params.outputs.grpc_url }} + auth_type: ${{ steps.params.outputs.auth_type }} + auth_url: ${{ steps.params.outputs.auth_url }} + client_id: ${{ steps.params.outputs.client_id }} + CANTON_OKTA_AUTHORIZER_TESTNET: ${{ secrets.CANTON_OKTA_AUTHORIZER_TESTNET }} + CANTON_OKTA_CLIENT_ID_TESTNET: ${{ secrets.CANTON_OKTA_CLIENT_ID_TESTNET }} + CANTON_OKTA_CLIENT_SECRET_TESTNET: ${{ secrets.CANTON_OKTA_CLIENT_SECRET_TESTNET }} + CCIP_PROD_TESTNET_PRIVATE_KEY: ${{ secrets.CCIP_PROD_TESTNET_PRIVATE_KEY }} + + - name: Update comment + if: always() + uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2 + with: + repo-token: ${{ steps.setup-github-token.outputs.access-token }} + refresh-message-position: true + issue: ${{ github.event.client_payload.github.payload.issue.number }} + message-success: | + CCIP load test passed. + Workflow run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} + message-failure: | + CCIP load test failed. + Workflow run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} + message-cancelled: | + CCIP load test cancelled. + Workflow run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/.github/workflows/ccip-load-tests.yml b/.github/workflows/ccip-load-tests.yml index c00286ca8..77e9b655b 100644 --- a/.github/workflows/ccip-load-tests.yml +++ b/.github/workflows/ccip-load-tests.yml @@ -3,6 +3,14 @@ name: CCIP Canton Load Tests on: workflow_dispatch: inputs: + ccip_env: + description: 'Target environment' + required: true + default: devenv + type: choice + options: + - devenv + - prod-testnet direction: description: 'Load test direction' required: true @@ -14,12 +22,12 @@ on: - canton2evm-token - evm2canton-token message_rate: - description: 'CANTON_LOAD_MESSAGE_RATE (e.g. 1/1s, 1/20s)' + description: 'CANTON_LOAD_MESSAGE_RATE (e.g. 1/1s, 1/45s)' required: false default: '1/1s' type: string load_duration: - description: 'CANTON_LOAD_DURATION (Go duration, e.g. 90s, 10m)' + description: 'CANTON_LOAD_DURATION (Go duration, e.g. 90s, 2m)' required: false default: '90s' type: string @@ -29,10 +37,25 @@ on: default: '40m' type: string canton_ref: - description: 'chainlink-canton git ref (empty = workflow ref)' + description: 'chainlink-canton git ref (empty = workflow ref; devenv only)' required: false default: '' type: string + config_file: + description: 'CCIP_CONFIG_FILE basename under ccip/devenv (prod-testnet only)' + required: false + default: env-prod-testnet.ci.toml + type: string + skip_exec_confirm: + description: 'CANTON_LOAD_SKIP_EXEC_CONFIRM (prod-testnet only)' + required: false + default: 'true' + type: string + confirm_exec_timeout: + description: 'CANTON_CONFIRM_EXEC_TIMEOUT (prod-testnet only)' + required: false + default: '10m' + type: string concurrency: group: ccip-load-${{ github.actor }} @@ -43,40 +66,61 @@ jobs: permissions: id-token: write contents: read - name: CCIP load (${{ inputs.direction }}) + name: CCIP load (${{ inputs.ccip_env }}, ${{ inputs.direction }}) runs-on: ubuntu-latest-8cores-32GB timeout-minutes: 120 steps: - name: Check out workflow ref uses: actions/checkout@v6 - - name: Setup CCIP devenv - uses: ./.github/actions/setup-ccip-devenv + - name: Resolve prod-testnet load defaults + id: prod_defaults + run: | + if [ "${{ inputs.ccip_env }}" = "prod-testnet" ]; then + echo "canton_path=." >> "$GITHUB_OUTPUT" + if [ "${{ inputs.message_rate }}" = "1/1s" ]; then + echo "message_rate=1/45s" >> "$GITHUB_OUTPUT" + else + echo "message_rate=${{ inputs.message_rate }}" >> "$GITHUB_OUTPUT" + fi + if [ "${{ inputs.load_duration }}" = "90s" ]; then + echo "load_duration=2m" >> "$GITHUB_OUTPUT" + else + echo "load_duration=${{ inputs.load_duration }}" >> "$GITHUB_OUTPUT" + fi + if [ "${{ inputs.test_timeout }}" = "40m" ]; then + if [ "${{ inputs.direction }}" = "evm2canton" ]; then + echo "test_timeout=45m" >> "$GITHUB_OUTPUT" + else + echo "test_timeout=30m" >> "$GITHUB_OUTPUT" + fi + else + echo "test_timeout=${{ inputs.test_timeout }}" >> "$GITHUB_OUTPUT" + fi + else + echo "canton_path=chainlink-canton" >> "$GITHUB_OUTPUT" + echo "message_rate=${{ inputs.message_rate }}" >> "$GITHUB_OUTPUT" + echo "load_duration=${{ inputs.load_duration }}" >> "$GITHUB_OUTPUT" + echo "test_timeout=${{ inputs.test_timeout }}" >> "$GITHUB_OUTPUT" + fi + + - name: Run CCIP load test + uses: ./.github/actions/ccip-load-test with: - canton-ref: ${{ inputs.canton_ref }} + ccip_env: ${{ inputs.ccip_env }} + direction: ${{ inputs.direction }} + message_rate: ${{ steps.prod_defaults.outputs.message_rate }} + load_duration: ${{ steps.prod_defaults.outputs.load_duration }} + test_timeout: ${{ steps.prod_defaults.outputs.test_timeout }} + config_file: ${{ inputs.config_file }} + canton_path: ${{ steps.prod_defaults.outputs.canton_path }} + canton_ref: ${{ inputs.canton_ref }} + skip_exec_confirm: ${{ inputs.skip_exec_confirm }} + confirm_exec_timeout: ${{ inputs.confirm_exec_timeout }} + CANTON_OKTA_AUTHORIZER_TESTNET: ${{ secrets.CANTON_OKTA_AUTHORIZER_TESTNET }} + CANTON_OKTA_CLIENT_ID_TESTNET: ${{ secrets.CANTON_OKTA_CLIENT_ID_TESTNET }} + CANTON_OKTA_CLIENT_SECRET_TESTNET: ${{ secrets.CANTON_OKTA_CLIENT_SECRET_TESTNET }} + CCIP_PROD_TESTNET_PRIVATE_KEY: ${{ secrets.CCIP_PROD_TESTNET_PRIVATE_KEY }} ccv-iam-role: ${{ secrets.CCV_IAM_ROLE }} jd-registry: ${{ secrets.JD_REGISTRY }} jd-image: ${{ secrets.JD_IMAGE }} - - - name: Run load tests - working-directory: chainlink-canton/ccip/devenv/tests/load - env: - CANTON_LOAD_MESSAGE_RATE: ${{ inputs.message_rate }} - CANTON_LOAD_DURATION: ${{ inputs.load_duration }} - run: | - case "${{ inputs.direction }}" in - canton2evm) TEST_RUN='^TestCanton2EVM_Load$' ;; - evm2canton) TEST_RUN='^TestEVM2Canton_Load$' ;; - canton2evm-token) TEST_RUN='^TestCanton2EVM_TokenLoad$' ;; - evm2canton-token) TEST_RUN='^TestEVM2Canton_TokenLoad$' ;; - *) echo "unknown direction: ${{ inputs.direction }}" >&2; exit 1 ;; - esac - go test -timeout ${{ inputs.test_timeout }} -v -count 1 -run "$TEST_RUN" - - - name: Upload devenv logs - if: always() - uses: ./chainlink-canton/.github/actions/upload-ccip-devenv-logs - with: - test-package-dir: load - log-dump-suffix: ccip-load-tests - artifact-name: container-logs-ccip-load-tests diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml index bad73e698..8205c3ee2 100644 --- a/.github/workflows/chatops.yml +++ b/.github/workflows/chatops.yml @@ -26,3 +26,6 @@ jobs: permission: write commands: | auto-fix + ccip-load + named-args: | + ccip-load From d4cd6787d92e6bde85dfba429855b2d297aff77c Mon Sep 17 00:00:00 2001 From: Rodrigo Date: Fri, 19 Jun 2026 22:03:41 -0300 Subject: [PATCH 2/4] fix --- .github/actions/ccip-load-test/action.yml | 18 +++--------------- .github/workflows/ccip-load-command.yml | 9 --------- .github/workflows/chatops.yml | 2 -- 3 files changed, 3 insertions(+), 26 deletions(-) diff --git a/.github/actions/ccip-load-test/action.yml b/.github/actions/ccip-load-test/action.yml index 323fea007..18ededfb7 100644 --- a/.github/actions/ccip-load-test/action.yml +++ b/.github/actions/ccip-load-test/action.yml @@ -52,18 +52,6 @@ inputs: description: "CANTON_GRPC_URL" required: false default: "testnet.cv1.bcy-v.metalhosts.com:443" - auth_type: - description: "CANTON_AUTH_TYPE" - required: false - default: clientCredentials - auth_url: - description: "CANTON_AUTH_URL override (defaults to CANTON_OKTA_AUTHORIZER_TESTNET input)" - required: false - default: "" - client_id: - description: "CANTON_CLIENT_ID override (defaults to CANTON_OKTA_CLIENT_ID_TESTNET input)" - required: false - default: "" CANTON_OKTA_AUTHORIZER_TESTNET: description: "GitHub secret CANTON_OKTA_AUTHORIZER_TESTNET" required: false @@ -137,9 +125,9 @@ runs: env: CCIP_ENV: prod-testnet CCIP_CONFIG_FILE: ${{ inputs.config_file }} - CANTON_AUTH_TYPE: ${{ inputs.auth_type }} - CANTON_AUTH_URL: ${{ inputs.auth_url != '' && inputs.auth_url || inputs.CANTON_OKTA_AUTHORIZER_TESTNET }} - CANTON_CLIENT_ID: ${{ inputs.client_id != '' && inputs.client_id || inputs.CANTON_OKTA_CLIENT_ID_TESTNET }} + CANTON_AUTH_TYPE: clientCredentials + CANTON_AUTH_URL: ${{ inputs.CANTON_OKTA_AUTHORIZER_TESTNET }} + CANTON_CLIENT_ID: ${{ inputs.CANTON_OKTA_CLIENT_ID_TESTNET }} CANTON_CLIENT_SECRET: ${{ inputs.CANTON_OKTA_CLIENT_SECRET_TESTNET }} CANTON_PARTY_ID: ${{ inputs.party_id }} CANTON_GRPC_URL: ${{ inputs.grpc_url }} diff --git a/.github/workflows/ccip-load-command.yml b/.github/workflows/ccip-load-command.yml index e52a7ef6a..6af39cf6a 100644 --- a/.github/workflows/ccip-load-command.yml +++ b/.github/workflows/ccip-load-command.yml @@ -57,9 +57,6 @@ jobs: NAMED_CONFIRM_EXEC_TIMEOUT: ${{ github.event.client_payload.slash_command.args.named.confirm_exec_timeout }} NAMED_PARTY_ID: ${{ github.event.client_payload.slash_command.args.named.party_id }} NAMED_GRPC_URL: ${{ github.event.client_payload.slash_command.args.named.grpc_url }} - NAMED_AUTH_TYPE: ${{ github.event.client_payload.slash_command.args.named.auth_type }} - NAMED_AUTH_URL: ${{ github.event.client_payload.slash_command.args.named.auth_url }} - NAMED_CLIENT_ID: ${{ github.event.client_payload.slash_command.args.named.client_id }} run: | echo "ccip_env=${NAMED_CCIP_ENV:-prod-testnet}" >> "$GITHUB_OUTPUT" echo "direction=${NAMED_DIRECTION:-canton2evm}" >> "$GITHUB_OUTPUT" @@ -70,9 +67,6 @@ jobs: echo "confirm_exec_timeout=${NAMED_CONFIRM_EXEC_TIMEOUT:-10m}" >> "$GITHUB_OUTPUT" echo "party_id=${NAMED_PARTY_ID:-u_d53a15c42af6::1220c250c23c55120f7c758bccc5cbc739629015ab921594e1c29656981f985bffa7}" >> "$GITHUB_OUTPUT" echo "grpc_url=${NAMED_GRPC_URL:-testnet.cv1.bcy-v.metalhosts.com:443}" >> "$GITHUB_OUTPUT" - echo "auth_type=${NAMED_AUTH_TYPE:-clientCredentials}" >> "$GITHUB_OUTPUT" - echo "auth_url=${NAMED_AUTH_URL}" >> "$GITHUB_OUTPUT" - echo "client_id=${NAMED_CLIENT_ID}" >> "$GITHUB_OUTPUT" direction="${NAMED_DIRECTION:-canton2evm}" if [ -n "${NAMED_TEST_TIMEOUT}" ]; then @@ -97,9 +91,6 @@ jobs: confirm_exec_timeout: ${{ steps.params.outputs.confirm_exec_timeout }} party_id: ${{ steps.params.outputs.party_id }} grpc_url: ${{ steps.params.outputs.grpc_url }} - auth_type: ${{ steps.params.outputs.auth_type }} - auth_url: ${{ steps.params.outputs.auth_url }} - client_id: ${{ steps.params.outputs.client_id }} CANTON_OKTA_AUTHORIZER_TESTNET: ${{ secrets.CANTON_OKTA_AUTHORIZER_TESTNET }} CANTON_OKTA_CLIENT_ID_TESTNET: ${{ secrets.CANTON_OKTA_CLIENT_ID_TESTNET }} CANTON_OKTA_CLIENT_SECRET_TESTNET: ${{ secrets.CANTON_OKTA_CLIENT_SECRET_TESTNET }} diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml index 8205c3ee2..6b0fae541 100644 --- a/.github/workflows/chatops.yml +++ b/.github/workflows/chatops.yml @@ -27,5 +27,3 @@ jobs: commands: | auto-fix ccip-load - named-args: | - ccip-load From 34eb73215d5151b41b4dde0024f07cdbcae09ee6 Mon Sep 17 00:00:00 2001 From: Rodrigo Date: Fri, 19 Jun 2026 22:33:55 -0300 Subject: [PATCH 3/4] restrict workflow run --- .github/workflows/ccip-load-command.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ccip-load-command.yml b/.github/workflows/ccip-load-command.yml index 6af39cf6a..6925a9743 100644 --- a/.github/workflows/ccip-load-command.yml +++ b/.github/workflows/ccip-load-command.yml @@ -12,7 +12,9 @@ permissions: {} jobs: load: name: CCIP load (ChatOps) - if: github.event.client_payload.slash_command.command == 'ccip-load' + if: | + github.event.client_payload.slash_command.command == 'ccip-load' && + github.event.client_payload.pull_request.head.repo.full_name == github.repository permissions: contents: read id-token: write From 2d474852d90de3a12216714a0ded224a8fd289d2 Mon Sep 17 00:00:00 2001 From: Rodrigo Date: Fri, 19 Jun 2026 22:38:52 -0300 Subject: [PATCH 4/4] improve permissions --- .github/workflows/ccip-load-command.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ccip-load-command.yml b/.github/workflows/ccip-load-command.yml index 6925a9743..1016f0022 100644 --- a/.github/workflows/ccip-load-command.yml +++ b/.github/workflows/ccip-load-command.yml @@ -43,7 +43,7 @@ jobs: - name: Check out PR branch uses: actions/checkout@v6 with: - ref: ${{ github.event.client_payload.pull_request.head.ref }} + ref: ${{ github.event.client_payload.pull_request.head.sha }} token: ${{ steps.setup-github-token.outputs.access-token }} - name: Resolve inputs