From 43ef7ccbd0e067c430da0701c842eedaeb582346 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Wed, 11 Feb 2026 10:01:22 -0600 Subject: [PATCH 1/7] [StepSecurity] Apply security best practices (#966) Signed-off-by: StepSecurity Bot Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com> --- .github/workflows/stale.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 04bee16e0..f2cd59025 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -4,6 +4,9 @@ on: schedule: - cron: '30 0 * * *' workflow_dispatch: +permissions: + contents: read + jobs: stale: runs-on: ubuntu-latest @@ -12,6 +15,11 @@ jobs: issues: write pull-requests: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 with: days-before-stale: 14 From 5d47f18690ea40cc6cbb0ddb6b2fb4f77e9daf6d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 11 Feb 2026 10:01:41 -0600 Subject: [PATCH 2/7] chore: updated base, nethermind, op-geth, optimism, reth (#937) Co-authored-by: danyalprout <672580+danyalprout@users.noreply.github.com> --- versions.env | 20 ++++++++++---------- versions.json | 20 ++++++++++---------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/versions.env b/versions.env index 535b158e7..7a1d118d9 100644 --- a/versions.env +++ b/versions.env @@ -1,15 +1,15 @@ -export BASE_RETH_NODE_COMMIT=bb1b4571bebb8a9cd8ff1ec8758001fdc32758e8 +export BASE_RETH_NODE_COMMIT=fa6d3444debd96977ae14ccae502b91cbbe3f463 export BASE_RETH_NODE_REPO=https://github.com/base/base.git -export BASE_RETH_NODE_TAG=v0.3.0 -export NETHERMIND_COMMIT=d9febbce240491e8f918d41a4ffd06385a746b6c +export BASE_RETH_NODE_TAG=v0.3.1 +export NETHERMIND_COMMIT=31cb81b7328026791cdfaccd9db230c82f1db02d export NETHERMIND_REPO=https://github.com/NethermindEth/nethermind.git -export NETHERMIND_TAG=1.35.3 -export OP_GETH_COMMIT=904a088c5cc1eeec21a1ffa47327dc20a809e642 +export NETHERMIND_TAG=1.36.0 +export OP_GETH_COMMIT=32cc3b8caf8647dbefbd29b2c3ed862132e53ad2 export OP_GETH_REPO=https://github.com/ethereum-optimism/op-geth.git -export OP_GETH_TAG=v1.101603.5 -export OP_NODE_COMMIT=1b8c541060f0d323a7023fbc68fbbc8daf674340 +export OP_GETH_TAG=v1.101608.0 +export OP_NODE_COMMIT=b66cc587b4185089e6f81bf6a4fc4233f2a7505d export OP_NODE_REPO=https://github.com/ethereum-optimism/optimism.git -export OP_NODE_TAG=op-node/v1.16.2 -export OP_RETH_COMMIT=27a8c0f5a6dfb27dea84c5751776ecabdd069646 +export OP_NODE_TAG=op-node/v1.16.6 +export OP_RETH_COMMIT=8e3b5e6a99439561b73c5dd31bd3eced2e994d60 export OP_RETH_REPO=https://github.com/paradigmxyz/reth.git -export OP_RETH_TAG=v1.9.3 \ No newline at end of file +export OP_RETH_TAG=v1.10.2 \ No newline at end of file diff --git a/versions.json b/versions.json index 82698cbfc..3b88fd5c2 100644 --- a/versions.json +++ b/versions.json @@ -1,36 +1,36 @@ { "base_reth_node": { - "tag": "v0.3.0", - "commit": "bb1b4571bebb8a9cd8ff1ec8758001fdc32758e8", + "tag": "v0.3.1", + "commit": "fa6d3444debd96977ae14ccae502b91cbbe3f463", "owner": "base", "repo": "base", "tracking": "release" }, "nethermind": { - "tag": "1.35.3", - "commit": "d9febbce240491e8f918d41a4ffd06385a746b6c", + "tag": "1.36.0", + "commit": "31cb81b7328026791cdfaccd9db230c82f1db02d", "owner": "NethermindEth", "repo": "nethermind", "tracking": "release" }, "op_geth": { - "tag": "v1.101603.5", - "commit": "904a088c5cc1eeec21a1ffa47327dc20a809e642", + "tag": "v1.101608.0", + "commit": "32cc3b8caf8647dbefbd29b2c3ed862132e53ad2", "owner": "ethereum-optimism", "repo": "op-geth", "tracking": "release" }, "op_node": { - "tag": "op-node/v1.16.2", - "commit": "1b8c541060f0d323a7023fbc68fbbc8daf674340", + "tag": "op-node/v1.16.6", + "commit": "b66cc587b4185089e6f81bf6a4fc4233f2a7505d", "tagPrefix": "op-node", "owner": "ethereum-optimism", "repo": "optimism", "tracking": "release" }, "op_reth": { - "tag": "v1.9.3", - "commit": "27a8c0f5a6dfb27dea84c5751776ecabdd069646", + "tag": "v1.10.2", + "commit": "8e3b5e6a99439561b73c5dd31bd3eced2e994d60", "owner": "paradigmxyz", "repo": "reth", "tracking": "release" From 5598217c5e5f6d44f909529a7c2e5a2568fa581c Mon Sep 17 00:00:00 2001 From: Danyal Prout Date: Wed, 11 Feb 2026 10:29:32 -0600 Subject: [PATCH 3/7] fix: update dotnet images to 10.0 for Nethermind 1.36.0 (#967) Nethermind 1.36.0 requires .NET SDK 10.0.100 (via global.json), but the Dockerfile was still using 9.0 images, causing the build to fail with exit code 145. --- nethermind/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nethermind/Dockerfile b/nethermind/Dockerfile index 729b9264c..f03032f76 100644 --- a/nethermind/Dockerfile +++ b/nethermind/Dockerfile @@ -13,7 +13,7 @@ RUN . /tmp/versions.env && git clone $OP_NODE_REPO --branch $OP_NODE_TAG --singl RUN . /tmp/versions.env && cd op-node && \ just VERSION=$OP_NODE_TAG op-node -FROM mcr.microsoft.com/dotnet/sdk:9.0-noble AS build +FROM mcr.microsoft.com/dotnet/sdk:10.0-noble AS build ARG BUILD_CONFIG=release ARG TARGETARCH @@ -31,7 +31,7 @@ RUN TARGETARCH=${TARGETARCH#linux/} && \ echo "Using architecture: $arch" && \ dotnet publish src/Nethermind/Nethermind.Runner -c $BUILD_CONFIG -a $arch -o /publish --sc false -FROM mcr.microsoft.com/dotnet/aspnet:9.0-noble +FROM mcr.microsoft.com/dotnet/aspnet:10.0-noble RUN apt-get update && \ apt-get install -y jq curl supervisor && \ From 2d8c44cc02d92fc09773289ead5a7d7db5fee3bb Mon Sep 17 00:00:00 2001 From: Danyal Prout Date: Tue, 17 Feb 2026 14:25:01 -0600 Subject: [PATCH 4/7] chore: update base reth to v0.4.0 (#972) --- versions.env | 4 ++-- versions.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/versions.env b/versions.env index 7a1d118d9..16067ad09 100644 --- a/versions.env +++ b/versions.env @@ -1,6 +1,6 @@ -export BASE_RETH_NODE_COMMIT=fa6d3444debd96977ae14ccae502b91cbbe3f463 +export BASE_RETH_NODE_COMMIT=00087fd960f65a79b6ce87e55e3b3440c99237fa export BASE_RETH_NODE_REPO=https://github.com/base/base.git -export BASE_RETH_NODE_TAG=v0.3.1 +export BASE_RETH_NODE_TAG=v0.4.0 export NETHERMIND_COMMIT=31cb81b7328026791cdfaccd9db230c82f1db02d export NETHERMIND_REPO=https://github.com/NethermindEth/nethermind.git export NETHERMIND_TAG=1.36.0 diff --git a/versions.json b/versions.json index 3b88fd5c2..f30e3c844 100644 --- a/versions.json +++ b/versions.json @@ -1,7 +1,7 @@ { "base_reth_node": { - "tag": "v0.3.1", - "commit": "fa6d3444debd96977ae14ccae502b91cbbe3f463", + "tag": "v0.4.0", + "commit": "00087fd960f65a79b6ce87e55e3b3440c99237fa", "owner": "base", "repo": "base", "tracking": "release" From a294d4a0cad590d4664e15d72e69c7da3a7a8ce8 Mon Sep 17 00:00:00 2001 From: Danyal Prout Date: Wed, 18 Feb 2026 12:58:41 -0600 Subject: [PATCH 5/7] chore: update base reth to v0.4.1 (#975) --- versions.env | 4 ++-- versions.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/versions.env b/versions.env index 16067ad09..1a6972f58 100644 --- a/versions.env +++ b/versions.env @@ -1,6 +1,6 @@ -export BASE_RETH_NODE_COMMIT=00087fd960f65a79b6ce87e55e3b3440c99237fa +export BASE_RETH_NODE_COMMIT=5e5260c26a1d1af7a74a79a692a56b5d73d5363b export BASE_RETH_NODE_REPO=https://github.com/base/base.git -export BASE_RETH_NODE_TAG=v0.4.0 +export BASE_RETH_NODE_TAG=v0.4.1 export NETHERMIND_COMMIT=31cb81b7328026791cdfaccd9db230c82f1db02d export NETHERMIND_REPO=https://github.com/NethermindEth/nethermind.git export NETHERMIND_TAG=1.36.0 diff --git a/versions.json b/versions.json index f30e3c844..001541ff2 100644 --- a/versions.json +++ b/versions.json @@ -1,7 +1,7 @@ { "base_reth_node": { - "tag": "v0.4.0", - "commit": "00087fd960f65a79b6ce87e55e3b3440c99237fa", + "tag": "v0.4.1", + "commit": "5e5260c26a1d1af7a74a79a692a56b5d73d5363b", "owner": "base", "repo": "base", "tracking": "release" From fccea225ed0c4807c05267d1a68bdebb316cc5d3 Mon Sep 17 00:00:00 2001 From: Julian Meyer Date: Wed, 25 Feb 2026 15:27:12 -0800 Subject: [PATCH 6/7] chore: remove unused op-reth repo (#981) --- versions.env | 5 +---- versions.json | 7 ------- 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/versions.env b/versions.env index 1a6972f58..7a0173993 100644 --- a/versions.env +++ b/versions.env @@ -9,7 +9,4 @@ export OP_GETH_REPO=https://github.com/ethereum-optimism/op-geth.git export OP_GETH_TAG=v1.101608.0 export OP_NODE_COMMIT=b66cc587b4185089e6f81bf6a4fc4233f2a7505d export OP_NODE_REPO=https://github.com/ethereum-optimism/optimism.git -export OP_NODE_TAG=op-node/v1.16.6 -export OP_RETH_COMMIT=8e3b5e6a99439561b73c5dd31bd3eced2e994d60 -export OP_RETH_REPO=https://github.com/paradigmxyz/reth.git -export OP_RETH_TAG=v1.10.2 \ No newline at end of file +export OP_NODE_TAG=op-node/v1.16.6 \ No newline at end of file diff --git a/versions.json b/versions.json index 001541ff2..02e133598 100644 --- a/versions.json +++ b/versions.json @@ -27,12 +27,5 @@ "owner": "ethereum-optimism", "repo": "optimism", "tracking": "release" - }, - "op_reth": { - "tag": "v1.10.2", - "commit": "8e3b5e6a99439561b73c5dd31bd3eced2e994d60", - "owner": "paradigmxyz", - "repo": "reth", - "tracking": "release" } } \ No newline at end of file From 6e9cb084e94d6177035340e452578525bd9c6dd3 Mon Sep 17 00:00:00 2001 From: Julian Meyer Date: Thu, 26 Feb 2026 10:59:44 -0800 Subject: [PATCH 7/7] feat: support proofs ExEx (#980) --- reth/reth-entrypoint | 77 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 76 insertions(+), 1 deletion(-) diff --git a/reth/reth-entrypoint b/reth/reth-entrypoint index 6948731f6..12d9b9cf8 100755 --- a/reth/reth-entrypoint +++ b/reth/reth-entrypoint @@ -11,6 +11,9 @@ DISCOVERY_PORT="${DISCOVERY_PORT:-30303}" P2P_PORT="${P2P_PORT:-30303}" ADDITIONAL_ARGS="" BINARY="./base-reth-node" +RETH_HISTORICAL_PROOFS="${RETH_HISTORICAL_PROOFS:-false}" +RETH_HISTORICAL_PROOFS_STORAGE_PATH="${RETH_HISTORICAL_PROOFS_STORAGE_PATH:-}" +LOG_LEVEL="${LOG_LEVEL:-info}" if [[ -z "${RETH_CHAIN:-}" ]]; then echo "expected RETH_CHAIN to be set" 1>&2 @@ -25,18 +28,90 @@ else echo "Running in vanilla node mode (no Flashblocks URL provided)" fi +case "$LOG_LEVEL" in + "error") + LOG_LEVEL="v" + ;; + "warn") + LOG_LEVEL="vv" + ;; + "info"|*) + LOG_LEVEL="vvv" + ;; + "debug") + LOG_LEVEL="vvvv" + ;; + "trace") + LOG_LEVEL="vvvvv" + ;; +esac + # Add pruning for base if [[ "${RETH_PRUNING_ARGS+x}" = x ]]; then echo "Adding pruning arguments: $RETH_PRUNING_ARGS" ADDITIONAL_ARGS="$ADDITIONAL_ARGS $RETH_PRUNING_ARGS" fi +if [[ "$RETH_HISTORICAL_PROOFS" == "true" && -n "$RETH_HISTORICAL_PROOFS_STORAGE_PATH" ]]; then + # reth doesn't like starting an old database in RO mode, so we have to start the reth node, wait for it to start up, then shut it down first + "$BINARY" node \ + -$LOG_LEVEL \ + --datadir="$RETH_DATA_DIR" \ + --log.stdout.format json \ + --http \ + --http.addr=127.0.0.1 \ + --http.port="$RPC_PORT" \ + --http.api=eth \ + --chain "$RETH_CHAIN" & + + PID=$! + + MAX_WAIT=$((60 * 60 * 6)) # 6 hours (static file manager init is slow) + + # wait for json-rpc to return a block number greater than 0 (synced beyond genesis) + while true; do + RESPONSE=$(curl -s -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["latest", false],"id":1}' http://127.0.0.1:"$RPC_PORT" 2>/dev/null || true) + + if echo "$RESPONSE" | grep -q '"number":"0x0"'; then + echo "waiting for reth node to sync beyond genesis block" + elif echo "$RESPONSE" | grep -q '"result"'; then + # curl succeeded and returned a valid result with block number != 0x0 + break + else + echo "waiting for reth node to start up" + fi + + sleep 1 + MAX_WAIT=$((MAX_WAIT - 1)) + if [ "$MAX_WAIT" -eq 0 ]; then + echo "timed out waiting for reth node to start up" + kill "$PID" + exit 1 + fi + done + + # shut down gracefully + kill "$PID" + + (wait "$PID" && echo "reth node initialized") || echo "warning: reth node exited with code $?" + + ADDITIONAL_ARGS="$ADDITIONAL_ARGS --proofs-history --proofs-history.storage-path=$RETH_HISTORICAL_PROOFS_STORAGE_PATH" + + # in this case, we need to run the init script first (idempotent) + "$BINARY" proofs init \ + -$LOG_LEVEL \ + --log.stdout.format json \ + --chain "$RETH_CHAIN" \ + --datadir="$RETH_DATA_DIR" \ + --proofs-history.storage-path=$RETH_HISTORICAL_PROOFS_STORAGE_PATH +fi + mkdir -p "$RETH_DATA_DIR" echo "Starting reth with additional args: $ADDITIONAL_ARGS" echo "$OP_NODE_L2_ENGINE_AUTH_RAW" > "$OP_NODE_L2_ENGINE_AUTH" exec "$BINARY" node \ - -vvv \ + -$LOG_LEVEL \ --datadir="$RETH_DATA_DIR" \ --log.stdout.format json \ --ws \