From 71768d6aeff5159a35d8f300c7fc68047a150751 Mon Sep 17 00:00:00 2001 From: Vladimir Rogojin Date: Fri, 24 Apr 2026 09:07:27 +0200 Subject: [PATCH] =?UTF-8?q?ci:=20harden=20nightly=20integration=20workflow?= =?UTF-8?q?=20=E2=80=94=20drop=20artifact=20upload?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Steelman warning from post-merge review: the on-failure upload-artifact step harvested /tmp/sphere-cli-it-*/ into 7-day GitHub Actions storage. Those dirs hold secp256k1 testnet wallet material (mnemonic + private key) that the integration helpers explicitly shred on exit for hygiene reasons — uploading the same material as an artifact defeats that. Even though the keys are throwaway and hold no funds, harvesting them fails principle-of-least-privilege and could leak into CI logs, Slack paste-backs, or tickets. Also while here: * permissions: contents: read — least-privilege default * concurrency: group:integration-nightly — prevent cron+dispatch double-hammering public testnet infra * sphere-sdk SHA pin — aligned with ci.yml (was branch-pinned) --- .github/workflows/integration-nightly.yml | 50 +++++++++++++++-------- 1 file changed, 33 insertions(+), 17 deletions(-) diff --git a/.github/workflows/integration-nightly.yml b/.github/workflows/integration-nightly.yml index 1121d04..9b67c98 100644 --- a/.github/workflows/integration-nightly.yml +++ b/.github/workflows/integration-nightly.yml 
@@ -19,6 +19,19 @@ on: - cron: '7 3 * * *' workflow_dispatch: +# Read-only repo access — this workflow only clones, builds, and tests. +# No pushes, no release writes, no PR comments. Principle of least privilege. +permissions: + contents: read + +# Serialize integration runs: if a manual workflow_dispatch fires during the +# 03:07 UTC cron window, queue it behind the scheduled run instead of +# double-hammering public testnet infra. cancel-in-progress=false because we +# want both runs to complete — the second provides a fresh signal. +concurrency: + group: integration-nightly + cancel-in-progress: false + jobs: integration: name: integration (testnet) @@ -34,14 +47,21 @@ jobs: node-version: 22.x cache: npm - # See ci.yml for the rationale behind the sibling-clone workaround. - # Kept identical here so a nightly run is hermetic w.r.t. ci.yml state. - name: Clone sphere-sdk sibling + # Pin to a specific commit SHA (not a branch name) for supply-chain + # integrity — a branch pointer can be force-pushed or rebased, + # silently changing the code CI builds against. Kept in sync with + # ci.yml so both workflows build against the same sphere-sdk tree. + # + # Bump this SHA when a new sphere-sdk commit is required; remove + # this whole workaround once sphere-sdk publishes v0.7.1+ to npm. + env: + SPHERE_SDK_SHA: 86468103ac25271b96a338f64349dd0eb472689f run: | - git clone --depth 1 --branch refactor/extract-cli-to-sphere-cli \ - https://github.com/unicity-sphere/sphere-sdk.git ../../sphere-sdk + git clone https://github.com/unicity-sphere/sphere-sdk.git ../../sphere-sdk + git -C ../../sphere-sdk checkout --detach "$SPHERE_SDK_SHA" - - name: Build sphere-sdk (required for file: dependency to resolve types) + - name: "Build sphere-sdk (required for file: dependency to resolve types)" run: | cd ../../sphere-sdk npm ci 
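Review bot: The comment above the new `concurrency` block says both the cron run and a manual dispatch will complete, but GitHub keeps at most one pending run per concurrency group — if a second dispatch arrives while one is already queued behind the scheduled run, the earlier pending run is cancelled and replaced by the newest. That still serves the stated goal of not double-hammering testnet, yet the comment overstates the guarantee; suggest adding `# GitHub keeps only one pending run per group: a further dispatch replaces the queued one.` The workflow-level `permissions: contents: read` is the right default; note that any job added later that needs a write scope must declare it at job level, since this block now applies to every job in the file.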
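Review bot: The SHA-pinned clone at `git clone https://github.com/unicity-sphere/sphere-sdk.git ../../sphere-sdk` drops the `--depth 1` the removed line had, so every nightly now fetches the full sphere-sdk history to check out a single commit. GitHub serves fetches by full commit SHA, so the pin can stay shallow: `git init ../../sphere-sdk`, `git -C ../../sphere-sdk fetch --depth 1 https://github.com/unicity-sphere/sphere-sdk.git "$SPHERE_SDK_SHA"`, `git -C ../../sphere-sdk checkout --detach FETCH_HEAD`. Either form fails the step when the SHA is not reachable on the remote, which is the property the supply-chain comment relies on, and the fetch form also makes it explicit that nothing but the pinned commit is ever pulled. The `run:` block of the build step continues past the end of the hunk.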
@@ -58,15 +78,11 @@ jobs: # a slow testnet day without leaving a hung job indefinitely. timeout-minutes: 20 - # Upload the tmp wallet dirs + logs on failure so a flake is debuggable - # without re-running. Path covers the vitest test-timeout stderr spew - # plus anything the integration helpers leave in os.tmpdir(). - - name: Collect logs on failure - if: failure() - uses: actions/upload-artifact@v4 - with: - name: integration-logs-${{ github.run_id }} - path: | - /tmp/sphere-cli-it-*/ - retention-days: 7 - if-no-files-found: ignore + # NOTE: intentionally NO artifact upload of /tmp/sphere-cli-it-*/. Those + # dirs hold secp256k1 wallet material (testnet mnemonics + private keys) + # created by the integration helpers. Even though the keys are throwaway + # and hold no funds, harvesting them into 7-day GitHub Actions artifacts + # is poor hygiene: the helpers (test/integration/helpers.ts) explicitly + # shred them on exit/SIGINT/SIGTERM for the same reason. For nightly + # failure triage, the vitest stderr in the job log is sufficient; re-run + # locally via `npm run test:integration` if deeper investigation needed.
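Review bot: Removing the upload closes the exfiltration path, but the wallet dirs under `/tmp/sphere-cli-it-*/` are now shredded only by the helpers' exit/SIGINT/SIGTERM handlers named in the new NOTE comment; when the 20-minute `timeout-minutes` cancels the job the test process may be killed before those handlers run, leaving the material on the runner. On hosted runners the VM is discarded afterwards, but if this workflow is ever pointed at a self-hosted runner the dirs would persist between jobs, so an unconditional scrub after the test step is cheap insurance: `- name: Scrub wallet temp dirs`, `  if: always()`, `  run: rm -rf /tmp/sphere-cli-it-*`. The NOTE comment could then mention that step so the hygiene story for these dirs is visible in one place.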