Skip to content

Commit

Permalink
CCIP-3873: merge v2.17 into ccip-develop (#1506)
Browse files Browse the repository at this point in the history
## Motivation

https://smartcontract-it.atlassian.net/browse/CCIP-3873

## Solution

Merge v2.17

Worthy mentions of changes:
* core/capabilities/ccip has been deleted in this fork to ease the merge
process. Development here continues as usual in chainlink.
* Due to the above, integration-tests/deployment is also deleted, since
it imports a lot of stuff from core/capabilities/ccip. These are also
not being developed in this fork.
  • Loading branch information
mateusz-sekara authored Oct 28, 2024
2 parents 80eb41b + d4537bb commit d888177
Show file tree
Hide file tree
Showing 1,232 changed files with 77,036 additions and 28,423 deletions.
5 changes: 5 additions & 0 deletions .changeset/tough-boats-shop.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
"chainlink": minor
---

start of next release
23 changes: 15 additions & 8 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,9 @@

# Services
/core/services/directrequest @smartcontractkit/keepers
/core/services/feeds @smartcontractkit/FMS
/core/services/feeds @smartcontractkit/op-core @eutopian @yevshev
/core/services/synchronization/telem @smartcontractkit/realtime
/core/capabilities/ccip @smartcontractkit/ccip-offchain

# To be deprecated in Chainlink V3
/core/services/fluxmonitorv2 @smartcontractkit/foundations
Expand All @@ -23,9 +24,9 @@
/core/services/pg @smartcontractkit/foundations @samsondav
/core/services/pipeline @smartcontractkit/foundations @smartcontractkit/bix-framework
/core/services/telemetry @smartcontractkit/realtime
/core/services/relay/evm/mercury @smartcontractkit/mercury-team
/core/services/relay/evm/mercury @smartcontractkit/data-streams-engineers
/core/services/webhook @smartcontractkit/foundations @smartcontractkit/bix-framework
/core/services/llo @smartcontractkit/mercury-team
/core/services/llo @smartcontractkit/data-streams-engineers

# VRF-related services
/core/services/vrf @smartcontractkit/vrf-team
Expand Down Expand Up @@ -67,17 +68,16 @@ core/scripts/gateway @smartcontractkit/functions

/contracts/src/v0.8/functions @smartcontractkit/functions
/contracts/**/*functions* @smartcontractkit/functions
/contracts/**/*llo-feeds* @smartcontrackit/mercury-team
/contracts/**/*llo-feeds* @smartcontractkit/data-streams-engineers
/contracts/**/*vrf* @smartcontractkit/vrf-team
/contracts/**/*l2ep* @smartcontractkit/bix-ship
# TODO: replace with a team tag when ready
/contracts/**/*keystone* @archseer @bolekk @patrick-dowell
/contracts/**/*keystone* @smartcontractkit/keystone

/contracts/src/v0.8/automation @smartcontractkit/keepers
/contracts/src/v0.8/functions @smartcontractkit/functions
# TODO: interfaces folder, folder should be removed and files moved to the correct folders
/contracts/src/v0.8/l2ep @chris-de-leon-cll
/contracts/src/v0.8/llo-feeds @smartcontractkit/mercury-team
/contracts/src/v0.8/llo-feeds @smartcontractkit/data-streams-engineers
# TODO: mocks folder, folder should be removed and files moved to the correct folders
/contracts/src/v0.8/operatorforwarder @smartcontractkit/data-feeds-engineers
/contracts/src/v0.8/shared @RensR @matYang @RayXpub @elatoskinas
Expand All @@ -93,11 +93,18 @@ core/scripts/gateway @smartcontractkit/functions


# Tests
/integration-tests/**/*ccip* @smartcontractkit/test-tooling-team @jasonmci @smartcontractkit/ccip
/integration-tests/ @smartcontractkit/test-tooling-team
/integration-tests/ccip-tests @smartcontractkit/ccip-offchain
/integration-tests/**/*keeper* @smartcontractkit/keepers
/integration-tests/**/*automation* @smartcontractkit/keepers
/integration-tests/**/*lm_* @smartcontractkit/liquidity-manager

# Deployment tooling
# Initially the common structures owned by CCIP
/integration-tests/deployment @smartcontractkit/ccip
/integration-tests/deployment/ccip @smartcontractkit/ccip
# TODO: As more products add their deployment logic here, add the team as an owner

# CI/CD
/.github/** @smartcontractkit/releng @smartcontractkit/test-tooling-team @jasonmci @smartcontractkit/ccip
/.github/workflows/integration-tests.yml @smartcontractkit/test-tooling-team @jasonmci
Expand Down
58 changes: 58 additions & 0 deletions .github/E2E_TESTS_ON_GITHUB_CI.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# E2E Tests on GitHub CI

E2E tests are executed on GitHub CI using the [E2E Tests Reusable Workflow](#about-the-reusable-workflow) or dedicated workflows.

## Automatic workflows

These workflows are designed to run automatically at crucial stages of the software development process, such as on every commit in a PR, nightly or before release.

### PR E2E Tests

Run on every commit in a PR to ensure changes do not introduce regressions.

[Link](https://github.com/smartcontractkit/chainlink/blob/develop/.github/workflows/integration-tests.yml)

### Nightly E2E Tests

Conducted nightly to catch issues that may develop over time or with accumulated changes.

[Link](https://github.com/smartcontractkit/chainlink/blob/develop/.github/workflows/run-nightly-e2e-tests.yml)

### Release E2E Tests

This section contains automatic workflows triggering E2E tests at release.

#### Client Compatibility Tests

[Link](https://github.com/smartcontractkit/chainlink/actions/workflows/client-compatibility-tests.yml)

## On-Demand Workflows

Triggered manually by QA for specific testing needs.

**Examples:**

- [On-Demand Automation Tests](https://github.com/smartcontractkit/chainlink/actions/workflows/automation-ondemand-tests.yml)
- [CCIP Chaos Tests](https://github.com/smartcontractkit/chainlink/actions/workflows/ccip-chaos-tests.yml)
- [OCR Soak Tests](https://github.com/smartcontractkit/chainlink/actions/workflows/on-demand-ocr-soak-test.yml)
- [VRFv2Plus Smoke Tests](https://github.com/smartcontractkit/chainlink/actions/workflows/on-demand-vrfv2plus-smoke-tests.yml)

## Test Configs

E2E tests utilize TOML files to define their parameters. Each test is equipped with a default TOML config, which can be overridden by specifying an alternative TOML config. This allows for running tests with varied parameters, such as on a non-default blockchain network. For tests executed on GitHub CI, both the default configs and any override configs must reside within the git repository. The `test_config_override_path` workflow input is used to provide a path to an override config.

Config overrides should be stored in `testconfig/*/overrides/*.toml`. Placing files here will not trigger a rebuild of the test runner image.

**Important Note:** The use of `base64Config` input is deprecated in favor of `test_config_override_path`. For more details, refer to [the decision log](https://smartcontract-it.atlassian.net/wiki/spaces/TT/pages/927596563/Storing+All+Test+Configs+In+Git).

To learn more about test configs see [CTF Test Config](https://github.com/smartcontractkit/chainlink-testing-framework/blob/main/lib/config/README.md).

## Test Secrets

For security reasons, test secrets and sensitive information are not stored directly within the test config TOML files. Instead, these secrets are securely injected into tests using environment variables. For a detailed explanation on managing test secrets, refer to our [Test Secrets documentation](https://github.com/smartcontractkit/chainlink-testing-framework/blob/main/lib/config/README.md#test-secrets).

If you need to run a GitHub workflow using custom secrets, please refer to the [guide on running GitHub workflows with your test secrets](https://github.com/smartcontractkit/chainlink-testing-framework/blob/main/lib/config/README.md#run-github-workflow-with-your-test-secrets).

## About the E2E Test Reusable Workflow

For information on the E2E Test Reusable Workflow, visit the documentation in the [smartcontractkit/.github repository](https://github.com/smartcontractkit/.github/blob/main/.github/workflows/README.md).
4 changes: 2 additions & 2 deletions .github/actions/build-chainlink-image/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ runs:
AWS_ROLE_TO_ASSUME: ${{ inputs.AWS_ROLE_TO_ASSUME }}
- name: Build Image
if: steps.check-image.outputs.exists != 'true'
uses: smartcontractkit/chainlink-github-actions/chainlink-testing-framework/build-image@75a9005952a9e905649cfb5a6971fd9429436acd # v2.3.25
uses: smartcontractkit/.github/actions/ctf-build-image@1a26fe378d7ebdc34ab1fe31ec4a6d1c376199f8 # [email protected]
with:
cl_repo: smartcontractkit/ccip
cl_ref: ${{ inputs.git_commit_sha }}
Expand All @@ -51,4 +51,4 @@ runs:
shell: sh
run: |
echo "### Chainlink node image tag used for this test run :link:" >>$GITHUB_STEP_SUMMARY
echo "\`${GITHUB_SHA}\`" >>$GITHUB_STEP_SUMMARY
echo "\`${{inputs.git_commit_sha}}\`" >>$GITHUB_STEP_SUMMARY
92 changes: 25 additions & 67 deletions .github/actions/build-sign-publish-chainlink/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -51,23 +51,11 @@ inputs:
description: When set to the string boolean value of "true", the resulting build image will be signed
default: "false"
required: false
cosign-private-key:
description: The private key to be used with cosign to sign the image
required: false
cosign-public-key:
description: The public key to be used with cosign for verification
required: false
cosign-password:
description: The password to decrypt the cosign private key needed to sign the image
required: false
sign-method:
description: Build image will be signed using keypair or keyless methods
default: "keypair"
required: true
verify-signature:
description: When set to the string boolean value of "true", the resulting build image signature will be verified
default: "false"
required: false

outputs:
docker-image-tag:
description: The docker image tag that was built and pushed
Expand All @@ -84,6 +72,8 @@ runs:
# See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings
run: |
SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }}
OIDC_ISSUER=https://token.actions.githubusercontent.com
OIDC_IDENTITY=https://github.com/smartcontractkit/chainlink/.github/workflows/build-publish.yml@${{ github.ref }}
SHARED_TAG_LIST=$(cat << EOF
type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }}
Expand All @@ -101,6 +91,9 @@ runs:
echo "$SHARED_IMAGES" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
echo "oidc-issuer=${OIDC_ISSUER}" >> $GITHUB_ENV
echo "oidc-identity=${OIDC_IDENTITY}" >> $GITHUB_ENV
echo "shared-tag-list<<EOF" >> $GITHUB_ENV
echo "$SHARED_TAG_LIST" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
Expand Down Expand Up @@ -171,7 +164,9 @@ runs:
run: |
IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
IMAGE_DIGEST=${{ fromJSON(steps.buildpush-root.outputs.metadata)['containerimage.digest'] }}
echo "root_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
echo "root_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
- name: Generate docker metadata for non-root image
id: meta-nonroot
Expand Down Expand Up @@ -217,6 +212,7 @@ runs:
IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
IMAGE_TAG=$(echo "$IMAGES_NAME_RAW" | cut -d":" -f2)
echo "nonroot_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
echo "nonroot_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
echo '### Docker Image' >> $GITHUB_STEP_SUMMARY
echo "Image Name: ${IMAGE_NAME}" >> $GITHUB_STEP_SUMMARY
echo "Image Digest: ${IMAGE_DIGEST}" >> $GITHUB_STEP_SUMMARY
Expand All @@ -239,74 +235,36 @@ runs:
- if: inputs.sign-images == 'true'
name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
with:
cosign-release: "v1.6.0"
cosign-release: "v2.4.0"

- if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
name: Sign the published root Docker image using keypair method
shell: sh
env:
COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
run: |
echo "${{ inputs.cosign-private-key }}" > cosign.key
cosign sign --key cosign.key "${{ env.root_image_name }}"
rm -f cosign.key
- if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
name: Verify the signature of the published root Docker image using keypair
shell: sh
run: |
echo "${{ inputs.cosign-public-key }}" > cosign.key
cosign verify --key cosign.key "${{ env.root_image_name }}"
rm -f cosign.key
- if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
# This automatically signs the image with the correct OIDC provider from Github
- if: inputs.sign-images == 'true'
name: Sign the published root Docker image using keyless method
shell: sh
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign "${{ env.root_image_name }}"
cosign sign "${{ env.root_image_name }}" --yes
- if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
- if: inputs.verify-signature == 'true'
name: Verify the signature of the published root Docker image using keyless
shell: sh
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign verify "${{ env.root_image_name }}"
- if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
name: Sign the published non-root Docker image using keypair method
shell: sh
env:
COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
run: |
echo "${{ inputs.cosign-private-key }}" > cosign.key
cosign sign --key cosign.key "${{ env.nonroot_image_name }}"
rm -f cosign.key
- if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
name: Verify the signature of the published non-root Docker image using keypair
shell: sh
run: |
echo "${{ inputs.cosign-public-key }}" > cosign.key
cosign verify --key cosign.key "${{ env.nonroot_image_name }}"
rm -f cosign.key
cosign verify "${{ env.root_image_name }}" \
--certificate-oidc-issuer ${{ env.oidc-issuer }} \
--certificate-identity "${{ env.oidc-identity }}"
- if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
# This automatically signs the image with the correct OIDC provider from Github
- if: inputs.sign-images == 'true'
name: Sign the published non-root Docker image using keyless method
shell: sh
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign "${{ env.nonroot_image_name }}"
cosign sign "${{ env.nonroot_image_name }}" --yes
- if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
- if: inputs.verify-signature == 'true'
name: Verify the signature of the published non-root Docker image using keyless
shell: sh
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign verify "${{ env.nonroot_image_name }}"
cosign verify "${{ env.nonroot_image_name }}" \
--certificate-oidc-issuer ${{ env.oidc-issuer }} \
--certificate-identity "${{ env.oidc-identity }}"
Loading

0 comments on commit d888177

Please sign in to comment.