From 3a79dddd9fd5f9a0ea853680f4b228db909a65c7 Mon Sep 17 00:00:00 2001
From: rodrigopavezi
Date: Thu, 14 May 2026 07:57:21 -0300
Subject: [PATCH 1/3] ci: harden GitHub Actions against supply chain attacks
- Pin all third-party actions to immutable commit SHAs
- Add top-level permissions: contents: read to all workflows
- Add StepSecurity Harden Runner (egress-policy: audit) to every job
- Add SocketDev/action (firewall-free) + sfw install wrapper to tron-smart-contracts jobs
- Pin github/codeql-action/upload-sarif to SHA (runs with security-events: write)
Closes RequestNetwork/private-issues#282
---
 .github/workflows/auto-project.yml | 3 ++
 .github/workflows/auto_assign_pr.yml | 6 ++-
 .github/workflows/pr-comments.yml | 4 ++
 .../workflows/reopen-issue-if-prs-open.yml | 3 ++
 .github/workflows/security-echidna.yml | 16 ++++---
 .github/workflows/security-slither.yml | 16 ++++---
 .github/workflows/tron-smart-contracts.yml | 48 +++++++++++++++----
 7 files changed, 74 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/auto-project.yml b/.github/workflows/auto-project.yml
index 4747379b4b..db78c5fdcc 100644
--- a/.github/workflows/auto-project.yml
+++ b/.github/workflows/auto-project.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: [opened]
+permissions:
+ contents: read
+
 jobs:
 add-to-project:
 uses: RequestNetwork/.github/.github/workflows/add-to-project.yml@main
diff --git a/.github/workflows/auto_assign_pr.yml b/.github/workflows/auto_assign_pr.yml
index 7dc5326ec4..cacc16f2b0 100644
--- a/.github/workflows/auto_assign_pr.yml
+++ b/.github/workflows/auto_assign_pr.yml
@@ -12,4 +12,8 @@ jobs:
 add-reviews:
 runs-on: ubuntu-latest
 steps:
- - uses: kentaro-m/auto-assign-action@v1.2.0
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
+ with:
+ egress-policy: audit
+ - uses: kentaro-m/auto-assign-action@50ee9a1818bde2eb93a948448994a9d414457e3a # v1.2.0
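Review bot: The new top-level `contents: read` in auto-project.yml now caps the token handed to the reusable workflow called on the context line `uses: RequestNetwork/.github/.github/workflows/add-to-project.yml@main`; a called workflow cannot raise its permissions above the caller's, so if that workflow uses `GITHUB_TOKEN` rather than a PAT secret to add the issue to a project it will presumably start failing, and the same applies to the reopen-issue-if-prs-open.yml hunk. Please confirm against the called workflows and, where `GITHUB_TOKEN` is used, grant the needed scope explicitly in the caller. The `@main` reference is also the one mutable ref the series leaves unpinned; that may be acceptable for a same-org workflow, but a comment such as `# same-org reusable workflow; tracked on main by policy, not SHA-pinned` above the `uses:` line would record the decision next to the pinned third-party actions.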
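Review bot: auto_assign_pr.yml receives the Harden Runner step but no top-level `permissions:` block, although the commit message says `contents: read` was added to all workflows; the diffstat (`6 ++-`, five insertions and one deletion) confirms this hunk is the file's only change, so the job presumably still runs with the repository's default token scope. If that is deliberate because kentaro-m/auto-assign-action needs to request reviewers, make the grant explicit rather than inherited, e.g. `permissions:` / `contents: read` / `pull-requests: write` above `jobs:`. Separately, `egress-policy: audit` only logs outbound connections and blocks nothing; this holds for the Harden Runner steps added to security-echidna.yml, security-slither.yml and tron-smart-contracts.yml as well, so the follow-up should move to `egress-policy: block` with an `allowed-endpoints` list once the audit runs have collected the endpoint set.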
diff --git a/.github/workflows/pr-comments.yml b/.github/workflows/pr-comments.yml
index ce41e4b9c8..007e7c3339 100644
--- a/.github/workflows/pr-comments.yml
+++ b/.github/workflows/pr-comments.yml
@@ -4,6 +4,10 @@ on:
 pull_request_target:
 types: [opened, ready_for_review, closed]
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 pr-comments:
 name: PR Comments
diff --git a/.github/workflows/reopen-issue-if-prs-open.yml b/.github/workflows/reopen-issue-if-prs-open.yml
index 986342f103..665c07d030 100644
--- a/.github/workflows/reopen-issue-if-prs-open.yml
+++ b/.github/workflows/reopen-issue-if-prs-open.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: [closed]
+permissions:
+ contents: read
+
 jobs:
 reopen-if-needed:
 uses: RequestNetwork/.github/.github/workflows/reopen-issue-if-prs-open.yml@main
diff --git a/.github/workflows/security-echidna.yml b/.github/workflows/security-echidna.yml
index 5a9b9f404d..601749094e 100644
--- a/.github/workflows/security-echidna.yml
+++ b/.github/workflows/security-echidna.yml
@@ -34,13 +34,17 @@ jobs:
 timeout-minutes: 90
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
+ with:
+ egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '22'
 cache: 'yarn'
@@ -82,7 +86,7 @@ jobs:
 echidna --version
 - name: Restore corpus cache
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: packages/smart-contracts/corpus
 key: echidna-corpus-${{ github.ref_name }}-${{ github.sha }}
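Review bot: pr-comments.yml pairs the `pull_request_target` trigger shown in the hunk's context with the new `pull-requests: write` grant, so a PR opened from a fork now starts a run whose token can write to the base repository. The job's steps are outside the hunk, so this is a point to confirm rather than a defect seen here: the job must not check out or execute the PR head (no `ref: ${{ github.event.pull_request.head.sha }}` style checkout) and should pass untrusted PR fields such as the title or body into scripts via `env:` rather than interpolating them into `run:` or `script:` text. A comment above the block, e.g. `# pull-requests: write is needed only to post/edit the PR comment; this workflow must never run PR-head code`, would keep that invariant visible to later editors.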
@@ -175,7 +179,7 @@ jobs:
 - name: Upload Echidna reports
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: echidna-reports-${{ steps.mode.outputs.MODE }}
 path: |
@@ -185,7 +189,7 @@ jobs:
 - name: Comment on PR
 if: github.event_name == 'pull_request' && always()
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
@@ -257,7 +261,7 @@ jobs:
 - name: Create issue for nightly failures
 if: github.event_name == 'schedule' && steps.echidna.outcome == 'failure'
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
diff --git a/.github/workflows/security-slither.yml b/.github/workflows/security-slither.yml
index c58fb1f0f9..bda7b239c6 100644
--- a/.github/workflows/security-slither.yml
+++ b/.github/workflows/security-slither.yml
@@ -21,13 +21,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
+ with:
+ egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '22'
 cache: 'yarn'
@@ -48,7 +52,7 @@ jobs:
 yarn build:sol
 - name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.11'
 cache: 'pip'
@@ -90,14 +94,14 @@ jobs:
 - name: Upload SARIF to GitHub Security
 if: always() && hashFiles('packages/smart-contracts/reports/security/slither.sarif') != ''
- uses: github/codeql-action/upload-sarif@v4
+ uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4
 with:
 sarif_file: packages/smart-contracts/reports/security/slither.sarif
 category: slither
 - name: Upload Slither reports
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: slither-reports
 path: packages/smart-contracts/reports/security/
@@ -132,7 +136,7 @@ jobs:
 - name: Comment on PR
 if: github.event_name == 'pull_request' && always()
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 script: |
diff --git a/.github/workflows/tron-smart-contracts.yml b/.github/workflows/tron-smart-contracts.yml
index a7cd610cff..0f28d4e889 100644
--- a/.github/workflows/tron-smart-contracts.yml
+++ b/.github/workflows/tron-smart-contracts.yml
@@ -32,17 +32,24 @@ on:
 - 'packages/currency/src/chains/tron/**'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 tron-compile-check:
 name: Tron Contract Compilation Check
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
+ with:
+ egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '22'
 cache: 'yarn'
@@ -50,8 +57,13 @@ jobs:
 - name: Install TronBox globally
 run: npm install -g tronbox
+ - name: Setup Socket.dev
+ uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
+ with:
+ mode: firewall-free
+
 - name: Install dependencies
- run: yarn install --frozen-lockfile
+ run: sfw yarn install --frozen-lockfile
 - name: Compile Tron contracts
 working-directory: packages/smart-contracts
@@ -134,17 +146,26 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
+ with:
+ egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '22'
 cache: 'yarn'
+ - name: Setup Socket.dev
+ uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
+ with:
+ mode: firewall-free
+
 - name: Install dependencies
- run: yarn install --frozen-lockfile
+ run: sfw yarn install --frozen-lockfile
 - name: Build dependencies
 run: |
@@ -163,17 +184,26 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2
+ with:
+ egress-policy: audit
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '22'
 cache: 'yarn'
+ - name: Setup Socket.dev
+ uses: SocketDev/action@ba6de6cc0565af1f42295590380973573297e31f # v1.3.2
+ with:
+ mode: firewall-free
+
 - name: Install dependencies
- run: yarn install --frozen-lockfile
+ run: sfw yarn install --frozen-lockfile
 - name: Build smart-contracts package
 run: |
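Review bot: In the tron-compile-check hunk the Socket.dev setup step is inserted directly after the context lines `- name: Install TronBox globally` / `run: npm install -g tronbox`, so that global install is neither version-pinned nor routed through the `sfw` wrapper and remains an unguarded registry fetch in the very job the commit is hardening. Move the Setup Socket.dev step ahead of it and pin the package, e.g. `run: sfw npm install -g tronbox@<version>` with the version placeholder replaced by the release the project actually builds against. The two later hunks wrap only `yarn install`, which looks complete from what is shown, but each of those jobs begins above its hunk so any earlier install steps are not visible here. What `mode: firewall-free` enforces (alert only vs. block) is not stated anywhere on the page; a one-line comment above the step recording the expected behavior would spare the next reader a lookup.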
From a8e46ba1125b4abbb1b31a3c91ea58acf5fe564a Mon Sep 17 00:00:00 2001
From: rodrigopavezi
Date: Thu, 14 May 2026 08:15:24 -0300
Subject: [PATCH 2/3] fix(ci): add issues: write permission to security-echidna workflow
The nightly failure-alert step calls github.rest.issues.create() to notify the team when Echidna properties fail. Without issues: write the call silently returns a 403 and the alert is never created.
---
 .github/workflows/security-echidna.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/security-echidna.yml b/.github/workflows/security-echidna.yml
index 601749094e..c8ac5f0e7d 100644
--- a/.github/workflows/security-echidna.yml
+++ b/.github/workflows/security-echidna.yml
@@ -26,6 +26,7 @@ on:
 permissions:
 contents: read
 pull-requests: write
+ issues: write
 jobs:
 echidna-fuzzing:
From 20aa4dc94518354ed5f0fa9029b61602c2c780d9 Mon Sep 17 00:00:00 2001
From: MantisClone
Date: Fri, 15 May 2026 15:50:49 -0400
Subject: [PATCH 3/3] chore: re-trigger CI after Performance plan upgrade
The previous CircleCI failures on this PR were caused by the RequestNetwork CircleCI org dropping to the Free plan, which caps Docker resource classes at large. The repo's .circleci/config.yml declares xlarge for build/test jobs (deliberate; see #1703), so every build failed with resource-class-not-in-plan. Org was upgraded to Performance; this empty commit re-triggers the pipeline. No source changes.
Co-Authored-By: Claude Opus 4.7 (1M context)
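Review bot: `issues: write` is added to the workflow-level `permissions:` block, so every job and every trigger of security-echidna.yml, including pull_request runs, now holds it, while the commit message says only the schedule-triggered failure-alert step needs it. The hunk shows only the first line under `jobs:`, so the job layout is not visible; if there is more than one job, or if the PR path can be separated, prefer a job-level `permissions:` on the job that creates the issue so the token used for PR-triggered runs stays at `contents: read` plus `pull-requests: write`. The message's statement that the call "silently" returned a 403 is worth a second look: actions/github-script normally fails the step when the API rejects a request, so if the failure really was silent the step may be running with `continue-on-error` or inside a try/catch that swallows the error, and that handler deserves the same attention as the permission.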