ci: Add the release and security workflows (#6)

* ci: Add the release and security workflows

* chore: update the pinned node version

* chore: update the pnpm-lock file

* chore: test the release drafter action

* chore: test the release drafter action

* chore: update the release drafter

* chore: add nx to run tests

* feat: update the changeset release process

* chore: add a publish script

* chore: trigger release workflow

* chore: trigger release workflow

* chore: add the missing prepare actions

* chore: update the PAT

* chore: update the PAT

* Revert "feat: update the changeset release process"

This reverts commit 2836632.

* Revert "chore: add a publish script"

This reverts commit 72baf2f.

* chore: integrate github app

* chore: test github app

* feat: automate the release process using changesets

* fix: fix the workflow synatx error

* fix: add GH app authentication

* fix: fix the workflow syntax error

* fix: fix GH app authentication

* fix: test GH app authentication

* fix: add GH app authentication in prepare action

* fix: add runs-on on prepare action

* fix: fix composite action

* fix: fix composite action

* fix: authenticate state and start steps

* fix: authenticate state and start steps

* fix: authenticate state and start steps

* fix: authenticate state and start steps

* fix: authenticate state and start steps

* fix: update the input token

* fix: add missing packages

* fix: add missing packages

* chore: test start of rc

* chore: test start of rc release

* chore: test start of rc release

* chore: add the missing pull-requests: write permission

* chore: make version_tag optional for n ow

* chore: test the RC release flow

* 🤖 chore: Push the release candidate change

* chore: test the RC release flow

* chore: test the RC release flow

* chore: test sign commits using action

* chore: test sign commits using action

* chore: fix sign commits using action

* chore: clean up the gh PR creation action

* chore: test the gh app token step

* chore: introduce a merge back step from develop to main branch after a release

* chore: remove the release drafter to favor populating the release using changelog.md file

* chore: update package.json scripts

* chore: trigger build

* chore: trigger build

* chore: pin action versions

* chore: debug startup failure

* chore: debug startup failure

* chore: fix startup failure

* chore: fix startup failure

* chore: fix startup failure

* chore: fix startup failure

* chore: update the sbom needs

* chore: update the the gapp token

* chore: fix workflow

* chore: fix workflow

* chore: set skip-token-revoke to truthy

* chore: debug gapp job

* chore: do away with a separate gapp token job. We can revisit later

* chore: do away with a separate gapp token job

* chore: install prerequisites

* chore: comment out provenance as the repo is private

* chore: clean up and remove reyrn of workflows

* chore: refactor release strategy to use release branches

* chore: fix sbom step dependency

* chore: trigger build

* chore: trigger build to test

* chore: trigger build to test

* chore: trigger build to test

* chore: trigger build to test

* chore: trigger build to test

* chore: trigger build to test

* chore: clean up workflow

* chore: remove the version.yml workflow file as it's no longer needed

* chore: test signing using gapp

* chore: test slsa provenance

* chore: test sbom

* chore: test provenance

* chore: fix eslint command

* chore: update slsa node version

* chore: add the missing build script

* chore: add the missing nx-test-skip-cache script

* chore: add a step to create a temo-dir for provenance

* chore: add sbom provenance dep

* chore: allow PR details in the changelog file

* chore: remove the test branch

* chore: pin versions and use gap token on all actions

* chore: comment out codeql until we go public and fix node version in prepare action

* chore: test sbom

* chore: test sbom

* chore: test sbom upload to a gh release

* chore: test sbom upload to a gh release

* chore: allow upload of sbom to a release

* feat: Xample cancel transaction (#7)

* chore: disable the dependency review workflow until the repo goes public

* chore: remove docker scan step as the project is not dockerised

* chore: update the CI workflow to use pinned SHA on the actions

* chore: send build status to slack

* chore: add a release workflow diagram

* chore: remove the test changelog file

* chore: add a release workflow diagram

* chore: pin slsa version

* chore: unpin slsa version

* chore: pin slsa version

* chore: add CLA

* chore: disable cla until we go public

* chore: enable cla

---------

Co-authored-by: collins-w <collins-w@users.noreply.github.com>
Co-authored-by: nahimterrazas <nahim.terrazas@openzeppelin.com>

Author: collins-w

.changeset/README.md

@@ -0,0 +1,8 @@
+# Changesets
+
+Hello and welcome! This folder has been automatically generated by `@changesets/cli`, a build tool that works
+with multi-package repos, or single-package repos to help you version and publish your code. You can
+find the full documentation for it [in our repository](https://github.com/changesets/changesets)
+
+We have a quick list of common questions to get you started engaging with this project in
+[our documentation](https://github.com/changesets/changesets/blob/main/docs/common-questions.md)

.changeset/config.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://unpkg.com/@changesets/config@2.3.0/schema.json",
+  "changelog": [
+    "@changesets/changelog-github",
+    {
+      "repo": "OpenZeppelin/openzeppelin-relayer-sdk"
+    }
+  ],
+  "commit": false,
+  "access": "restricted",
+  "baseBranch": "main"
+}

.github/actions/prepare/action.yml

@@ -0,0 +1,32 @@
+---
+name: Pre-requisites
+description: |
+  Setup Pre-requisites
+
+inputs:
+  token:
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout Repo
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.5.4
+      with:
+        token: ${{ inputs.token }}
+        persist-credentials: true
+    - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda #v4.1.0
+      with:
+        version: 9
+        run_install: false
+
+    - name: Use node@22
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      with:
+        node-version: 22.14.0
+        cache: 'pnpm'
+
+    - name: Install dependencies
+      run: |
+        pnpm install-deps
+      shell: bash

.github/workflows/ci.yaml

@@ -11,17 +11,17 @@ jobs:
     steps:
       # Checkout the repository
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.5.4
 
       # Set up Node.js
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22' # Use the latest LTS version for stability
+          node-version: '22.14.0'
 
       # Cache pnpm dependencies
       - name: Cache pnpm dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ~/.pnpm-store
@@ -49,17 +49,17 @@ jobs:
     steps:
       # Checkout the repository
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.5.4
 
       # Set up Node.js
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: '22' # Use the latest LTS version for stability
+          node-version: '22.14.0'
 
       # Restore pnpm dependencies from cache
       - name: Restore pnpm dependencies from cache
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: |
             ~/.pnpm-store
@@ -83,32 +83,3 @@ jobs:
       # Run tests
       - name: Run tests
         run: pnpm test
-
-  docker-scan:
-    runs-on: ubuntu-latest
-    needs: build-and-test
-
-    steps:
-      # Checkout the repository
-      - name: Checkout Code
-        uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build local container
-        uses: docker/build-push-action@v6
-        with:
-          tags: oss-dev:${{ github.sha }}
-          push: false
-          load: true
-          file: Dockerfile.development
-          platforms: linux/amd64
-
-      - name: Scan image
-        uses: anchore/scan-action@v5
-        with:
-          image: oss-dev:${{ github.sha }}
-          fail-build: true
-          severity-cutoff: high
-          output-format: table

.github/workflows/cla.yml

@@ -0,0 +1,63 @@
+name: "CLA Assistant"
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened,closed,synchronize]
+
+permissions:
+  actions: write
+  contents: write 
+  pull-requests: write
+  statuses: write
+
+jobs:
+  CLAAssistant:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7
+        id: gh-app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout Private Repo for Allowlist
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          repository: OpenZeppelin/cla-sigs
+          token: ${{ steps.gh-app-token.outputs.token }}
+          sparse-checkout: |
+            allowlist.txt
+          sparse-checkout-cone-mode: false
+
+      - name: Read Allowlist File
+        id: read_allowlist
+        run: |
+          ALLOWLIST=$(cat allowlist.txt)
+          echo "allowlist=$ALLOWLIST" >> $GITHUB_OUTPUT
+
+      - name: "CLA Assistant"
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I confirm that I have read and hereby agree to the OpenZeppelin Contributor License Agreement') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 #v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ steps.gh-app-token.outputs.token }}
+          PERSONAL_ACCESS_TOKEN: ${{ steps.gh-app-token.outputs.token }}
+        with:
+          path-to-signatures: 'signatures/${{ github.event.repository.name }}/v1_cla.json'
+          path-to-document: 'https://github.com/OpenZeppelin/cla-assistant/blob/main/openzeppelin_2025_cla.md'
+          branch: 'main'
+          allowlist: ${{ steps.read_allowlist.outputs.allowlist }}
+          remote-organization-name: 'OpenZeppelin'
+          remote-repository-name: 'cla-sigs'
+          custom-notsigned-prcomment: >
+            Thank you for your contribution to OpenZeppelin Relayer SDK.
+            Before being able to integrate those changes, we would like you to
+            sign our [Contributor License Agreement](https://github.com/OpenZeppelin/cla-assistant/blob/main/openzeppelin_2025_cla.md).
+
+            You can sign the CLA by just posting a Pull Request Comment with the sentence below. Thanks.
+          custom-pr-sign-comment: 'I confirm that I have read and hereby agree to the OpenZeppelin Contributor License Agreement'

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,38 @@
+# TODO: To be uncommeted when the repo goes public
+# name: "CodeQL"
+
+# on:
+#   push:
+#     branches: ["main"]
+#   pull_request:
+#     branches: ["main"]
+#   schedule:
+#     - cron: '40 12 * * 3'
+
+# jobs:
+#   analyze:
+#     name: Code Analysis
+#     runs-on: ubuntu-latest
+#     permissions:
+#       actions: read
+#       contents: read
+#       security-events: write
+
+#     strategy:
+#       fail-fast: false
+#       matrix:
+#         language: ["javascript"]
+
+#     steps:
+#       - name: Checkout repository
+#         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.5.4
+
+#       - name: Initialize CodeQL
+#         uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+#         with:
+#           languages: ${{ matrix.language }}
+
+#       - name: Perform CodeQL Analysis
+#         uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+#         with:
+#           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,29 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+
+## TODO: Uncomment when the repo goes public
+# name: 'Dependency Review'
+# on: [pull_request]
+
+# permissions:
+#   contents: read
+
+# jobs:
+#   dependency-review:
+#     runs-on: ubuntu-latest
+#     steps:
+#       - name: Harden Runner
+#         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+#         with:
+#           egress-policy: audit
+
+#       - name: 'Checkout Repository'
+#         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+#       - name: 'Dependency Review'
+#         uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4