bsv-blockchain
diff --git a/‎.github/.env.base‎
Lines changed: 7 additions & 1 deletion b/‎.github/.env.base‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎.github/actions/setup-magex/action.yml‎
Lines changed: 11 additions & 5 deletions b/‎.github/actions/setup-magex/action.yml‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎.github/workflows/auto-merge-on-approval.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/auto-merge-on-approval.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 2 additions & 3 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎.github/workflows/dependabot-auto-merge.yml‎
Lines changed: 2 additions & 3 deletions b/‎.github/workflows/dependabot-auto-merge.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎.github/workflows/fortress-benchmarks.yml‎
Lines changed: 4 additions & 3 deletions b/‎.github/workflows/fortress-benchmarks.yml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎.github/workflows/fortress-code-quality.yml‎
Lines changed: 8 additions & 3 deletions b/‎.github/workflows/fortress-code-quality.yml‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎.github/workflows/fortress-completion-finalize.yml‎
Lines changed: 5 additions & 4 deletions b/‎.github/workflows/fortress-completion-finalize.yml‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎.github/workflows/fortress-completion-report.yml‎
Lines changed: 14 additions & 4 deletions b/‎.github/workflows/fortress-completion-report.yml‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎.github/workflows/fortress-completion-statistics.yml‎
Lines changed: 5 additions & 4 deletions b/‎.github/workflows/fortress-completion-statistics.yml‎
Lines changed: 5 additions & 4 deletions
@@ -235,7 +235,7 @@ REDIS_CACHE_FORCE_PULL=false           # Force pull Redis images even when cache
 # 🪄 MAGE-X CONFIGURATION
 # ================================================================================================
 
-MAGE_X_VERSION=v1.11.0                                        # https://github.com/mrz1836/mage-x/releases
+MAGE_X_VERSION=v1.12.2                                        # https://github.com/mrz1836/mage-x/releases
 MAGE_X_USE_LOCAL=false                                        # Use local version for development
 MAGE_X_CI_SKIP_STEP_SUMMARY=true                              # Skip duplicate test results in step summary (already in test validation summary)
 MAGE_X_AUTO_DISCOVER_BUILD_TAGS=true                          # Enable auto-discovery of build tags
@@ -293,6 +293,12 @@ GITLEAKS_CONFIG_FILE=
 # Nancy CVE Exclusions (known acceptable vulnerabilities)
 NANCY_EXCLUDES=CVE-2024-38513,CVE-2023-45142
 
+# Govulncheck/Magex CVE Exclusions (known acceptable vulnerabilities)
+# Format: comma-separated CVE IDs (e.g., CVE-2024-38513,CVE-2023-45142)
+# Used by: magex deps:audit (govulncheck) (env or param)
+# Can also be passed via: magex deps:audit exclude=CVE-2024-38513
+MAGE_X_CVE_EXCLUDES=CVE-2024-38513,CVE-2023-45142
+
 # OSS Index Authentication for Nancy (optional)
 # Username (email) for OSS Index authentication - reduces rate limits and provides better vulnerability data
 # Get your API token from: https://ossindex.sonatype.org/user-token
 
@@ -112,6 +112,8 @@ runs:
     - name: ✅ Download MAGE-X binary (remote mode only)
       if: inputs.use-local != 'true' && steps.magex-cache.outputs.cache-hit != 'true'
       shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
       run: |
         echo "⬇️ Cache miss – downloading MAGE-X binary..."
         echo "📋 Downloading MAGE-X version ${{ inputs.magex-version }}..."
@@ -141,18 +143,22 @@ runs:
         VERSION="${{ inputs.magex-version }}"
         CLEAN_VERSION="${VERSION#v}"
 
-        # Build download URL
-        DOWNLOAD_URL="https://github.com/mrz1836/mage-x/releases/download/$VERSION/mage-x_${CLEAN_VERSION}_${OS}_${ARCH}.tar.gz"
-        echo "📥 Downloading from: $DOWNLOAD_URL"
+        # Build asset name and download using gh CLI
+        ASSET_NAME="mage-x_${CLEAN_VERSION}_${OS}_${ARCH}.tar.gz"
+        echo "📥 Downloading asset: $ASSET_NAME from mrz1836/mage-x@$VERSION"
 
         # Download and extract
         TEMP_DIR=$(mktemp -d)
         cd "$TEMP_DIR"
 
-        if curl -fsSL "$DOWNLOAD_URL" -o mage-x.tar.gz; then
+        if gh release download "$VERSION" \
+            --repo mrz1836/mage-x \
+            --pattern "$ASSET_NAME" \
+            --dir .; then
           echo "✅ Download successful"
+          mv "$ASSET_NAME" mage-x.tar.gz
         else
-          echo "❌ Download failed from $DOWNLOAD_URL"
+          echo "❌ Download failed for $ASSET_NAME from mrz1836/mage-x@$VERSION"
           exit 1
         fi
 
 
@@ -34,10 +34,8 @@ on:
   pull_request:
     types: [ready_for_review, review_request_removed]
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read # Default read-only access to repository contents
-  pull-requests: read # Default read access to pull requests
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 # --------------------------------------------------------------------
 # Concurrency Control
@@ -58,6 +56,8 @@ jobs:
   load-env:
     name: 🌍 Load Environment Variables
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       env-json: ${{ steps.load-env.outputs.env-json }}
     steps:
 
@@ -18,9 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   analyze:
 
@@ -30,9 +30,8 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 # --------------------------------------------------------------------
 # Concurrency Control
 
@@ -87,9 +87,8 @@ on:
         description: "GitHub token for API access"
         required: true
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -98,6 +97,8 @@ jobs:
   benchmark-go:
     name: 🏃 Benchmark (${{ matrix.name }})
     timeout-minutes: ${{ inputs.benchmark-timeout }}
+    permissions:
+      contents: read
     strategy:
       fail-fast: false # Continue running other benchmarks if one fails
       matrix: ${{ fromJSON(inputs.benchmark-matrix) }}
 
@@ -53,9 +53,8 @@ on:
         description: "GitHub token for API access"
         required: true
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -65,6 +64,8 @@ jobs:
     name: 📊 Govet (Static Analysis)
     if: ${{ inputs.static-analysis-enabled == 'true' }}
     runs-on: ${{ inputs.primary-runner }}
+    permissions:
+      contents: read
     steps:
       # --------------------------------------------------------------------
       # Checkout code (required for local actions)
@@ -210,6 +211,8 @@ jobs:
     timeout-minutes: 20
     if: ${{ inputs.go-lint-enabled == 'true' }}
     runs-on: ${{ inputs.primary-runner }}
+    permissions:
+      contents: read
     outputs:
       golangci-lint-version: ${{ steps.golangci-lint-version.outputs.version }}
     steps:
@@ -430,6 +433,8 @@ jobs:
     name: 📐 YAML/JSON Format Validation
     if: ${{ inputs.yaml-lint-enabled == 'true' }}
     runs-on: ${{ inputs.primary-runner }}
+    permissions:
+      contents: read
     outputs:
       yamlfmt-version: ${{ steps.yamlfmt-version.outputs.version }}
     steps:
 
@@ -40,10 +40,8 @@ on:
         description: "Complete assembled report"
         value: ${{ jobs.finalize-report.outputs.report-content }}
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
-  actions: read # Required for artifact downloads
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -53,6 +51,9 @@ jobs:
     name: ✅ Finalize Report
     runs-on: ubuntu-latest
     if: always()
+    permissions:
+      contents: read
+      actions: read
     outputs:
       report-content: ${{ steps.set-output.outputs.content }}
     steps:
 
@@ -96,10 +96,8 @@ on:
         type: string
         default: "full"
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
-  actions: read # Required for artifact downloads
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -109,6 +107,9 @@ jobs:
     name: 📊 Initialize Report Data
     runs-on: ${{ inputs.primary-runner }}
     if: always()
+    permissions:
+      contents: read
+      actions: read
     outputs:
       timing-data: ${{ steps.calculate-timing.outputs.timing-json }}
     steps:
@@ -158,6 +159,9 @@ jobs:
     name: 📊 Process Statistics
     needs: initialize-report
     if: always()
+    permissions:
+      contents: read
+      actions: read
     uses: ./.github/workflows/fortress-completion-statistics.yml
     with:
       timing-metrics: ${{ needs.initialize-report.outputs.timing-data }}
@@ -170,6 +174,9 @@ jobs:
     name: 🧪 Process Test Analysis
     needs: initialize-report
     if: always()
+    permissions:
+      contents: read
+      actions: read
     uses: ./.github/workflows/fortress-completion-tests.yml
     with:
       test-suite-result: ${{ inputs.test-suite-result }}
@@ -182,6 +189,9 @@ jobs:
     name: ✅ Finalize Report
     needs: [initialize-report, process-statistics, process-tests]
     if: always()
+    permissions:
+      contents: read
+      actions: read
     uses: ./.github/workflows/fortress-completion-finalize.yml
     with:
       all-inputs: ${{ toJSON(inputs) }}
 
@@ -41,10 +41,8 @@ on:
         description: "Coverage metrics"
         value: ${{ jobs.process-statistics.outputs.coverage-data }}
 
-# Security: Restrictive default permissions with job-level overrides for least privilege access
-permissions:
-  contents: read
-  actions: read # Required for artifact downloads
+# Security: Restrict default permissions (jobs must explicitly request what they need)
+permissions: {}
 
 jobs:
   # ----------------------------------------------------------------------------------
@@ -54,6 +52,9 @@ jobs:
     name: 📊 Process Statistics
     runs-on: ubuntu-latest
     if: always()
+    permissions:
+      contents: read
+      actions: read
     outputs:
       statistics-markdown: ${{ steps.set-output.outputs.content }}
       cache-data: ${{ steps.process-cache.outputs.cache-metrics }}