diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 30e51302a..3d377006d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,9 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7
+    groups:
+      gh-actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/action.yml b/.github/workflows/action.yml
index e4f498ef2..31291e9ce 100644
--- a/.github/workflows/action.yml
+++ b/.github/workflows/action.yml
@@ -8,15 +8,20 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Assert test
-        uses: crytic/echidna-action@v2
+        uses: crytic/echidna-action@f7e374e42bf7131f7307a92f5549ed6b2fd17c9d # v2
         with:
           files: "tests/solidity/basic/assert.sol"
           contract: "TestAssert"
@@ -25,7 +30,7 @@ jobs:
           negate-exit-status: 1
 
       - name: Multi-abi test
-        uses: crytic/echidna-action@v2
+        uses: crytic/echidna-action@f7e374e42bf7131f7307a92f5549ed6b2fd17c9d # v2
         with:
           files: "tests/solidity/basic/multi-abi.sol"
           contract: "B"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bc0844091..eab42bae5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 env:
   # Tag for cache invalidation
   CACHE_VERSION: v10
@@ -38,7 +41,7 @@ jobs:
         run: brew install automake
 
       - name: Get Packages (Windows)
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@cafece8e6baf9247cf9b1bf95097b0b983cc558d # v2
         if: runner.os == 'Windows'
         id: msys2
         with:
@@ -61,7 +64,7 @@ jobs:
           openssl:p
 
       - name: Install Stack
-        uses: haskell-actions/setup@v2
+        uses: haskell-actions/setup@f9150cb1d140e9a9271700670baa38991e6fa25c # v2
         id: stack
         if: matrix.container == ''
         with:
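Review bot: The new `cooldown: default-days: 7` in the dependabot.yml hunk delays every action update by a week, which is a sensible buffer against a freshly retagged or compromised release but also delays updates that fix a vulnerability in a pinned action; it is not visible here whether Dependabot's security-driven updates bypass the cooldown, so confirm that before relying on it. The `gh-actions` group with `patterns: - "*"` folds every action bump into a single PR, which is only meaningful if this `updates` entry is `package-ecosystem: github-actions` — that key is outside the hunk. A one-line comment above `cooldown:` such as `# 7-day cooldown: let a new action release settle before adopting it` would record the intent for the next maintainer.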
@@ -128,10 +131,12 @@ jobs:
           MSYS2_LOCATION: ${{ steps.msys2.outputs.msys2-location }}
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Cache Local
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
         with:
           path: |
             ~/.local
@@ -143,7 +148,7 @@ jobs:
           printf "\nflags:\n hevm:\n static-secp256k1: true\n echidna:\n static: true\n" >> stack.yaml
 
       - name: Cache Stack & Cabal
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
         with:
           path: |
             .stack-work
@@ -188,7 +193,7 @@ jobs:
         run: GZIP=-9 tar -czf echidna.tar.gz -C $APPDATA/local/bin/ echidna.exe
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: echidna-${{ runner.os }}
           path: echidna.tar.gz
@@ -202,7 +207,7 @@ jobs:
 
       - name: Upload testsuite
         if: runner.os != 'macOS'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: echidna-testsuite-${{ runner.os }}
           path: echidna-testsuite*
@@ -231,12 +236,13 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: '3.10'
 
@@ -252,10 +258,10 @@ jobs:
           SOLC_VER: ${{ matrix.solc }}
 
       - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@8789b3e21e6c11b2697f5eb56eddae542f746c10 # v1
 
       - name: Download testsuite
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: echidna-testsuite-${{ runner.os }}
 
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 96c86a165..a7da44705 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -7,10 +7,15 @@ on:
     tags:
       - '*'
 
+permissions: {}
+
 jobs:
   build:
     name: build ${{ matrix.platform }} container
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: write
     strategy:
       fail-fast: false
       matrix:
@@ -27,14 +32,14 @@ jobs:
           PLATFORM: "${{ matrix.platform }}"
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
         id: buildx
         with:
           install: true
 
       - name: Set Docker metadata (Ubuntu & NVM variant)
         id: meta-ubuntu
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: |
             ghcr.io/${{ github.repository }}/echidna
@@ -53,21 +58,21 @@ jobs:
           } >> "$GITHUB_OUTPUT"
 
       - name: GitHub Container Registry Login
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker Hub Login
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         if: github.repository == 'crytic/echidna'
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
 
       - name: Docker Build and Push (Ubuntu & NVM variant)
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
         id: build-ubuntu
         with:
           platforms: ${{ matrix.platform }}
@@ -87,7 +92,7 @@ jobs:
           DIGEST_UBUNTU: "${{ steps.build-ubuntu.outputs.digest }}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: digests-${{ env.PLATFORM_PAIR }}
           path: ${{ runner.temp }}/digests/*
@@ -97,36 +102,39 @@ jobs:
   merge:
     name: merge containers
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     needs:
       - build
     steps:
       - name: Download digests
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*
           merge-multiple: true
 
       - name: GitHub Container Registry Login
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker Hub Login
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         if: github.repository == 'crytic/echidna'
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Set Docker metadata (Ubuntu & NVM variant)
         id: meta-ubuntu
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: |
             ghcr.io/${{ github.repository }}/echidna
diff --git a/.github/workflows/hlint.yml b/.github/workflows/hlint.yml
index acfdc7e53..1f7ea8210 100644
--- a/.github/workflows/hlint.yml
+++ b/.github/workflows/hlint.yml
@@ -8,15 +8,20 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   hlint:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install Nix
-        uses: cachix/install-nix-action@v31
+        uses: cachix/install-nix-action@51f3067b56fe8ae331890c77d4e454f6d60615ff # v31
         with:
           nix_path: nixpkgs=channel:nixos-unstable
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 61a3bc4a4..a8efc83af 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,8 @@ on:
     branches:
       - master
 
+permissions: {}
+
 jobs:
   nixBuild:
     name: Build ${{ matrix.name }} binary
@@ -41,13 +43,15 @@ jobs:
             system: aarch64-darwin
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@v21
+        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
 
       - name: Configure Cachix
-        uses: cachix/cachix-action@v17
+        uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
         with:
           name: trailofbits
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
@@ -77,7 +81,7 @@ jobs:
           NIX_SYSTEM: ${{ matrix.system }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: echidna-redistributable-${{ matrix.tuple }}
           path: echidna-${{ steps.version.outputs.version }}-${{ matrix.tuple }}.tar.gz
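Review bot: With `permissions: {}` now at the workflow level in release.yml, the `nixBuild` job only keeps a usable `GITHUB_TOKEN` if it declares its own job-level `permissions:` block, and that block (if one exists) lies outside the `@@ -41,13 +43,15 @@` hunk, which begins at the job's matrix and `steps:`; `actions/checkout` in that hunk still authenticates its fetch with the token even though `persist-credentials: false` stops it from being written into the clone afterwards. The docker.yml change in this same commit pairs the empty workflow-level grant with an explicit job-level `permissions:` / `contents: read`, and the `release` job is shown with `id-token: write`, so it evidently already has a job-level block; if `nixBuild` has none, adding `permissions:` with `contents: read` on that job keeps this file consistent with that pattern and makes the checkout's requirement explicit rather than relying on the public-repo fallback. Whether the unauthenticated path works for this repository cannot be confirmed from the hunk, so verify on a tag build before merging.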
@@ -93,21 +97,23 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Download binaries
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           pattern: echidna-redistributable-*
           merge-multiple: true
 
       - name: Sign binaries
-        uses: sigstore/gh-action-sigstore-python@v3.2.0
+        uses: sigstore/gh-action-sigstore-python@a5caf349bc536fbef3668a10ed7f5cd309a4b53d # v3.2.0
         with:
           inputs: ./echidna-*.tar.gz
 
       - name: Create GitHub release and upload binaries
-        uses: softprops/action-gh-release@v2.6.1
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           draft: true
           name: "Echidna ${{ needs.nixBuild.outputs.version }}"