ci(contracts): enable latest artifact fallback logic (#18310)

aliersh · web-flow · commit 5b9658455301 · 2025-11-18T21:44:17.000Z
* ci(contracts): enable latest artifact fallback logic

- add --fallback-to-latest flag to pull-artifacts.sh
- enable fallback forcontracts tests, coverage, and upgrade jobs in ci config
- extract download_and_extract helper function in pull-artifacts.sh
- add path traversal protection with --exclude='*../*' flag to tar commands

* test: trigger artifact fallback by modifying test file

* fix(scripts): address bots security concerns in pull-artifacts.sh

- add secure curl flags (--fail, --location, --connect-timeout, --max-time, --tlsv1.2) to prevent hangs and enforce TLS
- update path traversal exclusion pattern from '*../*' to '*..*' to block all paths containing '..' anywhere
- revert test comment change used for CI testing
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -933,8 +933,8 @@ jobs:
           command: forge --version
           working_directory: packages/contracts-bedrock
       - run:
-          name: Pull artifacts
-          command: bash scripts/ops/pull-artifacts.sh
+          name: Pull artifacts with latest fallback
+          command: bash scripts/ops/pull-artifacts.sh --fallback-to-latest
           working_directory: packages/contracts-bedrock
       - go-restore-cache:
           namespace: packages/contracts-bedrock/scripts/go-ffi
@@ -1103,8 +1103,8 @@ jobs:
           command: forge --version
           working_directory: packages/contracts-bedrock
       - run:
-          name: Pull artifacts
-          command: bash scripts/ops/pull-artifacts.sh
+          name: Pull artifacts with latest fallback
+          command: bash scripts/ops/pull-artifacts.sh --fallback-to-latest
           working_directory: packages/contracts-bedrock
       - run:
           name: Install lcov
@@ -1200,8 +1200,8 @@ jobs:
           command: forge --version
           working_directory: packages/contracts-bedrock
       - run:
-          name: Pull artifacts
-          command: bash scripts/ops/pull-artifacts.sh
+          name: Pull artifacts with latest fallback
+          command: bash scripts/ops/pull-artifacts.sh --fallback-to-latest
           working_directory: packages/contracts-bedrock
       - run:
           name: Write pinned block number for cache key
diff --git a/packages/contracts-bedrock/scripts/ops/pull-artifacts.sh b/packages/contracts-bedrock/scripts/ops/pull-artifacts.sh
@@ -16,11 +16,45 @@ echoerr() {
   echo "$@" 1>&2
 }
 
+download_and_extract() {
+  local archive_name=$1
+
+  echoerr "> Downloading..."
+  curl --fail --location --connect-timeout 30 --max-time 300 --tlsv1.2 -o "$archive_name" "https://storage.googleapis.com/oplabs-contract-artifacts/$archive_name"
+  echoerr "> Done."
+
+  echoerr "> Cleaning up existing artifacts..."
+  rm -rf artifacts
+  rm -rf forge-artifacts
+  rm -rf cache
+  echoerr "> Done."
+
+  echoerr "> Extracting artifacts..."
+  if [[ "$archive_name" == *.tar.zst ]]; then
+    zstd -dc "$archive_name" | tar -xf - --exclude='*..*'
+  else
+    tar -xzvf "$archive_name" --exclude='*..*'
+  fi
+  echoerr "> Done."
+
+  echoerr "> Cleaning up."
+  rm "$archive_name"
+  echoerr "> Done."
+  exit 0
+}
+
 # Check for help flag
 if [ "${1:-}" = "--help" ] || [ "${1:-}" = "-h" ]; then
   usage
 fi
 
+# Check for fallback-to-latest flag
+USE_LATEST_FALLBACK=false
+if [ "${1:-}" = "--fallback-to-latest" ]; then
+  USE_LATEST_FALLBACK=true
+  echoerr "> Fallback to latest enabled"
+fi
+
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 CONTRACTS_DIR="$SCRIPT_DIR/../.."
 
@@ -41,57 +75,43 @@ echoerr "> Checking for existing artifacts..."
 if [ "$HAS_ZSTD" = true ]; then
   archive_name_zst="artifacts-v1-$checksum.tar.zst"
   exists_zst=$(curl -s -o /dev/null --fail -LI "https://storage.googleapis.com/oplabs-contract-artifacts/$archive_name_zst" || echo "fail")
-  
+
   if [ "$exists_zst" != "fail" ]; then
-    echoerr "> Found .tar.zst artifacts. Downloading..."
-    curl -o "$archive_name_zst" "https://storage.googleapis.com/oplabs-contract-artifacts/$archive_name_zst"
-    echoerr "> Done."
-    
-    echoerr "> Cleaning up existing artifacts..."
-    rm -rf artifacts
-    rm -rf forge-artifacts
-    rm -rf cache
-    echoerr "> Done."
-    
-    echoerr "> Extracting existing artifacts..."
-    zstd -dc "$archive_name_zst" | tar -xf -
-    echoerr "> Done."
-    
-    echoerr "> Cleaning up."
-    rm "$archive_name_zst"
-    echoerr "> Done."
-    exit 0
+    download_and_extract "$archive_name_zst"
+  fi
+
+  # Try latest fallback if enabled
+  if [ "$USE_LATEST_FALLBACK" = true ]; then
+    echoerr "> Exact checksum not found, trying latest artifacts..."
+    archive_name_zst="artifacts-v1-latest.tar.zst"
+    exists_latest_zst=$(curl -s -o /dev/null --fail -LI "https://storage.googleapis.com/oplabs-contract-artifacts/$archive_name_zst" || echo "fail")
+
+    if [ "$exists_latest_zst" != "fail" ]; then
+      download_and_extract "$archive_name_zst"
+    fi
   fi
 fi
 
 archive_name_gz="artifacts-v1-$checksum.tar.gz"
 exists_gz=$(curl -s -o /dev/null --fail -LI "https://storage.googleapis.com/oplabs-contract-artifacts/$archive_name_gz" || echo "fail")
 
 if [ "$exists_gz" == "fail" ]; then
-  echoerr "> No existing artifacts found, exiting."
-  exit 0
-fi
-
-if [ "$HAS_ZSTD" = true ]; then
-  echoerr "> Only .tar.gz artifacts available (zstd format not found)."
-else
-  echoerr "> Found .tar.gz artifacts (zstd not available)."
+  # Try latest fallback if enabled
+  if [ "$USE_LATEST_FALLBACK" = true ]; then
+    echoerr "> Exact checksum not found, trying latest artifacts..."
+    archive_name_gz="artifacts-v1-latest.tar.gz"
+    exists_latest_gz=$(curl -s -o /dev/null --fail -LI "https://storage.googleapis.com/oplabs-contract-artifacts/$archive_name_gz" || echo "fail")
+
+    if [ "$exists_latest_gz" == "fail" ]; then
+      echoerr "> No existing artifacts found (including latest), exiting."
+      exit 0
+    fi
+
+    echoerr "> Found latest .tar.gz artifacts."
+  else
+    echoerr "> No existing artifacts found, exiting."
+    exit 0
+  fi
 fi
 
-echoerr "> Cleaning up existing artifacts..."
-rm -rf artifacts
-rm -rf forge-artifacts
-rm -rf cache
-echoerr "> Done."
-
-echoerr "> Downloading artifacts..."
-curl -o "$archive_name_gz" "https://storage.googleapis.com/oplabs-contract-artifacts/$archive_name_gz"
-echoerr "> Done."
-
-echoerr "> Extracting existing artifacts..."
-tar -xzvf "$archive_name_gz"
-echoerr "> Done."
-
-echoerr "> Cleaning up."
-rm "$archive_name_gz"
-echoerr "> Done."
+download_and_extract "$archive_name_gz"
