refactor: Enhance propose-to-safe-tx job to inherit environment secre… #23
---
# Manually dispatched workflow. The operator picks a pause/unpause operation
# and a target network; dry-run defaults to true, so a Safe proposal has to be
# requested explicitly.
name: Bridge Pause/Unpause via Safe Multisig

on:
  workflow_dispatch:
    inputs:
      # Contract call to prepare; each option maps to one function in the
      # "Prepare transaction calldata" step.
      operation:
        description: "Pause operation to perform"
        required: true
        type: choice
        options:
          - pause-bridge
          - unpause-bridge
          - pause-outbound
          - unpause-outbound
      # Also used as the GitHub environment name and as the key looked up in
      # config/config.json.
      network:
        description: "Network to perform operation on"
        required: true
        type: choice
        options:
          - ethereum
          - arbitrum
          - sepolia
          - arbitrum_sepolia
        default: sepolia
      # Safe default: nothing is proposed unless this is switched off.
      dry-run:
        description: "Dry run mode (only prepare and display transaction, do not propose to Safe)"
        required: false
        type: boolean
        default: true
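jobs:
  # Builds the calldata for the selected pause/unpause call and publishes it,
  # with the Safe and bridge addresses, as job outputs. No secret is read in
  # this job; secrets are only needed when the transaction is proposed.
  prepare-transaction-calldata:
    runs-on: ubuntu-latest
    # Selects the environment whose `vars.SAFE_ADDRESS` is used below.
    environment: ${{ inputs.network }}
    # Least privilege: the job only needs to read the repository.
    permissions:
      contents: read
    outputs:
      transaction-data: ${{ steps.prepare.outputs.transaction-data }}
      safe-address: ${{ steps.prepare.outputs.safe-address }}
      bridge-address: ${{ steps.prepare.outputs.bridge-address }}
    steps:
      # NOTE(review): both actions below are referenced by mutable tags, and
      # `version: stable` floats as well. The calldata that signers later
      # approve is produced by this toolchain, so pin each action to a full
      # commit SHA and consider a fixed Foundry version.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
          # No later step runs git, so do not leave the token in .git/config.
          persist-credentials: false
      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
        with:
          version: stable
          cache: true
      - name: Prepare transaction calldata
        id: prepare
        # Workflow inputs and variables reach the script as environment
        # variables only. Expanding `${{ ... }}` inside `run:` pastes the
        # value into the script text before bash parses it, which is the
        # classic Actions script-injection path.
        env:
          CHAIN: ${{ inputs.network }}
          OPERATION: ${{ inputs.operation }}
          DRY_RUN: ${{ inputs.dry-run }}
          SAFE_ADDRESS: ${{ vars.SAFE_ADDRESS }}
        run: |
          set -euo pipefail

          # Look up the bridge address; --arg keeps CHAIN out of the jq
          # program text.
          BRIDGE_ADDRESS=$(jq -r --arg chain "$CHAIN" \
            '.chains[$chain].iexecLayerZeroBridgeAddress' config/config.json)
          if [ -z "$BRIDGE_ADDRESS" ] || [ "$BRIDGE_ADDRESS" = "null" ]; then
            echo "::error::No iexecLayerZeroBridgeAddress configured for chain '$CHAIN'"
            exit 1
          fi
          if [ -z "${SAFE_ADDRESS:-}" ]; then
            echo "::error::SAFE_ADDRESS variable is not set for environment '$CHAIN'"
            exit 1
          fi
          echo "bridge-address=$BRIDGE_ADDRESS" >> "$GITHUB_OUTPUT"

          # Map the operation to its function signature. An unknown value
          # stops the run instead of emitting empty calldata.
          case "$OPERATION" in
            "pause-bridge")
              FUNCTION_NAME="pause()"
              ;;
            "unpause-bridge")
              FUNCTION_NAME="unpause()"
              ;;
            "pause-outbound")
              FUNCTION_NAME="pauseOutboundTransfers()"
              ;;
            "unpause-outbound")
              FUNCTION_NAME="unpauseOutboundTransfers()"
              ;;
            *)
              echo "::error::Unsupported operation: $OPERATION"
              exit 1
              ;;
          esac
          TRANSACTION_DATA=$(cast calldata "$FUNCTION_NAME")

          echo "transaction-data=$TRANSACTION_DATA" >> "$GITHUB_OUTPUT"
          echo "safe-address=$SAFE_ADDRESS" >> "$GITHUB_OUTPUT"

          # Display transaction details so the operator can compare them with
          # what the Safe UI shows before signing.
          echo "=========================================="
          echo "Transaction Details"
          echo "=========================================="
          echo "Workflow Configuration:"
          echo " • Network: $CHAIN"
          echo " • Operation: $OPERATION"
          echo " • Function: $FUNCTION_NAME"
          echo " • Safe Address: $SAFE_ADDRESS"
          echo " • Dry Run: $DRY_RUN"
          echo ""
          echo "Transaction Details:"
          echo " • Target: $BRIDGE_ADDRESS"
          echo " • Value: 0 ETH"
          echo " • Data: $TRANSACTION_DATA"
          echo ""
          if [ "$DRY_RUN" == "true" ]; then
            echo "✅ DRY RUN MODE: Transaction prepared successfully"
          fi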
| # ✅ NEW: Wrapper job that bridges the environment secrets to the reusable workflow | ||
| propose-to-safe-tx: | ||
| needs: prepare-transaction-calldata | ||
| runs-on: ubuntu-latest | ||
| environment: ${{ inputs.network }} # ✅ This gives access to environment secrets | ||
| steps: | ||
| - name: Call reusable workflow with secrets | ||
| uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/propose-safe-multisig-tx.yml@fix/multisig-rpc-secrets | ||
| with: | ||
| safe-address: ${{ needs.prepare-transaction-calldata.outputs.safe-address }} | ||
| transaction-to: ${{ needs.prepare-transaction-calldata.outputs.bridge-address }} | ||
| transaction-data: ${{ needs.prepare-transaction-calldata.outputs.transaction-data }} | ||
| dry-run: ${{ inputs.dry-run }} | ||
| env: | ||
| RPC_URL: ${{ secrets.RPC_URL }} | ||
| SAFE_PROPOSER_PRIVATE_KEY: ${{ secrets.SAFE_PROPOSER_PRIVATE_KEY }} | ||
| SAFE_API_KEY: ${{ secrets.SAFE_API_KEY }} | ||