Merge remote-tracking branch 'origin/develop' into dx-3050-chip-fanout-router

Author: Tofel

.changeset/aptos-local-cre-support.md

@@ -0,0 +1,7 @@
+---
+"chainlink": patch
+---
+
+#internal
+
+Add Aptos local CRE read/write support, including Capabilities Registry OCR config for Aptos write and CI coverage for the Aptos write roundtrip and expected-failure scenarios.

.github/workflows/cre-system-tests.yaml

@@ -75,6 +75,9 @@ jobs:
 
           # Add list of tests with certain topologies
           PER_TEST_TOPOLOGIES_JSON=${PER_TEST_TOPOLOGIES_JSON:-'{
+            "Test_CRE_V2_Aptos_Suite": [
+               {"topology":"workflow-gateway-aptos","configs":"configs/workflow-gateway-don-aptos.toml"}
+             ],
             "Test_CRE_V2_Solana_Suite": [
                {"topology":"workflow","configs":"configs/workflow-don-solana.toml"}
              ],
@@ -213,6 +216,35 @@ jobs:
           chmod +x bin/ctf
           echo "::endgroup::"
 
+      - name: Install Aptos CLI
+        if: ${{ matrix.tests.test_name == 'Test_CRE_V2_Aptos_Suite' }}
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APTOS_CLI_TAG: "aptos-cli-v7.8.0"
+        run: |
+          echo "::startgroup::Install Aptos CLI"
+          bin_dir="$HOME/.local/bin"
+          mkdir -p "$bin_dir"
+
+          gh release download "${APTOS_CLI_TAG}" \
+            --pattern "aptos-cli-*-Ubuntu-24.04-x86_64.zip" \
+            --clobber \
+            --repo aptos-labs/aptos-core \
+            -O aptos-cli.zip
+
+          unzip -o aptos-cli.zip -d aptos-cli-extract >/dev/null
+          aptos_path="$(find aptos-cli-extract -type f -name aptos | head -n1)"
+          if [[ -z "$aptos_path" ]]; then
+            echo "failed to locate aptos binary in release archive"
+            exit 1
+          fi
+
+          install -m 0755 "$aptos_path" "$bin_dir/aptos"
+          echo "$bin_dir" >> "$GITHUB_PATH"
+          "$bin_dir/aptos" --version
+          echo "::endgroup::"
+
       - name: Start local CRE${{ matrix.tests.cre_version }}
         shell: bash
         id: start-local-cre

.github/workflows/integration-tests.yml

@@ -624,8 +624,10 @@ jobs:
     steps:
       - name: Check Core test results
         id: check_core_results
+        env:
+          TEST_RESULTS: ${{ needs.run-core-e2e-tests.outputs.test_results }}
         run: |
-          results='${{ needs.run-core-e2e-tests.outputs.test_results }}'
+          results="$TEST_RESULTS"
           echo "Core e2e test results:"
           echo "$results" | jq .
 
@@ -634,9 +636,12 @@ jobs:
 
       - name: Check CCIP test results
         id: check_ccip_results
+        env:
+          JOB_RESULT: ${{ needs.run-ccip-e2e-tests.result }}
+          TEST_RESULTS: ${{ needs.run-ccip-e2e-tests.outputs.test_results }}
         run: |
-          if [[ '${{ needs.run-ccip-e2e-tests.result }}' != 'skipped' ]]; then
-            results='${{ needs.run-ccip-e2e-tests.outputs.test_results }}'
+          if [[ "$JOB_RESULT" != "skipped" ]]; then
+            results="$TEST_RESULTS"
             echo "CCIP test results:"
             echo "$results" | jq .
           else
@@ -646,64 +651,75 @@ jobs:
       - name: Fail the job if core tests were not successful
         if: always()
         env:
-          RESULT: ${{ needs.run-core-e2e-tests.result }}
+          JOB_RESULT: ${{ needs.run-core-e2e-tests.result }}
         run: |
-          if [[ "${RESULT}" == "failure" ]]; then
+          if [[ "${JOB_RESULT}" == "failure" ]]; then
             echo "::error::Core E2E tests failed."
             exit 1
-          elif [[ "${RESULT}" == "cancelled" ]]; then
+          elif [[ "${JOB_RESULT}" == "cancelled" ]]; then
             echo "::error::Core E2E tests were cancelled."
             exit 1
-          elif [[ "${RESULT}" == "skipped" ]]; then
+          elif [[ "${JOB_RESULT}" == "skipped" ]]; then
             echo "::warning::Core E2E tests were skipped."
           fi
 
       - name: Fail the job if core CRE tests were not successful
         if: always()
         env:
-          RESULT: ${{ needs.run-core-cre-e2e-tests.result }}
+          JOB_RESULT: ${{ needs.run-core-cre-e2e-tests.result }}
         run: |
-          if [[ "${RESULT}" == "failure" ]]; then
+          if [[ "${JOB_RESULT}" == "failure" ]]; then
             echo "::error::Core CRE E2E tests failed."
             exit 1
-          elif [[ "${RESULT}" == "cancelled" ]]; then
+          elif [[ "${JOB_RESULT}" == "cancelled" ]]; then
             echo "::error::Core CRE E2E tests were cancelled."
             exit 1
-          elif [[ "${RESULT}" == "skipped" ]]; then
+          elif [[ "${JOB_RESULT}" == "skipped" ]]; then
             echo "::warning::Core CRE E2E tests were skipped."
           fi
 
       - name: Fail the job if core CRE regression tests were not successful
         if: always()
         env:
-          RESULT: ${{ needs.run-core-cre-e2e-regression-tests.result }}
+          JOB_RESULT: ${{ needs.run-core-cre-e2e-regression-tests.result }}
         run: |
-          if [[ "${RESULT}" == "failure" ]]; then
+          if [[ "${JOB_RESULT}" == "failure" ]]; then
             echo "::error::Core CRE E2E regression tests failed."
             exit 1
-          elif [[ "${RESULT}" == "cancelled" ]]; then
+          elif [[ "${JOB_RESULT}" == "cancelled" ]]; then
             echo "::error::Core CRE E2E regression tests were cancelled."
             exit 1
-          elif [[ "${RESULT}" == "skipped" ]]; then
+          elif [[ "${JOB_RESULT}" == "skipped" ]]; then
             echo "::warning::Core CRE E2E regression tests were skipped."
           fi
 
       - name: Warn if CCIP tests were not successful
         if: always()
         env:
-          RESULT: ${{ needs.run-ccip-e2e-tests.result }}
+          JOB_RESULT: ${{ needs.run-ccip-e2e-tests.result }}
         run: |
-          if [[ "${RESULT}" == "failure" ]]; then
+          if [[ "${JOB_RESULT}" == "failure" ]]; then
             echo "::warning::CCIP E2E tests failed in one of the runs. Not failing as they are not mandatory."
-          elif [[ "${RESULT}" == "cancelled" ]]; then
+          elif [[ "${JOB_RESULT}" == "cancelled" ]]; then
             echo "::warning::CCIP E2E tests were cancelled."
-          elif [[ "${RESULT}" == "skipped" ]]; then
+          elif [[ "${JOB_RESULT}" == "skipped" ]]; then
             echo "::warning::CCIP E2E tests were skipped."
           fi
 
-      - name: Fail the job if Chainlink image wasn't built
-        if: always() && needs.build-chainlink.result == 'failure'
-        run: exit 1
+      - name: Fail the job if Chainlink image was cancelled or failed to build
+        if: always()
+        env:
+          JOB_RESULT: ${{ needs.build-chainlink.result }}
+        run: |
+          if [[ "${JOB_RESULT}" == "failure" ]]; then
+            echo "::error::Chainlink image build failed."
+            exit 1
+          elif [[ "${JOB_RESULT}" == "cancelled" ]]; then
+            echo "::error::Chainlink image build was cancelled."
+            exit 1
+          elif [[ "${JOB_RESULT}" == "skipped" ]]; then
+            echo "::warning::Chainlink image build was skipped."
+          fi
 
   show-chainlink-node-coverage:
     name: Show Chainlink Node Go Coverage

core/capabilities/vault/validator.go

@@ -7,13 +7,13 @@ import (
 	"fmt"
 	"strconv"
 
-	"github.com/ethereum/go-ethereum/common"
 	"github.com/smartcontractkit/tdh2/go/tdh2/tdh2easy"
 
 	vaultcommon "github.com/smartcontractkit/chainlink-common/pkg/capabilities/actions/vault"
 	pkgconfig "github.com/smartcontractkit/chainlink-common/pkg/config"
 	"github.com/smartcontractkit/chainlink-common/pkg/settings/limits"
 	"github.com/smartcontractkit/chainlink/v2/core/capabilities/vault/vaulttypes"
+	"github.com/smartcontractkit/chainlink/v2/core/capabilities/vault/vaultutils"
 )
 
 type RequestValidator struct {
@@ -65,7 +65,7 @@ func (r *RequestValidator) validateWriteRequest(publicKey *tdh2easy.PublicKey, i
 		if err := r.validateCiphertextSize(req.EncryptedValue); err != nil {
 			return fmt.Errorf("secret encrypted value at index %d is invalid: %w", idx, err)
 		}
-		err := EnsureRightLabelOnSecret(publicKey, req.EncryptedValue, req.Id.Owner)
+		err := EnsureRightLabelOnSecret(publicKey, req.EncryptedValue, req.Id.Owner, "")
 		if err != nil {
 			return errors.New("Encrypted Secret at index [" + strconv.Itoa(idx) + "] doesn't have owner as the label. Error: " + err.Error())
 		}
@@ -159,27 +159,40 @@ func NewRequestValidator(
 	}
 }
 
-func EnsureRightLabelOnSecret(publicKey *tdh2easy.PublicKey, secret, owner string) error {
+// EnsureRightLabelOnSecret verifies that the TDH2 ciphertext label matches either the
+// workflowOwner (Ethereum address, left-padded) or the orgID (SHA256 hash). Either
+// parameter can be empty to skip that check. The function succeeds if the label matches
+// at least one non-empty owner.
+func EnsureRightLabelOnSecret(publicKey *tdh2easy.PublicKey, secret string, workflowOwner string, orgID string) error {
 	cipherText := &tdh2easy.Ciphertext{}
 	cipherBytes, err := hex.DecodeString(secret)
 	if err != nil {
 		return errors.New("failed to decode encrypted value:" + err.Error())
 	}
 	if publicKey == nil {
-		// Public key can be nil if gateway cache isn't populated yet(immediately after gateway reboots)
-		// Ok to not validate in such cases, since this validation also runs on Vault Nodes
+		// Public key can be nil if gateway cache isn't populated yet (immediately after gateway reboots).
+		// Ok to not validate in such cases, since this validation also runs on Vault Nodes.
 		return nil
 	}
 	err = cipherText.UnmarshalVerify(cipherBytes, publicKey)
 	if err != nil {
 		return errors.New("failed to verify encrypted value:" + err.Error())
 	}
 	secretLabel := cipherText.Label()
-	ownerAddr := common.HexToAddress(owner)
-	var ownerLabel [32]byte
-	copy(ownerLabel[12:], ownerAddr.Bytes()) // left-pad with 12 zero
-	if secretLabel != ownerLabel {
-		return errors.New("secret label [" + hex.EncodeToString(secretLabel[:]) + "] does not match owner label [" + hex.EncodeToString(ownerLabel[:]) + "]")
+
+	if workflowOwner != "" {
+		expected := vaultutils.WorkflowOwnerToLabel(workflowOwner)
+		if secretLabel == expected {
+			return nil
+		}
 	}
-	return nil
+
+	if orgID != "" {
+		expected := vaultutils.OrgIDToLabel(orgID)
+		if secretLabel == expected {
+			return nil
+		}
+	}
+
+	return errors.New("secret label [" + hex.EncodeToString(secretLabel[:]) + "] does not match any of the provided owner labels")
 }