add changeset for secrets commands

Author: anirudhwarrier

cmd/client/workflow_registry_v2_client.go

@@ -678,42 +678,38 @@ func (wrc *WorkflowRegistryV2Client) IsRequestAllowlisted(owner common.Address,
 
 // AllowlistRequest sends the request digest to the WorkflowRegistry allowlist with a default expiry of now + 10 minutes.
 // `requestDigestHex` should be the hex string produced by utils.CalculateRequestDigest(...), with or without "0x".
-func (wrc *WorkflowRegistryV2Client) AllowlistRequest(requestDigest [32]byte, duration time.Duration) error {
+func (wrc *WorkflowRegistryV2Client) AllowlistRequest(requestDigest [32]byte, duration time.Duration) (*TxOutput, error) {
 	var contract workflowRegistryV2Contract
 	if wrc.Wr != nil {
 		contract = wrc.Wr
 	} else {
 		c, err := workflow_registry_v2_wrapper.NewWorkflowRegistry(wrc.ContractAddress, wrc.EthClient.Client)
 		if err != nil {
 			wrc.Logger.Error().Err(err).Msg("Failed to connect for AllowlistRequest")
-			return err
+			return nil, err
 		}
 		contract = c
 	}
 
 	// #nosec G115 -- int64 to uint32 conversion; Unix() returns seconds since epoch, which fits in uint32 until 2106
 	deadline := uint32(time.Now().Add(duration).Unix())
 
-	// Send tx; keep the same "callContractMethodV2" pattern you used for read-only calls.
-	// Here we return the tx hash string to the helper (it may log/track it).
-	_, err := callContractMethodV2(wrc, func() (string, error) {
-		tx, txErr := contract.AllowlistRequest(wrc.EthClient.NewTXOpts(), requestDigest, deadline)
-		if txErr != nil {
-			return "", txErr
-		}
-		// Return the tx hash string for visibility through the helper
-		return tx.Hash().Hex(), nil
-	})
+	txFn := func(opts *bind.TransactOpts) (*types.Transaction, error) {
+		return contract.AllowlistRequest(opts, requestDigest, deadline)
+	}
+	txOut, err := wrc.executeTransactionByTxType(txFn, "AllowlistRequest", "RequestAllowlisted", requestDigest, duration)
 	if err != nil {
-		wrc.Logger.Error().Err(err).Msg("AllowlistRequest tx failed")
-		return err
+		wrc.Logger.Error().
+			Str("contract", wrc.ContractAddress.Hex()).
+			Err(err).
+			Msg("Failed to call AllowlistRequest")
+		return nil, err
 	}
-
 	wrc.Logger.Debug().
 		Str("digest", hex.EncodeToString(requestDigest[:])).
 		Str("deadline", time.Unix(int64(deadline), 0).UTC().Format(time.RFC3339)).
 		Msg("AllowlistRequest submitted")
-	return nil
+	return &txOut, nil
 }
 
 func callContractMethodV2[T any](wrc *WorkflowRegistryV2Client, contractMethod func() (T, error)) (T, error) {

cmd/secrets/common/handler.go

@@ -25,15 +25,19 @@ import (
 	"github.com/smartcontractkit/chainlink-common/pkg/capabilities/actions/vault"
 	"github.com/smartcontractkit/chainlink-common/pkg/jsonrpc2"
 	"github.com/smartcontractkit/chainlink-evm/gethwrappers/workflow/generated/workflow_registry_wrapper_v2"
+	"github.com/smartcontractkit/chainlink/deployment/cre/workflow_registry/v2/changeset"
 	"github.com/smartcontractkit/chainlink/v2/core/capabilities/vault/vaulttypes"
 	"github.com/smartcontractkit/tdh2/go/tdh2/tdh2easy"
 
 	"github.com/smartcontractkit/cre-cli/cmd/client"
+	cmdCommon "github.com/smartcontractkit/cre-cli/cmd/common"
 	"github.com/smartcontractkit/cre-cli/internal/client/graphqlclient"
 	"github.com/smartcontractkit/cre-cli/internal/constants"
 	"github.com/smartcontractkit/cre-cli/internal/credentials"
 	"github.com/smartcontractkit/cre-cli/internal/environments"
 	"github.com/smartcontractkit/cre-cli/internal/runtime"
+	"github.com/smartcontractkit/cre-cli/internal/settings"
+	"github.com/smartcontractkit/cre-cli/internal/types"
 	"github.com/smartcontractkit/cre-cli/internal/validation"
 )
 
@@ -61,6 +65,7 @@ type Handler struct {
 	Gw              GatewayClient
 	Wrc             *client.WorkflowRegistryV2Client
 	Credentials     *credentials.Credentials
+	Settings        *settings.Settings
 }
 
 // NewHandler creates a new handler instance.
@@ -85,6 +90,7 @@ func NewHandler(ctx *runtime.Context, secretsFilePath string) (*Handler, error)
 		OwnerAddress:    ctx.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerAddress,
 		EnvironmentSet:  ctx.EnvironmentSet,
 		Credentials:     ctx.Credentials,
+		Settings:        ctx.Settings,
 	}
 	h.Gw = &HTTPClient{URL: h.EnvironmentSet.GatewayURL, Client: &http.Client{Timeout: 90 * time.Second}}
 
@@ -173,7 +179,6 @@ func (h *Handler) ValidateInputs(inputs UpsertSecretsInputs) error {
 }
 
 // TODO: use TxType interface
-// TODO: implement changeset handling
 func (h *Handler) PackAllowlistRequestTxData(reqDigest [32]byte, duration time.Duration) (string, error) {
 	contractABI, err := abi.JSON(strings.NewReader(workflow_registry_wrapper_v2.WorkflowRegistryMetaData.ABI))
 	if err != nil {
@@ -404,19 +409,54 @@ func (h *Handler) Execute(
 		return fmt.Errorf("unsupported method %q (expected %q or %q)", method, vaulttypes.MethodSecretsCreate, vaulttypes.MethodSecretsUpdate)
 	}
 
-	// MSIG step 1: write bundle & exit
-	if ownerType == constants.WorkflowOwnerTypeMSIG {
-		baseDir := filepath.Dir(h.SecretsFilePath)
-		filename := DeriveBundleFilename(digest) // <digest>.json
-		bundlePath := filepath.Join(baseDir, filename)
+	ownerAddr := common.HexToAddress(h.OwnerAddress)
+
+	allowlisted, err := h.Wrc.IsRequestAllowlisted(ownerAddr, digest)
+	if err != nil {
+		return fmt.Errorf("allowlist check failed: %w", err)
+	}
+	var txOut *client.TxOutput
+	if !allowlisted {
+		if txOut, err = h.Wrc.AllowlistRequest(digest, duration); err != nil {
+			return fmt.Errorf("allowlist request failed: %w", err)
+		}
+	}
 
-		ub := &UnsignedBundle{
-			RequestID:   requestID,
-			Method:      method,
-			DigestHex:   "0x" + hex.EncodeToString(digest[:]),
-			RequestBody: requestBody,
-			CreatedAt:   time.Now().UTC(),
+	gatewayPost := func() error {
+		respBody, status, err := h.Gw.Post(requestBody)
+		if err != nil {
+			return err
+		}
+		if status != http.StatusOK {
+			return fmt.Errorf("gateway returned a non-200 status code: %d", status)
 		}
+		return h.ParseVaultGatewayResponse(method, respBody)
+	}
+
+	if txOut == nil && allowlisted {
+		fmt.Printf("Digest already allowlisted; proceeding to gateway POST: owner=%s, digest=0x%x\n", ownerAddr.Hex(), digest)
+		return gatewayPost()
+	}
+
+	baseDir := filepath.Dir(h.SecretsFilePath)
+	filename := DeriveBundleFilename(digest) // <digest>.json
+	bundlePath := filepath.Join(baseDir, filename)
+
+	ub := &UnsignedBundle{
+		RequestID:   requestID,
+		Method:      method,
+		DigestHex:   "0x" + hex.EncodeToString(digest[:]),
+		RequestBody: requestBody,
+		CreatedAt:   time.Now().UTC(),
+	}
+
+	switch txOut.Type {
+	case client.Regular:
+		fmt.Println("Transaction confirmed")
+		fmt.Printf("Digest allowlisted; proceeding to gateway POST: owner=%s, digest=0x%x\n", ownerAddr.Hex(), digest)
+		fmt.Printf("View on explorer: \033]8;;%s/tx/%s\033\\%s/tx/%s\033]8;;\033\\\n", h.EnvironmentSet.WorkflowRegistryChainExplorerURL, txOut.Hash, h.EnvironmentSet.WorkflowRegistryChainExplorerURL, txOut.Hash)
+		return gatewayPost()
+	case client.Raw:
 		if err := SaveBundle(bundlePath, ub); err != nil {
 			return fmt.Errorf("failed to save unsigned bundle at %s: %w", bundlePath, err)
 		}
@@ -426,32 +466,45 @@ func (h *Handler) Execute(
 			return fmt.Errorf("failed to pack allowlist tx: %w", err)
 		}
 		return h.LogMSIGNextSteps(txData, digest, bundlePath)
-	}
+	case client.Changeset:
+		chainSelector, err := settings.GetChainSelectorByChainName(h.EnvironmentSet.WorkflowRegistryChainName)
+		if err != nil {
+			return fmt.Errorf("failed to get chain selector for chain %q: %w", h.EnvironmentSet.WorkflowRegistryChainName, err)
+		}
+		mcmsConfig, err := settings.GetMCMSConfig(h.Settings, chainSelector)
+		if err != nil {
+			fmt.Println("\nMCMS config not found or is incorrect, skipping MCMS config in changeset")
+		}
+		csFile := types.ChangesetFile{
+			Environment: h.Settings.Workflow.CLDSettings.Environment,
+			Domain:      h.Settings.Workflow.CLDSettings.Domain,
+			Changesets: []types.Changeset{
+				{
+					AllowlistRequest: &types.AllowlistRequest{
+						Payload: changeset.UserAllowlistRequestInput{
+							ExpiryTimestamp:           uint32(time.Now().Add(duration).Unix()), // #nosec G115 -- int64 to uint32 conversion; Unix() returns seconds since epoch, which fits in uint32 until 2106
+							RequestDigest:             common.Bytes2Hex(digest[:]),
+							ChainSelector:             chainSelector,
+							MCMSConfig:                mcmsConfig,
+							WorkflowRegistryQualifier: h.Settings.Workflow.CLDSettings.WorkflowRegistryQualifier,
+						},
+					},
+				},
+			},
+		}
 
-	// EOA: allowlist (if needed) and POST
-	ownerAddr := common.HexToAddress(h.OwnerAddress)
+		fileName := fmt.Sprintf("AllowlistRequest_%s_%s_%s.yaml", requestID, h.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerAddress, time.Now().Format("20060102_150405"))
 
-	allowlisted, err := h.Wrc.IsRequestAllowlisted(ownerAddr, digest)
-	if err != nil {
-		return fmt.Errorf("allowlist check failed: %w", err)
-	}
-	if !allowlisted {
-		if err := h.Wrc.AllowlistRequest(digest, duration); err != nil {
-			return fmt.Errorf("allowlist request failed: %w", err)
+		if err := SaveBundle(bundlePath, ub); err != nil {
+			return fmt.Errorf("failed to save unsigned bundle at %s: %w", bundlePath, err)
 		}
-		fmt.Printf("Digest allowlisted; proceeding to gateway POST: owner=%s, digest=0x%x\n", ownerAddr.Hex(), digest)
-	} else {
-		fmt.Printf("Digest already allowlisted; proceeding to gateway POST: owner=%s, digest=0x%x\n", ownerAddr.Hex(), digest)
-	}
 
-	respBody, status, err := h.Gw.Post(requestBody)
-	if err != nil {
-		return err
-	}
-	if status != http.StatusOK {
-		return fmt.Errorf("gateway returned a non-200 status code: %d", status)
+		return cmdCommon.WriteChangesetFile(fileName, &csFile, h.Settings)
+
+	default:
+		h.Log.Warn().Msgf("Unsupported transaction type: %s", txOut.Type)
 	}
-	return h.ParseVaultGatewayResponse(method, respBody)
+	return nil
 }
 
 // ParseVaultGatewayResponse parses the JSON-RPC response, decodes the SignedOCRResponse payload

cmd/secrets/delete/delete.go

@@ -18,12 +18,16 @@ import (
 
 	"github.com/smartcontractkit/chainlink-common/pkg/capabilities/actions/vault"
 	"github.com/smartcontractkit/chainlink-common/pkg/jsonrpc2"
+	"github.com/smartcontractkit/chainlink/deployment/cre/workflow_registry/v2/changeset"
 	"github.com/smartcontractkit/chainlink/v2/core/capabilities/vault/vaulttypes"
 
+	"github.com/smartcontractkit/cre-cli/cmd/client"
+	cmdCommon "github.com/smartcontractkit/cre-cli/cmd/common"
 	"github.com/smartcontractkit/cre-cli/cmd/secrets/common"
 	"github.com/smartcontractkit/cre-cli/internal/constants"
 	"github.com/smartcontractkit/cre-cli/internal/runtime"
 	"github.com/smartcontractkit/cre-cli/internal/settings"
+	"github.com/smartcontractkit/cre-cli/internal/types"
 	"github.com/smartcontractkit/cre-cli/internal/validation"
 )
 
@@ -144,44 +148,101 @@ func Execute(h *common.Handler, inputs DeleteSecretsInputs, duration time.Durati
 		return fmt.Errorf("failed to calculate request digest: %w", err)
 	}
 
-	// ---------------- MSIG step 1: bundle and exit ----------------
-	if ownerType == constants.WorkflowOwnerTypeMSIG {
-		baseDir := filepath.Dir(h.SecretsFilePath)
-		filename := common.DeriveBundleFilename(digest) // <digest>.json
-		bundlePath := filepath.Join(baseDir, filename)
-
-		ub := &common.UnsignedBundle{
-			RequestID:   requestID,
-			Method:      vaulttypes.MethodSecretsDelete,
-			DigestHex:   "0x" + hex.EncodeToString(digest[:]),
-			RequestBody: requestBody,
-			CreatedAt:   time.Now().UTC(),
-		}
-		if err := common.SaveBundle(bundlePath, ub); err != nil {
-			return fmt.Errorf("failed to save unsigned bundle at %s: %w", bundlePath, err)
-		}
-
-		txData, err := h.PackAllowlistRequestTxData(digest, duration)
+	gatewayPost := func() error {
+		respBody, status, err := h.Gw.Post(requestBody)
 		if err != nil {
-			return fmt.Errorf("failed to pack allowlist tx: %w", err)
+			return err
 		}
-		return h.LogMSIGNextSteps(txData, digest, bundlePath)
+		if status != http.StatusOK {
+			return fmt.Errorf("gateway returned a non-200 status code: %d", status)
+		}
+		return h.ParseVaultGatewayResponse(vaulttypes.MethodSecretsDelete, respBody)
 	}
 
-	// ---------------- EOA: allowlist (if needed) and POST ----------------
 	ownerAddr := ethcommon.HexToAddress(h.OwnerAddress)
 
 	allowlisted, err := h.Wrc.IsRequestAllowlisted(ownerAddr, digest)
 	if err != nil {
 		return fmt.Errorf("allowlist check failed: %w", err)
 	}
+	var txOut *client.TxOutput
 	if !allowlisted {
-		if err := h.Wrc.AllowlistRequest(digest, duration); err != nil {
+		if txOut, err = h.Wrc.AllowlistRequest(digest, duration); err != nil {
 			return fmt.Errorf("allowlist request failed: %w", err)
 		}
-		fmt.Printf("Digest allowlisted; proceeding to gateway POST: owner=%s, digest=0x%x\n", ownerAddr.Hex(), digest)
 	} else {
 		fmt.Printf("Digest already allowlisted; proceeding to gateway POST: owner=%s, digest=0x%x\n", ownerAddr.Hex(), digest)
+		return gatewayPost()
+	}
+
+	baseDir := filepath.Dir(h.SecretsFilePath)
+	filename := common.DeriveBundleFilename(digest) // <digest>.json
+	bundlePath := filepath.Join(baseDir, filename)
+
+	ub := &common.UnsignedBundle{
+		RequestID:   requestID,
+		Method:      vaulttypes.MethodSecretsDelete,
+		DigestHex:   "0x" + hex.EncodeToString(digest[:]),
+		RequestBody: requestBody,
+		CreatedAt:   time.Now().UTC(),
+	}
+
+	switch txOut.Type {
+	case client.Regular:
+		fmt.Println("Transaction confirmed")
+		fmt.Printf("Digest allowlisted; proceeding to gateway POST: owner=%s, digest=0x%x\n", ownerAddr.Hex(), digest)
+		fmt.Printf("View on explorer: \033]8;;%s/tx/%s\033\\%s/tx/%s\033]8;;\033\\\n", h.EnvironmentSet.WorkflowRegistryChainExplorerURL, txOut.Hash, h.EnvironmentSet.WorkflowRegistryChainExplorerURL, txOut.Hash)
+		return gatewayPost()
+	case client.Raw:
+
+		if err := common.SaveBundle(bundlePath, ub); err != nil {
+			return fmt.Errorf("failed to save unsigned bundle at %s: %w", bundlePath, err)
+		}
+
+		txData, err := h.PackAllowlistRequestTxData(digest, duration)
+		if err != nil {
+			return fmt.Errorf("failed to pack allowlist tx: %w", err)
+		}
+		return h.LogMSIGNextSteps(txData, digest, bundlePath)
+
+	case client.Changeset:
+		chainSelector, err := settings.GetChainSelectorByChainName(h.EnvironmentSet.WorkflowRegistryChainName)
+		if err != nil {
+			return fmt.Errorf("failed to get chain selector for chain %q: %w", h.EnvironmentSet.WorkflowRegistryChainName, err)
+		}
+		mcmsConfig, err := settings.GetMCMSConfig(h.Settings, chainSelector)
+		if err != nil {
+			fmt.Println("\nMCMS config not found or is incorrect, skipping MCMS config in changeset")
+		}
+		csFile := types.ChangesetFile{
+			Environment: h.Settings.Workflow.CLDSettings.Environment,
+			Domain:      h.Settings.Workflow.CLDSettings.Domain,
+			Changesets: []types.Changeset{
+				{
+					AllowlistRequest: &types.AllowlistRequest{
+						Payload: changeset.UserAllowlistRequestInput{
+							ExpiryTimestamp:           uint32(time.Now().Add(duration).Unix()), // #nosec G115 -- int64 to uint32 conversion; Unix() returns seconds since epoch, which fits in uint32 until 2106
+							RequestDigest:             ethcommon.Bytes2Hex(digest[:]),
+							ChainSelector:             chainSelector,
+							MCMSConfig:                mcmsConfig,
+							WorkflowRegistryQualifier: h.Settings.Workflow.CLDSettings.WorkflowRegistryQualifier,
+						},
+					},
+				},
+			},
+		}
+
+		fileName := fmt.Sprintf("AllowlistRequest_%s_%s_%s.yaml", requestID, h.Settings.Workflow.UserWorkflowSettings.WorkflowOwnerAddress, time.Now().Format("20060102_150405"))
+
+		if err := common.SaveBundle(bundlePath, ub); err != nil {
+			return fmt.Errorf("failed to save unsigned bundle at %s: %w", bundlePath, err)
+		}
+
+		return cmdCommon.WriteChangesetFile(fileName, &csFile, h.Settings)
+
+	default:
+		h.Log.Warn().Msgf("Unsupported transaction type: %s", txOut.Type)
+
 	}
 
 	// POST to gateway (HTTPClient.Post has your retry policy)