From a27aa50e016bf6cb4f1e132c110824f4d2ce8d0d Mon Sep 17 00:00:00 2001 From: Mark Stacey Date: Fri, 20 Dec 2024 00:18:58 -0330 Subject: [PATCH 1/4] chore: Migrate LavaMoat validation to GitHub Actions Migrate LavaMoat policy validation from CircleCI to GitHub actions. No functional changes. Relates to #28572 --- .circleci/config.yml | 60 ------------------- .github/workflows/main.yml | 15 +++++ .../validate-lavamoat-allow-scripts.yml | 25 ++++++++ .../validate-lavamoat-policy-build.yml | 25 ++++++++ .../validate-lavamoat-policy-webapp.yml | 28 +++++++++ 5 files changed, 93 insertions(+), 60 deletions(-) create mode 100644 .github/workflows/validate-lavamoat-allow-scripts.yml create mode 100644 .github/workflows/validate-lavamoat-policy-build.yml create mode 100644 .github/workflows/validate-lavamoat-policy-webapp.yml diff --git a/.circleci/config.yml b/.circleci/config.yml index 552aa3305509..023e0d9eccc2 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -136,18 +136,6 @@ workflows: - test-yarn-dedupe: requires: - prep-deps - - validate-lavamoat-allow-scripts: - requires: - - prep-deps - - validate-lavamoat-policy-build: - requires: - - prep-deps - - validate-lavamoat-policy-webapp: - matrix: - parameters: - build-type: [main, beta, flask, mmi] - requires: - - prep-deps - prep-build-mmi: requires: - prep-deps @@ -292,9 +280,6 @@ workflows: - all-tests-pass: requires: - test-deps-depcheck - - validate-lavamoat-allow-scripts - - validate-lavamoat-policy-build - - validate-lavamoat-policy-webapp - test-lint - test-lint-shellcheck - test-lint-lockfile 
@@ -509,51 +494,6 @@ jobs: at: . - run: yarn tsx .circleci/scripts/validate-locales-only.ts - validate-lavamoat-allow-scripts: - executor: node-browsers-small - steps: - - run: *shallow-git-clone-and-enable-vnc - - run: sudo corepack enable - - attach_workspace: - at: . - - run: - name: Validate allow-scripts config - command: yarn allow-scripts auto - - run: - name: Check working tree - command: .circleci/scripts/check-working-tree.sh - - validate-lavamoat-policy-build: - executor: node-browsers-medium - steps: - - run: *shallow-git-clone-and-enable-vnc - - run: sudo corepack enable - - attach_workspace: - at: . - - run: - name: Validate LavaMoat build policy - command: yarn lavamoat:build:auto - - run: - name: Check working tree - command: .circleci/scripts/check-working-tree.sh - - validate-lavamoat-policy-webapp: - executor: node-browsers-medium-plus - parameters: - build-type: - type: string - steps: - - run: *shallow-git-clone-and-enable-vnc - - run: sudo corepack enable - - attach_workspace: - at: . - - run: - name: Validate LavaMoat << parameters.build-type >> policy - command: yarn lavamoat:webapp:auto:ci '--build-types=<< parameters.build-type >>' - - run: - name: Check working tree - command: .circleci/scripts/check-working-tree.sh - prep-build: executor: node-linux-medium steps: diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c7907455701d..2e1b7b3ce221 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -28,6 +28,18 @@ jobs: run: ${{ steps.download-actionlint.outputs.executable }} -color shell: bash + validate-lavamoat-allow-scripts: + name: Validate lavamoat allow scripts + uses: ./.github/workflows/validate-lavamoat-allow-scripts.yml + + validate-lavamoat-policy-build: + name: Validate lavamoat policy build + uses: ./.github/workflows/validate-lavamoat-policy-build.yml + + validate-lavamoat-policy-webapp: + name: Validate lavamoat policy webapp + uses: ./.github/workflows/validate-lavamoat-policy-webapp.yml + run-tests: name: Run tests uses: ./.github/workflows/run-tests.yml @@ -41,6 +53,9 @@ jobs: runs-on: ubuntu-latest needs: - check-workflows + - validate-lavamoat-allow-scripts + - validate-lavamoat-policy-build + - validate-lavamoat-policy-webapp - run-tests - wait-for-circleci-workflow-status outputs: diff --git a/.github/workflows/validate-lavamoat-allow-scripts.yml b/.github/workflows/validate-lavamoat-allow-scripts.yml new file mode 100644 index 000000000000..637a2d9aeb54 --- /dev/null +++ b/.github/workflows/validate-lavamoat-allow-scripts.yml @@ -0,0 +1,25 @@ +name: Validate lavamoat allow scripts + +on: + workflow_call: + +jobs: + validate-lavamoat-allow-scripts: + name: Validate lavamoat allow scripts + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup environment + uses: metamask/github-tools/.github/actions/setup-environment@main + + - name: Validate allow-scripts config + run: yarn allow-scripts auto + + - name: Check working tree + run: | + if ! git diff --exit-code; then + echo "::error::Working tree dirty." + exit 1 + fi diff --git a/.github/workflows/validate-lavamoat-policy-build.yml b/.github/workflows/validate-lavamoat-policy-build.yml new file mode 100644 index 000000000000..d6b7326c5c4e --- /dev/null +++ b/.github/workflows/validate-lavamoat-policy-build.yml 
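Review bot: The `Check working tree` step closing the new `validate-lavamoat-allow-scripts` job relies on `git diff --exit-code`, which only reports modifications to already-tracked files, so a file that `yarn allow-scripts auto` newly creates (or stages) would pass the gate silently; the CircleCI job it replaces delegated to `.circleci/scripts/check-working-tree.sh`, whose scope is not visible in this diff, so this may be a quiet narrowing of the check. Use a test that also covers untracked and staged paths and still prints what drifted, e.g. `if [ -n "$(git status --porcelain)" ]; then git status --porcelain; git diff; echo "::error::Working tree dirty."; exit 1; fi`. The identical step is copied verbatim into the policy-build and policy-webapp workflows and should be changed in all three, ideally by moving it into a shared composite action rather than maintaining three copies.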
@@ -0,0 +1,25 @@ +name: Validate lavamoat policy build + +on: + workflow_call: + +jobs: + validate-lavamoat-policy-build: + name: Validate lavamoat policy build + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup environment + uses: metamask/github-tools/.github/actions/setup-environment@main + + - name: Validate lavamoat build policy + run: yarn lavamoat:build:auto + + - name: Check working tree + run: | + if ! git diff --exit-code; then + echo "::error::Working tree dirty." + exit 1 + fi diff --git a/.github/workflows/validate-lavamoat-policy-webapp.yml b/.github/workflows/validate-lavamoat-policy-webapp.yml new file mode 100644 index 000000000000..3c31bff0a068 --- /dev/null +++ b/.github/workflows/validate-lavamoat-policy-webapp.yml @@ -0,0 +1,28 @@ +name: Validate lavamoat policy webapp + +on: + workflow_call: + +jobs: + validate-lavamoat-policy-webapp: + name: Validate lavamoat policy webapp + runs-on: ubuntu-latest + strategy: + matrix: + build-type: [main, beta, flask, mmi] + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup environment + uses: metamask/github-tools/.github/actions/setup-environment@main + + - name: Validate lavamoat ${{ matrix.build-type }} policy + run: yarn lavamoat:webapp:auto:ci --build-types=${{ matrix.build-type }} + + - name: Check working tree + run: | + if ! git diff --exit-code; then + echo "::error::Working tree dirty." + exit 1 + fi From bbf4c5e94c0bab27eeb527bcb851e416b8878a1c Mon Sep 17 00:00:00 2001 From: Mark Stacey Date: Fri, 20 Dec 2024 00:39:30 -0330 Subject: [PATCH 2/4] Add mock Infura project ID --- .github/workflows/validate-lavamoat-policy-build.yml | 2 ++ .github/workflows/validate-lavamoat-policy-webapp.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/validate-lavamoat-policy-build.yml b/.github/workflows/validate-lavamoat-policy-build.yml index d6b7326c5c4e..4524cc26a546 100644 
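Review bot: Both steps of the new `validate-lavamoat-policy-build` job reference actions by mutable ref — `actions/checkout@v4` and `metamask/github-tools/.github/actions/setup-environment@main` — so the code that runs in the job gating the LavaMoat build policy can change without any commit to this repository; a force-push to or compromise of `github-tools`' `main` would execute inside the very job meant to guard against supply-chain drift. Pin each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<sha> # v4`, and let Dependabot/Renovate bump the pins. Consider also declaring `permissions: contents: read` at the top of the workflow so the job's `GITHUB_TOKEN` is read-only regardless of the repository default (whether `main.yml` already restricts permissions for its callees is not shown in this diff). The same applies to the allow-scripts and webapp workflows added alongside it.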
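Review bot: The `strategy.matrix` over `build-type` in `validate-lavamoat-policy-webapp` keeps GitHub's default `fail-fast: true`, so the moment one build type's policy is found stale the other three matrix jobs are cancelled and never report, and a contributor fixes one policy per CI round; as far as the removed CircleCI config shows, its `build-type` matrix had no such short-circuit, so this is a behavioural difference despite the "No functional changes" description. Add `fail-fast: false` directly under `strategy:` so all four policies are validated on every run. With the result then visible per build type, the `Check working tree` output is the only thing that tells a reader which policy drifted, so keep it printing the diff.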
--- a/.github/workflows/validate-lavamoat-policy-build.yml +++ b/.github/workflows/validate-lavamoat-policy-build.yml @@ -16,6 +16,8 @@ jobs: - name: Validate lavamoat build policy run: yarn lavamoat:build:auto + env: + INFURA_PROJECT_ID: 00000000000 - name: Check working tree run: | diff --git a/.github/workflows/validate-lavamoat-policy-webapp.yml b/.github/workflows/validate-lavamoat-policy-webapp.yml index 3c31bff0a068..37ff9ede00fc 100644 --- a/.github/workflows/validate-lavamoat-policy-webapp.yml +++ b/.github/workflows/validate-lavamoat-policy-webapp.yml @@ -19,6 +19,8 @@ jobs: - name: Validate lavamoat ${{ matrix.build-type }} policy run: yarn lavamoat:webapp:auto:ci --build-types=${{ matrix.build-type }} + env: + INFURA_PROJECT_ID: 00000000000 - name: Check working tree run: | From c3d99f78c22b969075695d7f891399b0fe0482ca Mon Sep 17 00:00:00 2001 From: HJetpoluru Date: Fri, 20 Dec 2024 11:30:39 -0500 Subject: [PATCH 3/4] Removed dependency --- lavamoat/browserify/flask/policy.json | 8 -------- 1 file changed, 8 deletions(-) diff --git a/lavamoat/browserify/flask/policy.json b/lavamoat/browserify/flask/policy.json index 05a22743204c..31d38efa9a7e 100644 --- a/lavamoat/browserify/flask/policy.json +++ b/lavamoat/browserify/flask/policy.json @@ -13,14 +13,6 @@ "browserify": true } }, - "eth-lattice-keyring>@ethereumjs/tx>@chainsafe/ssz": { - "packages": { - "eth-lattice-keyring>@ethereumjs/tx>@chainsafe/ssz>@chainsafe/persistent-merkle-tree": true, - "browserify": true, - "browserify>buffer": true, - "eth-lattice-keyring>@ethereumjs/tx>@chainsafe/ssz>case": true - } - }, "@metamask/notification-services-controller>@contentful/rich-text-html-renderer": { "globals": { "SuppressedError": true From 7e81d92964c391d0ede90cb4cdcd15324fadc8d7 Mon Sep 17 00:00:00 2001 From: HJetpoluru Date: Fri, 20 Dec 2024 11:51:12 -0500 Subject: [PATCH 4/4] Fix the error --- lavamoat/browserify/flask/policy.json | 8 ++++++++ 1 file changed, 8 insertions(+) 
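Review bot: `INFURA_PROJECT_ID: 00000000000` in both new `env:` blocks is an unquoted all-digit scalar with a leading zero, so a YAML loader is entitled to read it as a number (octal `0` under YAML 1.1 rules) and the step may receive `0` rather than the eleven-character string; quote it, `INFURA_PROJECT_ID: '00000000000'`. Since the value is a stand-in and not a credential, say so on the line so nobody later substitutes a real project ID into a policy-generation job that has no need for one, e.g. `INFURA_PROJECT_ID: '00000000000' # dummy value; the policy generator only needs the variable to be set`. Whether the build actually requires the variable to be non-empty is not shown here — the commit title only says "mock" — so confirm the exact requirement before relying on the placeholder's length.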
diff --git a/lavamoat/browserify/flask/policy.json b/lavamoat/browserify/flask/policy.json index 31d38efa9a7e..05a22743204c 100644 --- a/lavamoat/browserify/flask/policy.json +++ b/lavamoat/browserify/flask/policy.json @@ -13,6 +13,14 @@ "browserify": true } }, + "eth-lattice-keyring>@ethereumjs/tx>@chainsafe/ssz": { + "packages": { + "eth-lattice-keyring>@ethereumjs/tx>@chainsafe/ssz>@chainsafe/persistent-merkle-tree": true, + "browserify": true, + "browserify>buffer": true, + "eth-lattice-keyring>@ethereumjs/tx>@chainsafe/ssz>case": true + } + }, "@metamask/notification-services-controller>@contentful/rich-text-html-renderer": { "globals": { "SuppressedError": true
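Review bot: This hunk restores, byte for byte, the `eth-lattice-keyring>@ethereumjs/tx>@chainsafe/ssz` entry that PATCH 3/4 removed, so the net effect of the last two commits on `lavamoat/browserify/flask/policy.json` is empty and they should be dropped or squashed before merge rather than left as "Removed dependency"/"Fix the error" noise in history. Hand edits to a LavaMoat policy are exactly what the new `validate-lavamoat-policy-webapp` job exists to reject — its `flask` matrix leg fails whenever this file differs from the output of `yarn lavamoat:webapp:auto:ci --build-types=flask` — so any future change here should come from the generator, with the commit message saying so. The enclosing JSON object continues outside the hunk.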