Merge branch 'main' into dynamic-proxy-port

.github/workflows/run-e2e-tests.yml

@@ -244,6 +244,11 @@ on:
         required: true
       MAIN_DNS_ZONE_PUBLIC_SDLC:
         required: true
+      # Passing these will get GATI token and set it as env var GATI_TOKEN for the tests
+      OPTIONAL_GATI_AWS_ROLE_ARN:
+        required: false
+      OPTIONAL_GATI_LAMBDA_URL:
+        required: false
 
 env:
   CHAINLINK_IMAGE:
@@ -490,9 +495,15 @@ jobs:
       - name: Check if test secrets are required for any test
         shell: bash
         run: |
-          # Check if the test secret key is provided and skip the checks if it is non-empty
-          if [ -n "${{ secrets.TEST_SECRETS_OVERRIDE_BASE64 }}" ]; then
-            echo "Test secret key provided. Skipping checks for tests requiring secrets."
+          # Check if the test secret key is provided from GitHub Secrets and skip the checks if it is non-empty
+          if [[ -n "${{ secrets.TEST_SECRETS_OVERRIDE_BASE64 }}" ]]; then
+            echo "Test secrets from GitHub Secret provided. Skipping checks for tests requiring secrets."
+            exit 0
+          fi
+
+          # Check if the test secret key is provided from AWS Secrets Manager and skip the checks if it is non-empty
+          if [[ "${{ inputs.test_secrets_override_key }}" =~ ^aws: ]]; then
+            echo "Test secrets from AWS Secrets Manager provided. Skipping checks for tests requiring secrets."
             exit 0
           fi
 
@@ -723,6 +734,20 @@ jobs:
           aws_region: ${{ secrets.QA_AWS_REGION }}
           aws_role_to_assume: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }}
 
+      - name: Setup GitHub token using GATI
+        id: setup-optional-gati-token
+        env:
+          OPTIONAL_GATI_AWS_ROLE_ARN: ${{ secrets.OPTIONAL_GATI_AWS_ROLE_ARN }}
+          OPTIONAL_GATI_LAMBDA_URL: ${{ secrets.OPTIONAL_GATI_LAMBDA_URL }}
+        if:
+          ${{ env.OPTIONAL_GATI_AWS_ROLE_ARN && env.OPTIONAL_GATI_LAMBDA_URL }}
+        uses: smartcontractkit/.github/actions/setup-github-token@ef78fa97bf3c77de6563db1175422703e9e6674f # [email protected]
+        with:
+          aws-role-arn: ${{ secrets.OPTIONAL_GATI_AWS_ROLE_ARN }}
+          aws-lambda-url: ${{ secrets.OPTIONAL_GATI_LAMBDA_URL }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-role-duration-seconds: "1800"
+
       - name: Run tests
         id: run_tests
         uses: smartcontractkit/.github/actions/ctf-run-tests@5a52473d754eb3cfde41449437e320167bbbddf2 # [email protected]
@@ -746,6 +771,8 @@ jobs:
           INTERNAL_DOCKER_REPO:
             ${{ secrets.QA_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{
             secrets.QA_AWS_REGION }}.amazonaws.com
+          GITHUB_API_TOKEN:
+            ${{ steps.setup-optional-gati-token.outputs.access-token || ''}}
         with:
           test_command_to_run:
             ${{ matrix.tests.test_cmd }} ${{ matrix.tests.test_cmd_opts || '2>&1
@@ -772,6 +799,7 @@ jobs:
             ./integration-tests/smoke/logs/
             ./integration-tests/smoke/db_dumps/
             ./integration-tests/smoke/ccip/logs/
+            ./integration-tests/smoke/capabilities/logs/
             ./integration-tests/smoke/ccip/db_dumps/
             /tmp/gotest.log
           publish_check_name: ${{ env.TEST_ID }}

.github/workflows/run-integration-tests.yml

@@ -97,6 +97,10 @@ on:
       # Used in some tests to send slack notifications
       SLACK_CHANNEL:
         required: false
+      AWS_K8S_CLUSTER_NAME_SDLC:
+        required: true
+      MAIN_DNS_ZONE_PUBLIC_SDLC:
+        required: true
 
 env:
   MOD_CACHE_VERSION: 1
@@ -226,7 +230,7 @@ jobs:
           fi
       - name: Run tests
         id: run_tests
-        uses: smartcontractkit/.github/actions/ctf-run-tests@b8731364b119e88983e94b0c4da87fc27ddb41b8 # ctf-run-tests@0.0.0
+        uses: smartcontractkit/.github/actions/ctf-run-tests@5a52473d754eb3cfde41449437e320167bbbddf2 # ctf-run-tests@v0.4.1
         env:
           CL_DATABASE_URL: ${{ env.DB_URL }}
         with:
@@ -253,6 +257,8 @@ jobs:
           should_tidy: "false"
           go_coverage_src_dir: /var/tmp/go-coverage
           go_coverage_dest_dir: ${{ github.workspace }}/.covdata
+          main-dns-zone: ${{ secrets.MAIN_DNS_ZONE_PUBLIC_SDLC }}
+          k8s-cluster-name: ${{ secrets.AWS_K8S_CLUSTER_NAME_SDLC }}
 
       - name: Upload test log as artifact
         uses: actions/[email protected]

actions/check-if-verified/CHANGELOG.md

@@ -0,0 +1,10 @@
+# check-if-verified
+
+## 1.0.0
+
+### Major Changes
+
+- [#834](https://github.com/smartcontractkit/.github/pull/834)
+  [`d8e30e3`](https://github.com/smartcontractkit/.github/commit/d8e30e301002a053102ff88f64217db56dda5ccd)
+  Thanks [@erikburt](https://github.com/erikburt)! - feat: add check-if-verified
+  initial functionality. Checking if a commit or a tag is verified

actions/check-if-verified/README.md

@@ -0,0 +1,34 @@
+# check-if-verified
+
+> Checks if a tag or commit has a GPG signature.
+
+## Usage
+
+```
+name: Check If Verified Test
+
+on:
+  pull_request:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check PR Commit
+        uses: smartcontractkit/.github/actions/check-if-verified@<ref> # tag
+        if: ${{ github.event_name == 'pull_request' }}
+        with:
+          commit: ${{ github.event.pull_request.head.sha }}
+          assert: true
+
+      - name: Check Tag
+        uses: smartcontractkit/.github/actions/check-if-verified@<ref> # tag
+        if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}
+        with:
+          tag: ${{ github.ref_name}}
+          assert: true
+
+```

actions/check-if-verified/action.yml

@@ -0,0 +1,142 @@
+name: check-if-verified
+description: "Checks if a tag or commit has a GPG signature"
+
+inputs:
+  tag:
+    description: "The tag to check"
+    required: false
+  commit:
+    description: "The commit to check"
+    required: false
+  assert:
+    description:
+      "Whether to assert the tag/object is verified. Default is true. Set to any
+      other value to disable."
+    required: false
+    default: true
+  token:
+    description: "GitHub token"
+    required: true
+    default: ${{ github.token }}
+  repository:
+    description: "The repository to check"
+    required: false
+    default: ${{ github.repository }}
+
+outputs:
+  object_type:
+    description: "The type of the object (tag or commit)"
+    value: ${{ steps.get-sha.outputs.object_type }}
+  verified:
+    description: "Whether the object is GPG-verified"
+    value:
+      ${{ steps.check-tag.outputs.verified  ||
+      steps.check-commit.outputs.verified }}
+  verify_url:
+    description: "The Github API link for details for the tag or commit"
+    value:
+      ${{ steps.check-tag.outputs.verify_url ||
+      steps.check-commit.outputs.verify_url }}
+
+runs:
+  using: composite
+  steps:
+    - name: Input Validation
+      id: input-validation
+      shell: bash
+      env:
+        TAG: ${{ inputs.tag }}
+        COMMIT: ${{ inputs.commit }}
+      run: |
+        if [ -z "$TAG" ] && [ -z "$COMMIT" ]; then
+          echo "::error::Either tag or commit must be provided"
+          exit 1
+        fi
+
+    - name: Get Object SHA
+      id: get-sha
+      env:
+        TAG: ${{ inputs.tag }}
+        COMMIT: ${{ inputs.commit }}
+        GH_TOKEN: ${{ inputs.token }}
+        GH_REPO: ${{ inputs.repository }}
+      shell: bash
+      run: |
+        if [ -n "$TAG" ]; then
+          TAG_RESPONSE=$(gh api "repos/$GH_REPO/git/ref/tags/$TAG")
+          OBJECT_SHA=$(echo $TAG_RESPONSE | jq -r '.object.sha')
+          OBJECT_TYPE=$(echo $TAG_RESPONSE | jq -r '.object.type')
+        elif [ -n "$COMMIT" ]; then
+          OBJECT_SHA=$COMMIT
+          OBJECT_TYPE="commit"
+        fi
+
+        echo "::debug::Found object SHA: $OBJECT_SHA"
+        echo "::debug::Found object type: $OBJECT_TYPE"
+
+        echo "object_sha=$OBJECT_SHA" >> $GITHUB_OUTPUT
+        echo "object_type=$OBJECT_TYPE" >> $GITHUB_OUTPUT
+
+    - name: Check Annotated Tag
+      id: check-tag
+      if: steps.get-sha.outputs.object_type == 'tag'
+      env:
+        ASSERT: ${{ inputs.assert }}
+        GH_TOKEN: ${{ inputs.token }}
+        OBJECT_SHA: ${{ steps.get-sha.outputs.object_sha }}
+        GH_REPO: ${{ inputs.repository }}
+      shell: bash
+      run: |
+        echo "Found annotated tag. Checking the tag object's verification..."
+        echo "::debug::Running gh api repos/$GH_REPO/git/tags/$OBJECT_SHA"
+
+        TAG_JSON=$(gh api "repos/$GH_REPO/git/tags/$OBJECT_SHA")
+        TAG_VERIFIED=$(echo "$TAG_JSON" | jq -r '.verification.verified // empty')
+
+        TAG_API_URL=$(echo "$TAG_JSON" | jq -r '.url')
+        echo "::debug::Tag API URL: $TAG_API_URL"
+        echo "verify_url=$TAG_API_URL" >> $GITHUB_OUTPUT
+
+        if [ "$TAG_VERIFIED" = "true" ]; then
+          echo "✅ Annotated tag is GPG-verified."
+          echo "verified=true" >> $GITHUB_OUTPUT
+        else
+          echo "::error::❌ Annotated tag is NOT verified."
+          echo "verified=false" >> $GITHUB_OUTPUT
+
+          if [ "$ASSERT" = "true" ]; then
+            exit 1
+          fi
+        fi
+
+    - name: Check Commit/Lightweight Tag
+      id: check-commit
+      if: steps.get-sha.outputs.object_type == 'commit'
+      env:
+        ASSERT: ${{ inputs.assert }}
+        GH_TOKEN: ${{ inputs.token }}
+        OBJECT_SHA: ${{ steps.get-sha.outputs.object_sha }}
+        GH_REPO: ${{ inputs.repository }}
+      shell: bash
+      run: |
+        echo "Found commit or lightweight tag. Checking commit verification..."
+        echo "::debug::Running gh api repos/$GH_REPO/commits/$OBJECT_SHA"
+
+        COMMIT_JSON=$(gh api "repos/$GH_REPO/commits/$OBJECT_SHA")
+        COMMIT_VERIFIED=$(echo "$COMMIT_JSON" | jq -r '.commit.verification.verified')
+
+        COMMIT_API_URL=$(echo "$COMMIT_JSON" | jq -r '.url')
+        echo "::debug::Commit API URL: $COMMIT_API_URL"
+        echo "verify_url=$COMMIT_API_URL" >> $GITHUB_OUTPUT
+
+        if [ "$COMMIT_VERIFIED" = "true" ]; then
+          echo "✅ Commit is GPG-verified."
+          echo "verified=true" >> $GITHUB_OUTPUT
+        else
+          echo "::error::❌ Commit is NOT verified."
+          echo "verified=false" >> $GITHUB_OUTPUT
+
+          if [ "$ASSERT" = "true" ]; then
+            exit 1
+          fi
+        fi

actions/check-if-verified/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "check-if-verified",
+  "version": "1.0.0",
+  "description": "",
+  "private": true,
+  "scripts": {},
+  "author": "@smartcontractkit",
+  "license": "MIT",
+  "dependencies": {},
+  "repository": "https://github.com/smartcontractkit/.github"
+}

actions/check-if-verified/project.json

@@ -0,0 +1,7 @@
+{
+  "name": "check-if-verified",
+  "$schema": "../../node_modules/nx/schemas/project-schema.json",
+  "projectType": "application",
+  "sourceRoot": "actions/check-if-verified",
+  "targets": {}
+}

actions/check-if-verified/test-check-if-verified.yml

@@ -0,0 +1,66 @@
+name: Check If Verified Test
+
+on:
+  pull_request:
+
+jobs:
+  check-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: smartcontractkit/.github/actions/check-if-verified@feat/check-if-verified
+        id: check-tag
+        with:
+          commit: ${{ github.event.pull_request.head.sha }}
+          assert: false
+
+      - name: Echo Outputs
+        run: |
+          echo "verified: ${{ steps.check-tag.outputs.verified }}"
+          echo "object_type: ${{ steps.check-tag.outputs.object_type }}"
+          echo "verify_url: ${{ steps.check-tag.outputs.verify_url }}"
+
+  check-lightweight-tag:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: smartcontractkit/.github/actions/check-if-verified@feat/check-if-verified
+        id: check-tag
+        with:
+          tag: "[email protected]"
+          assert: false
+
+      - name: Echo Outputs
+        run: |
+          echo "verified: ${{ steps.check-tag.outputs.verified }}"
+          echo "object_type: ${{ steps.check-tag.outputs.object_type }}"
+          echo "verify_url: ${{ steps.check-tag.outputs.verify_url }}"
+
+  check-annotated-tag-unsigned:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: smartcontractkit/.github/actions/check-if-verified@feat/check-if-verified
+        id: check-tag
+        with:
+          tag: "[email protected]"
+          assert: false
+
+      - name: Echo Outputs
+        run: |
+          echo "verified: ${{ steps.check-tag.outputs.verified }}"
+          echo "object_type: ${{ steps.check-tag.outputs.object_type }}"
+          echo "verify_url: ${{ steps.check-tag.outputs.verify_url }}"
+
+  check-annotated-tag-signed:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: smartcontractkit/.github/actions/check-if-verified@feat/check-if-verified
+        id: check-tag
+        with:
+          tag: "v2.9.1-vrf-20240227"
+          repository: smartcontractkit/chainlink
+          assert: false
+
+      - name: Echo Outputs
+        run: |
+          echo "verified: ${{ steps.check-tag.outputs.verified }}"
+          echo "object_type: ${{ steps.check-tag.outputs.object_type }}"
+          echo "verify_url: ${{ steps.check-tag.outputs.verify_url }}"

actions/crib-deploy-environment/CHANGELOG.md

@@ -1,5 +1,13 @@
 # crib-deploy-environment
 
+## 8.4.0
+
+### Minor Changes
+
+- [#832](https://github.com/smartcontractkit/.github/pull/832)
+  [`63bc25d`](https://github.com/smartcontractkit/.github/commit/63bc25dbdcdf6c9953ae4676ea7f3ddaef8d457e)
+  Thanks [@scheibinger](https://github.com/scheibinger)! - Bump crib repo ref
+
 ## 8.3.1
 
 ### Patch Changes

actions/crib-deploy-environment/action.yml

@@ -72,7 +72,7 @@ inputs:
       for example: https://hooks.slack.com/services/aaa/bbb
     required: false
   crib-repo-ref:
-    default: "v2.0.0"
+    default: "v2.2.0"
     required: false
     description: Useful for testing updates in CRIB
   chainlink-team: