chore(lint): fix super linter (again) (#14)

* chore(lint): satisfy gitleaks

If a variable name contains the word KEY, gitleaks does not like it and
flags it as a potential secret. I have changed the name of the variable
in these files from KEYALGO to ALGO since it is not a secret but rather
the algorithm of the key generation. That silences gitleaks.

* chore(lint): placate YAML linter

added a blank line at the end of `.golangci.yml`

* chore(lint): activate Docker / IAAS linter

* chore(lint): placate shellcheck

* chore(lint): placate markdownlint

* chore(lint): placate markdownlint from `lint.yml`

The previous commit worked on the markdownlint from the super-linter.

* build: use test keyring in localnet

The OS keyring may not always be available.

* chore(lint): merge docker RUN statements

It can potentially reduce the number of layers in the image, making it
smaller and more efficient to build and pull.

* fix(localnet): remove seed URL upon init

* chore(lint): some lint suggestions for Dockerfile

Note that this file is used from the root of the project via `make
localnet-build`, which is why the paths work.

* chore(lint): apply shfmt

* chore(lint): add docker healthcheck and user

* chore(build): update release go version to 1.21

* chore(ci): add permissions to workflows

* chore(ci): skip generated files

* chore(ci): placate yaml linter

* chore(ci): use correct argument name for checkov

* chore(ci): add top level permissions to codeql

* chore(ci): add json super linter to match develop

* chore(ci): disable JSON super linter

* chore(lint): trigger lint workflows with comment

* chore(deps): upgrade protobuf to 1.33.0

CVE-2024-24786 / GO-2024-2611 is fixed with this upgrade. Even though
this package is fundamental to our system, the changes between 1.31.0
and 1.33.0 are minor.

* Revert "chore(deps): upgrade protobuf to 1.33.0"

This reverts commit c09f986.

* chore(deps): update protobuf

A vulnerability has been fixed in v1.33.0 of google.golang.org/protobuf
and we must update the associated github.com/golang/protobuf as well.

* chore(ci): coverage badge comment on PR

* chore(build): exclude testutil from coverage

* chore(ci): add test coverage commenting workflow

* chore(ci): use step output instead of env

* chore(ci): add commit hash in test comment

* chore(ci): remove deprecated output

The test workflow will not fully run right now because it runs on
`pull_request_target` which must be merged into the base branch first.

.checkov.yaml

@@ -0,0 +1,3 @@
+skip-path:
+  # auto generated
+  - client/docs

.github/workflows/ante-benchmark.yml

@@ -1,5 +1,8 @@
 name: AnteHandler Benchmark Tests
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

.github/workflows/build.yml

@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yml

@@ -11,6 +11,11 @@
 #
 name: "CodeQL"
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 on:
   push:
     branches: [develop, main, master]

.github/workflows/consensuswarn.yml

@@ -7,9 +7,14 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   main:
     permissions:
+      contents: read
       pull-requests: write  # For reading the PR and posting comment
     runs-on: ubuntu-latest
     steps:

.github/workflows/e2e-test-release.yml

@@ -1,4 +1,8 @@
 name: E2E Test Release
+
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:

.github/workflows/e2e-test.yml

@@ -1,4 +1,8 @@
 name: E2E Test
+
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:

.github/workflows/goreleaser.yml

@@ -1,5 +1,9 @@
 name: goreleaser
 
+permissions:
+  # github releases
+  contents: write
+
 on:
   push:
     tags:

.github/workflows/labeler.yml

@@ -1,5 +1,9 @@
 name: "Pull Request Labeler"
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   pull_request_target:
 

.github/workflows/markdown-links.yml

@@ -1,5 +1,9 @@
 name: Check Markdown links
-on: 
+
+permissions:
+  contents: read
+
+on:
   pull_request:
     paths:
       - '**.md'
@@ -10,6 +14,9 @@ on:
       - master
     paths:
       - '**.md'
+  # runs every monday at 9 am
+  schedule:
+    - cron: "0 9 * * 1"
 
 jobs:
   markdown-link-check:
@@ -18,7 +25,5 @@ jobs:
       - uses: actions/checkout@v4
       - uses: gaurav-nelson/github-action-markdown-link-check@master
         with:
-          check-modified-files-only: "yes"
-          use-quiet-mode: "yes"
           base-branch: "main"
           config-file: "mlc_config.json"

.github/workflows/proto.yml

@@ -6,6 +6,9 @@ on:
     paths:
       - "proto/**"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/security.yml

@@ -7,9 +7,14 @@ on:
       - main
       - master
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   Gosec:
     permissions:
+      contents: read
       security-events: write
 
     runs-on: ubuntu-latest

.github/workflows/semgrep.yml

@@ -1,4 +1,6 @@
 name: Semgrep
+permissions:
+  contents: read
 on:
   # Scan changed files in PRs, block on new issues only (existing issues ignored)
   pull_request: {}

.github/workflows/slither.yml

@@ -8,6 +8,10 @@ on:
       - main
       - master
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     # disabled for now, since we don't have any Solidity files.

.github/workflows/solhint.yml

@@ -1,10 +1,13 @@
 name: Solhint
-# This workflow is only run when a .sol file has been changed
+# This workflow is only run when a file in the contracts folder changes.
 on:
   pull_request:
     paths:
       - "contracts/**"
 
+permissions:
+  contents: read
+
 jobs:
   solhint:
     name: runner / solhint

.github/workflows/solidity-test.yml

@@ -7,6 +7,9 @@ on:
       - master
       - release/**
 
+permissions:
+  contents: read
+
 jobs:
   test-solidity:
     # disabled for now, since we don't have any Solidity files.

.github/workflows/stale.yml

@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest

.github/workflows/super-linter.yml

@@ -7,6 +7,9 @@
 ---
 name: Lint Code Base
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["develop", "main", "master"]
@@ -33,9 +36,10 @@ jobs:
           VALIDATE_NATURAL_LANGUAGE: false
           VALIDATE_OPENAPI: false
           VALIDATE_JSCPD: false
+          # The JSON files in the repo are generated (abis or swagger)
+          # or are linting files. So this can be safely disabled.
+          VALIDATE_JSON: false
           # separate workflow
           VALIDATE_GO: false
           VALIDATE_GO_MODULES: false
-          # TODO: enable docker coverage later
-          VALIDATE_CHECKOV: false
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -1,13 +1,18 @@
 name: Tests
 on:
-  pull_request:
+  # for write permission, use pull_request_target and not pull_request.
+  pull_request_target:
   push:
     branches:
       - develop
       - main
       - master
       - release/**
 
+permissions:
+  contents: write
+  pull-requests: write
+
 # Automatically cancel run if another commit to the same ref is detected.
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -29,14 +34,32 @@ jobs:
             **/**.go
             go.mod
             go.sum
-      - name: Test and Create Coverage Report
+      - name: Test and create coverage report
         run: |
           make test-unit-cover
         if: env.GIT_DIFF
-      - uses: codecov/codecov-action@v3
-        # disabled for now, since we don't have any codecov
-        if: ${{ false }}
+      - name: Check if test coverage is above threshold
+        id: output-coverage
+        uses: vladopajic/go-test-coverage@v2
+        with:
+          profile: cover.out
+          local-prefix: github.com/ExocoreNetwork/exocore
+          # TODO: increase this threshold with time to 80
+          threshold-total: 10
+        if: env.GIT_DIFF
+      - name: Find comment
+        id: find-comment
+        uses: peter-evans/find-comment@v2
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+        if: env.GIT_DIFF && github.event_name == 'pull_request'
+      - name: Comment coverage on PR
+        uses: peter-evans/create-or-update-comment@v3
         with:
-          file: ./coverage.txt
-          fail_ci_if_error: true
-        # if: env.GIT_DIFF
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          body: |
+            Coverage as of ${{ github.sha }}: ${{ steps.output-coverage.outputs.total-coverage }}%
+          edit-mode: append
+        if: env.GIT_DIFF && github.event_name == 'pull_request'

.gitignore

@@ -49,7 +49,6 @@ localnet-setup
 .testnets
 
 # Testing
-coverage.txt
 *.out
 sim_log_file
 tests/**/tmp/*

.golangci.yml

@@ -67,4 +67,4 @@ issues:
     # however, other linters have not yet caught up.
     - text: 'leading space'
       linters:
-        - nolintlint
+        - nolintlint