[refactor] remove unused ginkgo

.checkov.yaml

@@ -0,0 +1,3 @@
+skip-path:
+  # auto generated
+  - client/docs

.github/workflows/ante-benchmark.yml

@@ -1,5 +1,8 @@
 name: AnteHandler Benchmark Tests
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

.github/workflows/build.yml

@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yml

@@ -11,6 +11,11 @@
 #
 name: "CodeQL"
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 on:
   push:
     branches: [develop, main, master]

.github/workflows/consensuswarn.yml

@@ -7,9 +7,14 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   main:
     permissions:
+      contents: read
       pull-requests: write  # For reading the PR and posting comment
     runs-on: ubuntu-latest
     steps:
@@ -18,4 +23,4 @@ jobs:
       - uses: orijtech/consensuswarn@main
         with:
           # example.com/pkg/path.Type.Method
-          roots: 'github.com/ExocoreNetwork/exocore/app.ExocoreApp.BaseApp.DeliverTx,github.com/ExocoreNetwork/exocore/app.ExocoreApp.BaseApp.BeginBlocker,github.com/ExocoreNetwork/exocore/app.ExocoreApp.BaseApp.EndBlocker'
+          roots: 'github.com/ExocoreNetwork/exocore/app.ExocoreApp.DeliverTx,github.com/ExocoreNetwork/exocore/app.ExocoreApp.BeginBlocker,github.com/ExocoreNetwork/exocore/app.ExocoreApp.EndBlocker'

.github/workflows/dependencies.yml

@@ -23,6 +23,8 @@ jobs:
       - name: "Dependency Review"
         uses: actions/dependency-review-action@v3
         if: env.GIT_DIFF
+        with:
+          fail-on-severity: high
       - name: "Go vulnerability check"
         run: make vulncheck
         if: env.GIT_DIFF

.github/workflows/e2e-test-release.yml

@@ -1,4 +1,8 @@
 name: E2E Test Release
+
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:

.github/workflows/e2e-test.yml

@@ -1,4 +1,8 @@
 name: E2E Test
+
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:
@@ -13,6 +17,8 @@ on:
 
 jobs:
   test-e2e:
+    # disabled for now, since we don't have any e2e tests.
+    if: ${{ false }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-go@v4

.github/workflows/goreleaser.yml

@@ -1,5 +1,9 @@
 name: goreleaser
 
+permissions:
+  # github releases
+  contents: write
+
 on:
   push:
     tags:

.github/workflows/labeler.yml

@@ -1,15 +1,18 @@
 name: "Pull Request Labeler"
+
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
-  pull_request:
-  push:
-    branches:
-      - develop
-      - main
-      - master
+  pull_request_target:
 
 jobs:
   triage:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/labeler@v4
         with:

.github/workflows/markdown-links.yml

@@ -1,5 +1,9 @@
 name: Check Markdown links
-on: 
+
+permissions:
+  contents: read
+
+on:
   pull_request:
     paths:
       - '**.md'
@@ -10,6 +14,9 @@ on:
       - master
     paths:
       - '**.md'
+  # runs every monday at 9 am
+  schedule:
+    - cron: "0 9 * * 1"
 
 jobs:
   markdown-link-check:
@@ -18,7 +25,5 @@ jobs:
       - uses: actions/checkout@v4
       - uses: gaurav-nelson/github-action-markdown-link-check@master
         with:
-          check-modified-files-only: "yes"
-          use-quiet-mode: "yes"
           base-branch: "main"
           config-file: "mlc_config.json"

.github/workflows/proto-comment.yml

@@ -0,0 +1,81 @@
+name: Comment protobuf breaking action outcome on the pull request
+
+permissions:
+  # for finding and downloading artifacts.
+  actions: read
+  # for commenting on pull requests.
+  pull-requests: write
+  # the content of the repo is irrelevant to this workflow.
+  contents: none
+
+on:
+  workflow_run:
+    workflows: ["Protobuf"]
+    types:
+      - completed
+
+jobs:
+  download-artifact-and-comment:
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@v7.0.1
+        with:
+          script: |
+            var artifacts = await github.actions.listWorkflowRunArtifacts({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifact = artifacts.data.artifacts.find((artifact) => {
+                return artifact.name == "result";
+            });
+            if (!matchArtifact) {
+                var core = require('@actions/core');
+                core.setFailed('Artifact "result" not found.');
+                return;
+            }
+            var download = await github.actions.downloadArtifact({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                artifact_id: matchArtifact.id,
+                archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/result.zip', Buffer.from(download.data));
+      - run: unzip result.zip -d result
+      - name: Read PR number and outcome
+        run: |
+            pr_number=$(cat "result/pr_number.txt")
+            outcome=$(cat "result/outcome.txt")
+            echo "PR_NUMBER=${pr_number}" >> "$GITHUB_ENV"
+            echo "OUTCOME=${outcome}" >> "$GITHUB_ENV"
+      - name: Find comment
+        id: find-comment
+        uses: peter-evans/find-comment@v2
+        with:
+          issue-number: ${{ env.PR_NUMBER }}
+          comment-author: 'github-actions[bot]'
+          body-includes: buf breaking change
+      - name: Comment status of break-check in the case of failure
+        if: ${{ env.OUTCOME == 'failure' }}
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          issue-number: ${{ env.PR_NUMBER }}
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          body: |
+            ${{ github.sha }} (${{ github.event.workflow_run.updated_at }}) has a buf breaking change.
+            View the workflow run: [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }})
+          edit-mode: append
+      - name: Comment status of break-check in the case of success
+        if: env.OUTCOME == 'success' && steps.find-comment.outputs.comment-id != ''
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          issue-number: ${{ env.PR_NUMBER }}
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          body: |
+            ${{ github.sha }} (${{ github.event.workflow_run.updated_at }}) has no buf breaking changes.
+            View the workflow run: [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }})
+          edit-mode: append

.github/workflows/proto.yml

@@ -6,6 +6,15 @@ on:
     paths:
       - "proto/**"
 
+permissions:
+  # for uploading artifacts
+  contents: write
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -39,6 +48,22 @@ jobs:
       - uses: actions/checkout@v4
       - uses: bufbuild/buf-setup-action@v1.26.1
       - uses: bufbuild/buf-breaking-action@v1
+        id: break-check
         with:
           input: "proto"
-          against: "https://github.com/${{ github.repository }}.git#branch=${{ github.event.pull_request.base.ref }},ref=HEAD~1,subdir=proto"
+          # previously, this ran on ref=HEAD~1, which is incorrect as it can
+          # only be used to compare within a branch. it is designed to run
+          # on a PR, so it must compare the HEAD of the base branch against
+          # the PR branch.
+          against: "https://github.com/${{ github.repository }}.git#branch=${{ github.event.pull_request.base.ref }},subdir=proto"
+        # do not fail the build if there are breaking changes
+        continue-on-error: true
+      - name: Make buf breaking changes outcome as txt file
+        run: |
+          mkdir -p ./result/
+          echo "${{ steps.break-check.outcome }}" > ./result/outcome.txt
+          echo "${{ github.event.pull_request.number }}" > ./result/pr_number.txt
+      - uses: actions/upload-artifact@v2
+        with:
+          name: result
+          path: ./result/

.github/workflows/security.yml

@@ -7,9 +7,14 @@ on:
       - main
       - master
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   Gosec:
     permissions:
+      contents: read
       security-events: write
 
     runs-on: ubuntu-latest

.github/workflows/semgrep.yml

@@ -1,4 +1,6 @@
 name: Semgrep
+permissions:
+  contents: read
 on:
   # Scan changed files in PRs, block on new issues only (existing issues ignored)
   pull_request: {}

.github/workflows/slither.yml

@@ -8,6 +8,10 @@ on:
       - main
       - master
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     # disabled for now, since we don't have any Solidity files.

.github/workflows/solhint.yml

@@ -1,10 +1,13 @@
 name: Solhint
-# This workflow is only run when a .sol file has been changed
+# This workflow is only run when a file in the contracts folder changes.
 on:
   pull_request:
     paths:
       - "contracts/**"
 
+permissions:
+  contents: read
+
 jobs:
   solhint:
     name: runner / solhint

.github/workflows/solidity-test.yml

@@ -7,8 +7,13 @@ on:
       - master
       - release/**
 
+permissions:
+  contents: read
+
 jobs:
   test-solidity:
+    # disabled for now, since we don't have any Solidity files.
+    if: ${{ false }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-go@v4

.github/workflows/stale.yml

@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest

.github/workflows/super-linter.yml

@@ -7,6 +7,9 @@
 ---
 name: Lint Code Base
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: ["develop", "main", "master"]
@@ -23,7 +26,7 @@ jobs:
           fetch-depth: 0
 
       - name: Lint Code Base
-        uses: github/super-linter@v5
+        uses: super-linter/super-linter@v6.3.0  # x-release-please-version
         env:
           LINTER_RULES_PATH: /
           YAML_CONFIG_FILE: .yamllint
@@ -33,6 +36,10 @@ jobs:
           VALIDATE_NATURAL_LANGUAGE: false
           VALIDATE_OPENAPI: false
           VALIDATE_JSCPD: false
+          # The JSON files in the repo are generated (abis or swagger)
+          # or are linting files. So this can be safely disabled.
+          VALIDATE_JSON: false
+          # separate workflow
           VALIDATE_GO: false
-          DEFAULT_BRANCH: "master"
+          VALIDATE_GO_MODULES: false
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}