Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
175 commits
Select commit Hold shift + click to select a range
d3770e1
Update op-node to v1.7.6 and op-geth to v1.101315.1 (#263)
danyalprout May 28, 2024
f722031
docs(readme): HDD requirements (#262)
Jun 8, 2024
2dfb660
clarify that HOST_IP should be set to external ip address for better …
Jun 12, 2024
b63b798
fix missing end quote on nat IP (#273)
coffeexcoin Jun 13, 2024
acc4e30
chore: add reth configuration & cleanup configs (#271)
danyalprout Jun 14, 2024
d056b51
Update Reth for Fjord CL Support (#277)
danyalprout Jun 17, 2024
f0eb7f1
op-node: v1.7.7 / op-geth: v1.101315.2 / op-reth: v1.0.0-rc.2 (#279)
danyalprout Jun 20, 2024
2dbf4a4
fix: typo in natextip for op-geth (#281)
danyalprout Jun 20, 2024
50fc6e9
restore recommendation for NVME drive (#282)
Jun 24, 2024
8e7460e
Update Reth (#286)
danyalprout Jun 27, 2024
5652221
chore: remove unused env vars (#291)
danyalprout Jul 7, 2024
44912b2
Update README.md (#302)
evslatts Jul 22, 2024
37a3020
chore: update reth version & return to upstream (#308)
danyalprout Aug 7, 2024
90f047f
Update op-node to 1.9.0 and op-geth to v1.101315.3 (#309)
henridevieux Aug 7, 2024
d1639e1
chore: update reth (v1.0.5), op-node (v1.9.0) (#310)
danyalprout Aug 10, 2024
5234654
Update geth-entrypoint (#311)
web3-nodeops Aug 12, 2024
f69654d
Upgrade to op-node 1.9.1 (#317)
henridevieux Aug 30, 2024
fb05db2
docs(readme): Add additional recommended specs for running a node (#307)
Sep 17, 2024
d42810f
Allow execution nodes to act as peers for other nodes (#330)
benaadams Sep 27, 2024
c41489f
Enable discovery for reth node (#314)
walkerlala Sep 30, 2024
f038903
Add Nethermind (#329)
stdevMac Oct 21, 2024
47c0680
op-node(1.9.4), op-geth(v1.101411.0), op-reth(1.1.0) (#337)
danyalprout Oct 21, 2024
d15d4fe
Remove reth arm64 build (running out of memory) (#338)
Oct 21, 2024
d44e4da
Upgrade to OP version 1.9.5 (#350)
henridevieux Nov 18, 2024
f9ab89c
Upgrade op-node(v1.10.0), op-geth(v1.101411.2), and op-reth(v1.1.2) (…
henridevieux Nov 22, 2024
923f340
Update README.md (#345)
Olexandr88 Nov 28, 2024
1d5d06b
Upgrade op-node(v1.10.2) op-geth(v1.101411.4) and reth(v1.1.4) (#367)
henridevieux Dec 18, 2024
ad4fef7
use a hotfix commit (#381)
cody-wang-cb Jan 6, 2025
410634f
upgrade to reth 1.1.5 (#382)
cody-wang-cb Jan 7, 2025
9997fd1
Update Nethermind to 1.30.3 (and op node) (#380)
benaadams Jan 23, 2025
de96297
Update op-geth to v1.101411.6 (#400)
henridevieux Jan 30, 2025
50ae0f7
[Chore] Update build-push-action to latest v6 (#403)
0x00101010 Feb 3, 2025
26d3279
Update workflow config to fix docker publish (#406)
0x00101010 Feb 3, 2025
cee4c24
Migrate from base-org to base (#410)
Feb 11, 2025
311ea00
chore: simplified variable check condition (#404)
0xkazak Feb 11, 2025
414b6ba
feat: improve network configuration handling (#395)
VolodymyrBg Feb 11, 2025
69e2895
docs: typo fix Update README.md (#376)
mdqst Feb 11, 2025
554d9f3
Consistent Docker Buildx Action Version (#374)
Mukzid Feb 11, 2025
9a4ebd1
Fix: adding l2 engine kind param in .env for faster sync (#401)
etherhood Feb 11, 2025
741a31f
chore: Upgrade geth version to v1.101500.0, Pectra compat (#411)
BrianBland Feb 18, 2025
f186296
chore: Upgrade reth version to 1.2.0, Pectra compat (#412)
BrianBland Feb 18, 2025
a0ce106
Update nodes version for pectra readiness (#415)
cody-wang-cb Feb 18, 2025
7f67637
update nethermind (#416)
cody-wang-cb Feb 18, 2025
f496431
op-node 1.11.1 (#417)
cody-wang-cb Feb 19, 2025
40d773f
chore: update op-node (v1.11.2) op-geth (v1.101500.1) (#420)
danyalprout Feb 28, 2025
b571f94
chore: update reth to 1.3.0 (#425)
danyalprout Mar 17, 2025
31e9f13
chore: upgrade op-node (v1.12.1) op-geth (v1.101503.1) (#427)
meyer9 Mar 17, 2025
864abe9
Build arm64 multiplatform images (#429)
dguenther Mar 19, 2025
6f48c36
Make nethermind entrypoint executable (#430)
dguenther Mar 19, 2025
1144986
Updates op-node=v1.13.0, op-geth=v1.101503.2, op-reth=v1.3.7 (#437)
henridevieux Apr 5, 2025
41444b0
chore: update reth to 1.3.9 (#440)
danyalprout Apr 14, 2025
c673c87
chore: bump reth to v1.3.11 (#441)
danyalprout Apr 16, 2025
d6794bb
Add setup for node-reth (#446)
cody-wang-cb Apr 24, 2025
971ab6e
add default node type (#448)
cody-wang-cb Apr 25, 2025
a06efe9
Upgrade op-node=v.1.13.2 and op-geth=v1.101503.4 (#454)
henridevieux Apr 28, 2025
de4d3d4
refactor(configs): Update for Geth and Reth (#447)
Apr 28, 2025
9bd0122
refactor(reth/Dockerfile): Reference tag not branch (#455)
Apr 28, 2025
5a73a41
docs: fix minor wording issue in security section (#422)
annwag May 9, 2025
e82da83
fix(reth/dockerfile): Reference tag instead of branch (#460)
May 12, 2025
ac53ae8
Updates op-node, Nethermind in Nethermind Dockerfile (#470)
surtling44 May 28, 2025
8cd6941
chore: update reth binaries to v1.4.3 (#472)
danyalprout May 28, 2025
5a871ba
bump node-reth to 0.1.2 (#476)
haardikk21 Jun 10, 2025
2336893
Automate Node Upgrade Process: Update Dependencies (#477)
JenabaBa Jun 10, 2025
cfd8eca
Update op-geth for geth-based build (#473)
drwtsn95 Jun 16, 2025
b10fc7a
Automate Node Upgrade Process: Update Script (#478)
JenabaBa Jun 17, 2025
ccaf12e
[StepSecurity] Apply security best practices (#481)
stepsecurity-app[bot] Jun 18, 2025
9415dea
fix: allow github actions to push packages (#483)
danyalprout Jun 20, 2025
97e1064
Upgrade node-reth to v0.1.3 (#486)
0x00101010 Jun 30, 2025
a3dfafa
Fix Dependency Update Multiple Pages + Update Op-node to V1.13.4 (#482)
JenabaBa Jul 2, 2025
32c0b61
Add Commit Message Feature to Dependency Updater (#488)
JenabaBa Jul 2, 2025
d20b73e
feat: add additional port configuration options for disc/p2p (#465)
coffeexcoin Jul 2, 2025
e3e0ae3
fix typo "accomodate" (#491)
gap-editor Jul 6, 2025
56890f3
Dependency Updater: Add Support for Branch Tracking (#495)
JenabaBa Jul 7, 2025
6b16142
Dependency Updater: Github Action Workflow for Scheduled Updater Runs…
JenabaBa Jul 9, 2025
94e86f0
Dependency Updater: Add Step to Remove commit_message.env (#499)
JenabaBa Jul 9, 2025
8d4ecd9
Dependency Updater: Create env Before Commit Message (#501)
JenabaBa Jul 9, 2025
926d8a9
chore: updated reth (#500)
github-actions[bot] Jul 9, 2025
4c24423
Dependency Updater: Change Updater Workflow Schedule (#503)
JenabaBa Jul 10, 2025
c575eec
fix updater bug (#504)
JenabaBa Jul 10, 2025
21009d4
[StepSecurity] Apply security best practices (#505)
stepsecurity-app[bot] Jul 12, 2025
2981de0
fix: push when title is set (#507)
danyalprout Jul 16, 2025
7cb0364
chore: updated node-reth, nethermind, op-geth, optimism (#508)
github-actions[bot] Jul 18, 2025
3a9feee
Update README.md (#506)
operagxoksana Jul 21, 2025
3e4d876
Update dependency_updater.go (#510)
pashka8 Jul 21, 2025
13c0c68
chore: updated node-reth, nethermind, reth (#511)
github-actions[bot] Jul 23, 2025
5e8ef57
remove newline char (#515)
JenabaBa Jul 28, 2025
d96045b
Dependency Updater: change workflow to use GITHUB_OUTPUT instead of e…
JenabaBa Jul 31, 2025
3de663c
Dependency Updater: fix commit description formatting (#520)
JenabaBa Aug 4, 2025
f988bd0
Update dependency_updater.go (#522)
GarmashAlex Aug 6, 2025
163785a
fixed typos and removed print (#521)
letmehateu Aug 13, 2025
0357d33
fix GitHub markdown syntax for NOTE block in README (#532)
reallesee Sep 22, 2025
b284f35
chore: bump node reth to 0.1.8 (#545)
haardikk21 Sep 23, 2025
021d441
fix: use branch name as tag for branch-tracked dependencies (#560)
cody-wang-cb Sep 30, 2025
d0088a1
chore: updated nethermind, op-geth, optimism, reth (#539)
github-actions[bot] Oct 2, 2025
00569b5
Fix TAG writing in env file (#565)
cody-wang-cb Oct 3, 2025
a58740f
Update README.md (#534)
petryshkaCODE Oct 8, 2025
97c1b32
updates (#542)
maciekzygmunt Oct 8, 2025
df92c55
Fix apt cache cleanup in nethermind Dockerfile (#526)
strmfos Oct 8, 2025
b8f32f9
dependency_updater: remove redundant string casts in updater CLI args…
Galoretka Oct 8, 2025
9043c22
fix: correct inconsistency (#568)
alkindivv Oct 8, 2025
3c34620
docs: fix unclosed parenthesis in storage requirements (#524)
aso20455 Oct 8, 2025
b844ef5
reth: rename “vanilla” to “OP Reth”; align README terminology (#547)
Forostovec Oct 8, 2025
b095dbd
fix(nethermind): validate OP_NODE_NETWORK in entrypoint (#553)
HoustonOla35 Oct 8, 2025
fe34377
Update op-node-entrypoint (#546)
DeVikingMark Oct 8, 2025
e648693
Fix apt cache cleanup in reth Dockerfile (#548)
Piotr-InforDB Oct 8, 2025
832f2ba
Update dependency_updater.go (#540)
sashaodessa Oct 8, 2025
b86b168
fix(geth): remove unused txpool variables and align comment (#572)
sashass1315 Oct 8, 2025
bd1ba2e
Update README.md (#531)
oooLowNeoNooo Oct 8, 2025
db71d5f
chore: update formatting / fix go mod declaration (#574)
danyalprout Oct 8, 2025
507cd8c
chore: updated nethermind, op-geth, optimism, node-reth (#569)
github-actions[bot] Oct 9, 2025
9f47c92
nethermind-entrypoint: remove dead JWT_SECRET_FILE (#573)
MozirDmitriy Oct 9, 2025
9f3da7f
Remove redundant !githubAction check in else if statement. (#541)
eeemmmmmm Oct 9, 2025
0e60232
Add web3 namespace to reth API configuration (#421)
Inbell1s Oct 9, 2025
974d711
Restart unless stopped (#517)
bart613 Oct 9, 2025
aeaab78
fix: make bootnodes check safer (#538)
hexcow Oct 9, 2025
9124a5c
Unquoted variables vulnerability (#549)
Piotr-InforDB Oct 9, 2025
86e563a
reth-entrypoint: use safe parameter expansion to prevent set -u unbou…
Snezhkko Oct 9, 2025
68d8776
fix: allow multiline output (#575)
danyalprout Oct 9, 2025
bc32ac4
fix: try adding eof on newline (#577)
danyalprout Oct 9, 2025
de14602
chore: updated node-reth (#578)
github-actions[bot] Oct 9, 2025
1f84561
chore: Align Go version (#582)
HoustonOla35 Oct 22, 2025
14d4914
chore: bump node-reth commit hash (#606)
haardikk21 Oct 24, 2025
d72dc2c
chore: updated op-geth, optimism, node-reth, nethermind (#591)
github-actions[bot] Oct 24, 2025
58c2b3d
Reth recommended (#604)
anikaraghu Oct 24, 2025
34a7d90
chore: updated reth, node-reth (#615)
github-actions[bot] Oct 29, 2025
4e4f38f
chore: updated node-reth to 0.1.14 (#616)
github-actions[bot] Oct 29, 2025
4c24721
chore: updated node-reth (#622)
github-actions[bot] Oct 30, 2025
14d0a21
add pruning snapshot capability (#625)
wlawt Oct 31, 2025
9f73ac9
fix pruning args (#626)
wlawt Oct 31, 2025
aa205fb
chore: updated reth, node-reth, nethermind (#627)
github-actions[bot] Nov 6, 2025
979a338
feat: push to Docker sha and allow workflow dispatch (#639)
meyer9 Nov 7, 2025
22ae136
chore: build `base-reth-node` w/ maxperf (#634)
wlawt Nov 12, 2025
7a56cf4
chore: updated optimism, reth, node-reth, nethermind, op-geth (#638)
github-actions[bot] Nov 12, 2025
12566c4
chore: mark prs/issues as stale (#652)
danyalprout Nov 14, 2025
f34be03
chore: updated node-reth, op-geth, optimism (#656)
github-actions[bot] Nov 18, 2025
b153c59
chore: updated reth, node-reth (#661)
github-actions[bot] Nov 24, 2025
33db41a
chore: updated nethermind (#677)
github-actions[bot] Nov 26, 2025
b52083f
chore: update diff view for commits (#729)
danyalprout Dec 2, 2025
29fcaba
fix(reth_entrypoint): add flashblocks to additional args instead of r…
mur-me Dec 22, 2025
b4e39fb
chore: add rc support for dependency updater (#909)
danyalprout Jan 14, 2026
97fb39a
chore: update base-reth repo url to base/base (#912)
danyalprout Jan 16, 2026
863c9bd
chore: add pruning args to env file (#682)
wlawt Jan 27, 2026
68a894f
chore: update to base reth 0.3.0 (#932)
danyalprout Jan 28, 2026
43ef7cc
[StepSecurity] Apply security best practices (#966)
stepsecurity-app[bot] Feb 11, 2026
5d47f18
chore: updated base, nethermind, op-geth, optimism, reth (#937)
github-actions[bot] Feb 11, 2026
5598217
fix: update dotnet images to 10.0 for Nethermind 1.36.0 (#967)
danyalprout Feb 11, 2026
2d8c44c
chore: update base reth to v0.4.0 (#972)
danyalprout Feb 17, 2026
a294d4a
chore: update base reth to v0.4.1 (#975)
danyalprout Feb 18, 2026
fccea22
chore: remove unused op-reth repo (#981)
meyer9 Feb 25, 2026
6e9cb08
feat: support proofs ExEx (#980)
meyer9 Feb 26, 2026
208d696
chore: updated base-reth to 0.5.1 (#969)
github-actions[bot] Mar 3, 2026
9c50dae
chore: updated base-reth to 0.5.1 (#969)
github-actions[bot] Mar 3, 2026
f14551c
chore: updated optimism, op-geth (#984)
github-actions[bot] Mar 5, 2026
23ffb27
chore: updated base, nethermind, op-geth, optimism (#987)
github-actions[bot] Mar 27, 2026
6a2a361
fix(base-reth): add mold linker (#992)
danyalprout Mar 28, 2026
e684286
feat: switch consensus client from op-node to base-consensus (#985)
meyer9 Apr 6, 2026
1a97dfe
fix: base-consensus mode (#999)
meyer9 Apr 8, 2026
c8d0862
chore: updated base, op-geth, optimism (#995)
github-actions[bot] Apr 8, 2026
0ef36d3
fix: switch all entrypoints to use base node auth (#1001)
meyer9 Apr 8, 2026
9480ec1
fix: add legacy op node flag (#1002)
meyer9 Apr 8, 2026
e493aa8
bump: base/base to 0.7.3 (#1021)
refcell Apr 15, 2026
726a616
bump: base/base to 0.7.4 (#1025)
refcell Apr 16, 2026
8e10bf3
fix: 0.7.5 (#1026)
refcell Apr 17, 2026
ca91ddb
bump: base/base to 0.7.6 (#1027)
danyalprout Apr 21, 2026
3bac950
fix(reth): replace deprecated docker-compose with docker compose (#1013)
Sertug17 Apr 24, 2026
d4a32b2
fix: disable NuGet audit in nethermind Dockerfile (#1036)
mw2000 Apr 28, 2026
77255d1
fix: default CLIENT to reth in .env and docker-compose.yml (#1035)
mw2000 Apr 28, 2026
4e715e4
chore: upgrade base/base to 0.8.0 (#1042)
danyalprout May 9, 2026
a7f7dd0
feat: allow customizing v5 disc port (#1070)
meyer9 May 11, 2026
dc2ae0a
chore: remove dependency updater (#1089)
danyalprout May 20, 2026
bfff3f4
chore: prepare for only base client support in azul (#1090)
danyalprout May 20, 2026
7137b78
Update base reth node to v0.9.0 (#1093)
danyalprout May 21, 2026
6da7465
bump base to v0.9.1 (#1108)
haardikk21 May 27, 2026
cf36041
bump base/base to v1.0.0 stable (#1122)
haardikk21 Jun 3, 2026
a417467
chore(versions): update Base release to v1.0.1 (#1123)
refcell Jun 5, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
reth-data/
2 changes: 1 addition & 1 deletion .env
Original file line number Diff line number Diff line change
@@ -1 +1 @@
GETH_HOST_DATA_DIR=./geth-data
HOST_DATA_DIR=./reth-data
101 changes: 55 additions & 46 deletions .env.mainnet
Original file line number Diff line number Diff line change
@@ -1,46 +1,55 @@
OP_GETH_GENESIS_FILE_PATH=mainnet/genesis-l2.json
OP_GETH_SEQUENCER_HTTP=https://mainnet-sequencer.base.org

# [optional] used to enable geth stats:
# OP_GETH_ETH_STATS=nodename:secret@host:port

# [required] replace with your preferred L1 (Ethereum, not Base) node RPC URL:
OP_NODE_L1_ETH_RPC=https://1rpc.io/eth

# [required] replace with your preferred L1 CL beacon endpoint:
OP_NODE_L1_BEACON=https://your.mainnet.beacon.node/endpoint-here

# auth secret used by op-geth engine API:
OP_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a

OP_NODE_BETA_EXTRA_NETWORKS=true
OP_NODE_L2_ENGINE_AUTH=/tmp/engine-auth-jwt
OP_NODE_L2_ENGINE_RPC=ws://geth:8551
OP_NODE_LOG_LEVEL=info
OP_NODE_METRICS_ADDR=0.0.0.0
OP_NODE_METRICS_ENABLED=true
OP_NODE_METRICS_PORT=7300
OP_NODE_NETWORK=base-mainnet
OP_NODE_P2P_AGENT=base
OP_NODE_P2P_BOOTNODES=enr:-J24QNz9lbrKbN4iSmmjtnr7SjUMk4zB7f1krHZcTZx-JRKZd0kA2gjufUROD6T3sOWDVDnFJRvqBBo62zuF-hYCohOGAYiOoEyEgmlkgnY0gmlwhAPniryHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQKNVFlCxh_B-716tTs-h1vMzZkSs1FTu_OYTNjgufplG4N0Y3CCJAaDdWRwgiQG,enr:-J24QH-f1wt99sfpHy4c0QJM-NfmsIfmlLAMMcgZCUEgKG_BBYFc6FwYgaMJMQN5dsRBJApIok0jFn-9CS842lGpLmqGAYiOoDRAgmlkgnY0gmlwhLhIgb2Hb3BzdGFja4OFQgCJc2VjcDI1NmsxoQJ9FTIv8B9myn1MWaC_2lJ-sMoeCDkusCsk4BYHjjCq04N0Y3CCJAaDdWRwgiQG,enr:-J24QDXyyxvQYsd0yfsN0cRr1lZ1N11zGTplMNlW4xNEc7LkPXh0NAJ9iSOVdRO95GPYAIc6xmyoCCG6_0JxdL3a0zaGAYiOoAjFgmlkgnY0gmlwhAPckbGHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQJwoS7tzwxqXSyFL7g0JM-KWVbgvjfB8JA__T7yY_cYboN0Y3CCJAaDdWRwgiQG,enr:-J24QHmGyBwUZXIcsGYMaUqGGSl4CFdx9Tozu-vQCn5bHIQbR7On7dZbU61vYvfrJr30t0iahSqhc64J46MnUO2JvQaGAYiOoCKKgmlkgnY0gmlwhAPnCzSHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQINc4fSijfbNIiGhcgvwjsjxVFJHUstK9L1T8OTKUjgloN0Y3CCJAaDdWRwgiQG,enr:-J24QG3ypT4xSu0gjb5PABCmVxZqBjVw9ca7pvsI8jl4KATYAnxBmfkaIuEqy9sKvDHKuNCsy57WwK9wTt2aQgcaDDyGAYiOoGAXgmlkgnY0gmlwhDbGmZaHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQIeAK_--tcLEiu7HvoUlbV52MspE0uCocsx1f_rYvRenIN0Y3CCJAaDdWRwgiQG
OP_NODE_P2P_LISTEN_IP=0.0.0.0
OP_NODE_P2P_LISTEN_TCP_PORT=9222
OP_NODE_P2P_LISTEN_UDP_PORT=9222
OP_NODE_ROLLUP_CONFIG=mainnet/rollup.json
OP_NODE_RPC_ADDR=0.0.0.0
OP_NODE_RPC_PORT=8545
OP_NODE_SNAPSHOT_LOG=/tmp/op-node-snapshot-log
OP_NODE_VERIFIER_L1_CONFS=4
OP_NODE_ROLLUP_LOAD_PROTOCOL_VERSIONS=true

# OP_NODE_L1_TRUST_RPC allows for faster syncing, but should be used *only* if your L1 RPC node
# is fully trusted. It also allows op-node to work with clients such as Erigon that do not
# support storage proofs:
# OP_NODE_L1_TRUST_RPC=true

# SNAP SYNC
# NOTE: This feature is experimental and may lead to syncing issues, delays or difficulties as a result of inability to find peers. We recommend running a full or archive node for production purposes.
# To enable snap sync, uncomment and set the env vars below:
# OP_NODE_SYNCMODE=execution-layer
# OP_GETH_BOOTNODES=enode://87a32fd13bd596b2ffca97020e31aef4ddcc1bbd4b95bb633d16c1329f654f34049ed240a36b449fda5e5225d70fe40bc667f53c304b71f8e68fc9d448690b51@3.231.138.188:30301,enode://ca21ea8f176adb2e229ce2d700830c844af0ea941a1d8152a9513b966fe525e809c3a6c73a2c18a12b74ed6ec4380edf91662778fe0b79f6a591236e49e176f9@184.72.129.189:30301,enode://acf4507a211ba7c1e52cdf4eef62cdc3c32e7c9c47998954f7ba024026f9a6b2150cd3f0b734d9c78e507ab70d59ba61dfe5c45e1078c7ad0775fb251d7735a2@3.220.145.177:30301,enode://8a5a5006159bf079d06a04e5eceab2a1ce6e0f721875b2a9c96905336219dbe14203d38f70f3754686a6324f786c2f9852d8c0dd3adac2d080f4db35efc678c5@3.231.11.52:30301,enode://cdadbe835308ad3557f9a1de8db411da1a260a98f8421d62da90e71da66e55e98aaa8e90aa7ce01b408a54e4bd2253d701218081ded3dbe5efbbc7b41d7cef79@54.198.153.150:30301
# OP_GETH_SYNCMODE=snap
# BASE MAINNET NODE CONFIGURATION
# ==============================

# NETWORK CONFIGURATION
# ---------------------
RETH_CHAIN=base
BASE_NODE_NETWORK=base

# BASE SEQUENCER ENDPOINTS
# ------------------------
RETH_SEQUENCER_HTTP=https://mainnet-sequencer.base.org

# [REQUIRED] L1 CONFIGURATION
# ---------------------------
# Replace these values with your L1 (Ethereum) node endpoints
BASE_NODE_L1_ETH_RPC=<your-preferred-l1-rpc>
BASE_NODE_L1_BEACON=<your-preferred-l1-beacon>
BASE_NODE_L1_TRUST_RPC="false"

# ENGINE CONFIGURATION
# --------------------
BASE_NODE_L2_ENGINE_RPC=ws://execution:8551
BASE_NODE_L2_ENGINE_AUTH=/tmp/engine-auth-jwt
BASE_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not ship a fixed engine auth secret in the tracked mainnet config.

A checked-in JWT secret makes every deployment share the same engine credential unless operators remember to override it. This weakens the auth boundary for the engine API and is easy to avoid with a per-deployment secret.

Suggested fix
-BASE_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a
+BASE_NODE_L2_ENGINE_AUTH_RAW=<set-a-unique-32-byte-hex-secret-in-a-local-override>
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
BASE_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a
BASE_NODE_L2_ENGINE_AUTH_RAW=<set-a-unique-32-byte-hex-secret-in-a-local-override>
🧰 Tools
🪛 Betterleaks (1.1.2)

[high] 45-45: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 dotenv-linter (4.0.0)

[warning] 45-45: [UnorderedKey] The BASE_NODE_L2_ENGINE_AUTH_RAW key should go before the BASE_NODE_L2_ENGINE_RPC key

(UnorderedKey)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.env.mainnet at line 45, Remove the hard-coded JWT secret value for
BASE_NODE_L2_ENGINE_AUTH_RAW and replace it with a placeholder or instruction to
load a per-deployment secret (e.g., set
BASE_NODE_L2_ENGINE_AUTH_RAW=<REPLACE_WITH_SECRET>), and update any
documentation or startup scripts to obtain the real value from environment
injection or a secret manager so every deployment uses a unique engine auth
secret rather than the checked-in token.


# P2P CONFIGURATION
# -----------------
BASE_NODE_P2P_LISTEN_IP=0.0.0.0
BASE_NODE_P2P_ADVERTISE_TCP_PORT=9222
BASE_NODE_P2P_ADVERTISE_UDP_PORT=9222
BASE_NODE_P2P_BOOTNODES=enr:-J24QNz9lbrKbN4iSmmjtnr7SjUMk4zB7f1krHZcTZx-JRKZd0kA2gjufUROD6T3sOWDVDnFJRvqBBo62zuF-hYCohOGAYiOoEyEgmlkgnY0gmlwhAPniryHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQKNVFlCxh_B-716tTs-h1vMzZkSs1FTu_OYTNjgufplG4N0Y3CCJAaDdWRwgiQG,enr:-J24QH-f1wt99sfpHy4c0QJM-NfmsIfmlLAMMcgZCUEgKG_BBYFc6FwYgaMJMQN5dsRBJApIok0jFn-9CS842lGpLmqGAYiOoDRAgmlkgnY0gmlwhLhIgb2Hb3BzdGFja4OFQgCJc2VjcDI1NmsxoQJ9FTIv8B9myn1MWaC_2lJ-sMoeCDkusCsk4BYHjjCq04N0Y3CCJAaDdWRwgiQG,enr:-J24QDXyyxvQYsd0yfsN0cRr1lZ1N11zGTplMNlW4xNEc7LkPXh0NAJ9iSOVdRO95GPYAIc6xmyoCCG6_0JxdL3a0zaGAYiOoAjFgmlkgnY0gmlwhAPckbGHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQJwoS7tzwxqXSyFL7g0JM-KWVbgvjfB8JA__T7yY_cYboN0Y3CCJAaDdWRwgiQG,enr:-J24QHmGyBwUZXIcsGYMaUqGGSl4CFdx9Tozu-vQCn5bHIQbR7On7dZbU61vYvfrJr30t0iahSqhc64J46MnUO2JvQaGAYiOoCKKgmlkgnY0gmlwhAPnCzSHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQINc4fSijfbNIiGhcgvwjsjxVFJHUstK9L1T8OTKUjgloN0Y3CCJAaDdWRwgiQG,enr:-J24QG3ypT4xSu0gjb5PABCmVxZqBjVw9ca7pvsI8jl4KATYAnxBmfkaIuEqy9sKvDHKuNCsy57WwK9wTt2aQgcaDDyGAYiOoGAXgmlkgnY0gmlwhDbGmZaHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQIeAK_--tcLEiu7HvoUlbV52MspE0uCocsx1f_rYvRenIN0Y3CCJAaDdWRwgiQG

# LOGGING & MONITORING
# --------------------
BASE_NODE_LOG_VERBOSITY=3
BASE_NODE_LOG_FORMAT="json"
BASE_NODE_METRICS_ENABLED="true"
BASE_NODE_METRICS_ADDR=0.0.0.0
BASE_NODE_METRICS_PORT="7300"
STATSD_ADDRESS="172.17.0.1"

# OPTIONAL SETTINGS
# =================

# FOLLOW MODE (OPTIONAL - UNCOMMENT TO ENABLE)
# BASE_NODE_SOURCE_L2_RPC=<source-l2-rpc>

# FLASHBLOCKS (OPTIONAL - UNCOMMENT TO ENABLE)
# RETH_FB_WEBSOCKET_URL=wss://mainnet.flashblocks.base.org/ws

# PRUNING (OPTIONAL - UNCOMMENT TO ENABLE)
# NOTE: Set to any number of blocks you want, but it should be >10064
# NOTE: The node type that was chosen when first running a node cannot be changed after the initial sync. Turning Archive into Pruned, or Pruned into Full is not supported [source](https://reth.rs/run/faq/pruning/).
# NOTE: The pruned snapshots provided are set with a distance of 1_339_200 (~31 days).
# RETH_PRUNING_ARGS="--prune.senderrecovery.distance=50000 --prune.transactionlookup.distance=50000 --prune.receipts.distance=50000 --prune.accounthistory.distance=50000 --prune.storagehistory.distance=50000 --prune.bodies.distance=50000"
101 changes: 55 additions & 46 deletions .env.sepolia
Original file line number Diff line number Diff line change
@@ -1,46 +1,55 @@
OP_GETH_GENESIS_FILE_PATH=sepolia/genesis-l2.json
OP_GETH_SEQUENCER_HTTP=https://sepolia-sequencer.base.org

# [optional] used to enable geth stats:
# OP_GETH_ETH_STATS=nodename:secret@host:port

# [required] replace with your preferred L1 (Ethereum, not Base) node RPC URL:
OP_NODE_L1_ETH_RPC=https://rpc.sepolia.org

# [required] replace with your preferred L1 CL beacon endpoint:
OP_NODE_L1_BEACON=https://your.sepolia.beacon.node/endpoint-here

# auth secret used by op-geth engine API:
OP_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a

OP_NODE_BETA_EXTRA_NETWORKS=true
OP_NODE_L2_ENGINE_AUTH=/tmp/engine-auth-jwt
OP_NODE_L2_ENGINE_RPC=ws://geth:8551
OP_NODE_LOG_LEVEL=info
OP_NODE_METRICS_ADDR=0.0.0.0
OP_NODE_METRICS_ENABLED=true
OP_NODE_METRICS_PORT=7300
OP_NODE_NETWORK=base-sepolia
OP_NODE_P2P_AGENT=base
OP_NODE_P2P_BOOTNODES=enr:-J64QBwRIWAco7lv6jImSOjPU_W266lHXzpAS5YOh7WmgTyBZkgLgOwo_mxKJq3wz2XRbsoBItbv1dCyjIoNq67mFguGAYrTxM42gmlkgnY0gmlwhBLSsHKHb3BzdGFja4S0lAUAiXNlY3AyNTZrMaEDmoWSi8hcsRpQf2eJsNUx-sqv6fH4btmo2HsAzZFAKnKDdGNwgiQGg3VkcIIkBg,enr:-J64QFa3qMsONLGphfjEkeYyF6Jkil_jCuJmm7_a42ckZeUQGLVzrzstZNb1dgBp1GGx9bzImq5VxJLP-BaptZThGiWGAYrTytOvgmlkgnY0gmlwhGsV-zeHb3BzdGFja4S0lAUAiXNlY3AyNTZrMaEDahfSECTIS_cXyZ8IyNf4leANlZnrsMEWTkEYxf4GMCmDdGNwgiQGg3VkcIIkBg
OP_NODE_P2P_LISTEN_IP=0.0.0.0
OP_NODE_P2P_LISTEN_TCP_PORT=9222
OP_NODE_P2P_LISTEN_UDP_PORT=9222
OP_NODE_ROLLUP_CONFIG=sepolia/rollup.json
OP_NODE_RPC_ADDR=0.0.0.0
OP_NODE_RPC_PORT=8545
OP_NODE_SNAPSHOT_LOG=/tmp/op-node-snapshot-log
OP_NODE_VERIFIER_L1_CONFS=4
OP_NODE_ROLLUP_LOAD_PROTOCOL_VERSIONS=true

# OP_NODE_L1_TRUST_RPC allows for faster syncing, but should be used *only* if your L1 RPC node
# is fully trusted. It also allows op-node to work with clients such as Erigon that do not
# support storage proofs:
# OP_NODE_L1_TRUST_RPC=true

# SNAP SYNC
# NOTE: This feature is experimental and may lead to syncing issues, delays or difficulties as a result of inability to find peers. We recommend running a full or archive node for production purposes.
# To enable snap sync, set env vars below:
# OP_NODE_SYNCMODE=execution-layer
# OP_GETH_BOOTNODES=enode://548f715f3fc388a7c917ba644a2f16270f1ede48a5d88a4d14ea287cc916068363f3092e39936f1a3e7885198bef0e5af951f1d7b1041ce8ba4010917777e71f@18.210.176.114:30301,enode://6f10052847a966a725c9f4adf6716f9141155b99a0fb487fea3f51498f4c2a2cb8d534e680ee678f9447db85b93ff7c74562762c3714783a7233ac448603b25f@107.21.251.55:30301
# OP_GETH_SYNCMODE=snap
# BASE SEPOLIA TESTNET NODE CONFIGURATION
# ======================================

# NETWORK CONFIGURATION
# ---------------------
RETH_CHAIN=base-sepolia
BASE_NODE_NETWORK=base-sepolia

# BASE SEQUENCER ENDPOINTS
# ------------------------
RETH_SEQUENCER_HTTP=https://sepolia-sequencer.base.org

# [REQUIRED] L1 CONFIGURATION
# ---------------------------
# Replace these values with your L1 (Ethereum) node endpoints
BASE_NODE_L1_ETH_RPC=<your-preferred-l1-rpc>
BASE_NODE_L1_BEACON=<your-preferred-l1-beacon>
BASE_NODE_L1_TRUST_RPC="false"

# ENGINE CONFIGURATION
# --------------------
BASE_NODE_L2_ENGINE_RPC=http://execution:8551
BASE_NODE_L2_ENGINE_AUTH=/tmp/engine-auth-jwt
BASE_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a
Comment on lines +22 to +24

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not ship a shared engine JWT in source control.

This value becomes the auth secret for the engine API. Keeping one real token in a checked-in .env means every deployment shares the same credential, so any leak or exposed authrpc endpoint loses isolation across nodes.

Suggested fix
 BASE_NODE_L2_ENGINE_RPC=http://execution:8551
 BASE_NODE_L2_ENGINE_AUTH=/tmp/engine-auth-jwt
-BASE_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a
+# Generate a unique 32-byte hex value per deployment.
+BASE_NODE_L2_ENGINE_AUTH_RAW=<generate-unique-32-byte-hex>
🧰 Tools
🪛 Betterleaks (1.1.2)

[high] 45-45: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 dotenv-linter (4.0.0)

[warning] 44-44: [UnorderedKey] The BASE_NODE_L2_ENGINE_AUTH key should go before the BASE_NODE_L2_ENGINE_RPC key

(UnorderedKey)


[warning] 45-45: [UnorderedKey] The BASE_NODE_L2_ENGINE_AUTH_RAW key should go before the BASE_NODE_L2_ENGINE_RPC key

(UnorderedKey)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.env.sepolia around lines 43 - 45, Replace the checked-in engine JWT value
in BASE_NODE_L2_ENGINE_AUTH_RAW with a non-secret placeholder and stop
committing real tokens; remove the literal "688f5d..." value, document that
BASE_NODE_L2_ENGINE_AUTH_RAW must be injected at deploy-time via a secret
manager or CI/CD environment variable, and ensure the runtime reads the actual
auth token from the file referenced by BASE_NODE_L2_ENGINE_AUTH or from an env
var instead of this repo value so that the unique symbol
BASE_NODE_L2_ENGINE_AUTH_RAW is no longer a shared secret in source control.


# P2P CONFIGURATION
# -----------------
BASE_NODE_P2P_LISTEN_IP=0.0.0.0
BASE_NODE_P2P_ADVERTISE_TCP_PORT=9222
BASE_NODE_P2P_ADVERTISE_UDP_PORT=9222
BASE_NODE_P2P_BOOTNODES=enr:-J24QNz9lbrKbN4iSmmjtnr7SjUMk4zB7f1krHZcTZx-JRKZd0kA2gjufUROD6T3sOWDVDnFJRvqBBo62zuF-hYCohOGAYiOoEyEgmlkgnY0gmlwhAPniryHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQKNVFlCxh_B-716tTs-h1vMzZkSs1FTu_OYTNjgufplG4N0Y3CCJAaDdWRwgiQG,enr:-J24QH-f1wt99sfpHy4c0QJM-NfmsIfmlLAMMcgZCUEgKG_BBYFc6FwYgaMJMQN5dsRBJApIok0jFn-9CS842lGpLmqGAYiOoDRAgmlkgnY0gmlwhLhIgb2Hb3BzdGFja4OFQgCJc2VjcDI1NmsxoQJ9FTIv8B9myn1MWaC_2lJ-sMoeCDkusCsk4BYHjjCq04N0Y3CCJAaDdWRwgiQG,enr:-J24QDXyyxvQYsd0yfsN0cRr1lZ1N11zGTplMNlW4xNEc7LkPXh0NAJ9iSOVdRO95GPYAIc6xmyoCCG6_0JxdL3a0zaGAYiOoAjFgmlkgnY0gmlwhAPckbGHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQJwoS7tzwxqXSyFL7g0JM-KWVbgvjfB8JA__T7yY_cYboN0Y3CCJAaDdWRwgiQG,enr:-J24QHmGyBwUZXIcsGYMaUqGGSl4CFdx9Tozu-vQCn5bHIQbR7On7dZbU61vYvfrJr30t0iahSqhc64J46MnUO2JvQaGAYiOoCKKgmlkgnY0gmlwhAPnCzSHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQINc4fSijfbNIiGhcgvwjsjxVFJHUstK9L1T8OTKUjgloN0Y3CCJAaDdWRwgiQG,enr:-J24QG3ypT4xSu0gjb5PABCmVxZqBjVw9ca7pvsI8jl4KATYAnxBmfkaIuEqy9sKvDHKuNCsy57WwK9wTt2aQgcaDDyGAYiOoGAXgmlkgnY0gmlwhDbGmZaHb3BzdGFja4OFQgCJc2VjcDI1NmsxoQIeAK_--tcLEiu7HvoUlbV52MspE0uCocsx1f_rYvRenIN0Y3CCJAaDdWRwgiQG

# LOGGING & MONITORING
# --------------------
BASE_NODE_LOG_VERBOSITY=3
BASE_NODE_LOG_FORMAT="json"
BASE_NODE_METRICS_ENABLED="true"
BASE_NODE_METRICS_ADDR=0.0.0.0
BASE_NODE_METRICS_PORT="7300"
STATSD_ADDRESS="172.17.0.1"

# OPTIONAL SETTINGS
# =================

# FOLLOW MODE (OPTIONAL - UNCOMMENT TO ENABLE)
# BASE_NODE_SOURCE_L2_RPC=<source-l2-rpc>

# FLASHBLOCKS (OPTIONAL - UNCOMMENT TO ENABLE)
# RETH_FB_WEBSOCKET_URL=wss://sepolia.flashblocks.base.org/ws

# PRUNING (OPTIONAL - UNCOMMENT TO ENABLE)
# NOTE: Set to any number of blocks you want, but it should be >10064
# NOTE: The node type that was chosen when first running a node cannot be changed after the initial sync. Turning Archive into Pruned, or Pruned into Full is not supported [source](https://reth.rs/run/faq/pruning/).
# NOTE: The pruned snapshots provided are set with a distance of 1_339_200 (~31 days).
# RETH_PRUNING_ARGS="--prune.senderrecovery.distance=50000 --prune.transactionlookup.distance=50000 --prune.receipts.distance=50000 --prune.accounthistory.distance=50000 --prune.storagehistory.distance=50000 --prune.bodies.distance=50000"
120 changes: 106 additions & 14 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,42 +3,134 @@ name: Tag Docker image
on:
push:
branches:
- 'main'
- "main"
tags:
- 'v*'
- "v*"
workflow_dispatch: {}

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
NAMESPACE: ghcr.io/base
RETH_IMAGE_NAME: node-reth

permissions:
contents: read
packages: write

jobs:
build:
runs-on: ubuntu-latest
reth:
strategy:
matrix:
settings:
- arch: linux/amd64
runs-on: ubuntu-24.04
features: jemalloc,asm-keccak,optimism
- arch: linux/arm64
runs-on: ubuntu-24.04-arm
features: jemalloc,optimism
runs-on: ${{ matrix.settings.runs-on }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
Comment on lines 38 to +39

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/docker.yml

Repository: LiskHQ/lisk-node

Length of output: 5513


🌐 Web query:

actions/checkout v3.6.0 persist-credentials parameter GitHub Actions

💡 Result:

In the actions/checkout GitHub Action (including version 3.6.0), the persist-credentials parameter is a boolean input used to control whether the authentication token (or SSH key) used for the checkout is stored in the local Git configuration [1][2]. By default, persist-credentials is set to true [1][2]. When enabled, the action configures the authentication credentials in the repository's local Git settings, allowing subsequent steps in the workflow to perform authenticated Git commands (such as git push or git fetch) without needing to re-provide the token [1][2]. The action removes these credentials during the post-job cleanup phase [1][2]. Security Context and Best Practices: Because the default setting persists credentials, sensitive tokens can potentially be exposed if a workflow inadvertently archives or uploads the repository directory as an artifact, or if subsequent malicious steps in the same workflow access the local Git configuration [3][4]. To mitigate this risk, it is a recommended security practice to explicitly set persist-credentials to false if your workflow does not require further authenticated Git operations [4][5]. Note on Evolution: While the core behavior of this parameter has remained consistent across versions, recent updates to actions/checkout have improved how credentials are handled. Specifically, changes implemented after v3.6.0 (such as those in PR #2286) refactored the persistence mechanism to store credentials in a separate file within the runner's temporary directory (RUNNER_TEMP) using Git's includeIf mechanism, rather than writing them directly into the repository's.git/config file [6][7]. This design enhances security by isolating the credentials from the main Git configuration [6].

Citations:


🌐 Web query:

site:github.com/actions/checkout f43a0e5ff2bd294095638e18286ca9a3d1956744 persist-credentials

💡 Result:

The term persist-credentials refers to an input setting in the GitHub Actions checkout action (actions/checkout) [1]. When enabled (which is the default behavior), it configures Git to store the authentication token in the local Git configuration, allowing subsequent steps in the workflow to perform authenticated Git operations [1]. The token is automatically removed during post-job cleanup [1]. The specific SHA f43a0e5ff2bd294095638e18286ca9a3d1956744 corresponds to a commit associated with version 3.6.0 of the actions/checkout repository [2][3]. Key points regarding persist-credentials: - Security Context: Setting persist-credentials to true has been a subject of security discussions regarding potential risks of token exposure within workflows [4][5][6]. - Recent Improvements: Recent updates, such as those implemented in PR #2286, have enhanced security by moving credential storage from the main.git/config file to a separate, isolated configuration file in the runner's temporary directory, using Git's includeIf mechanism [7][8][1]. - Configuration: You can opt out of this behavior by explicitly setting persist-credentials: false in your workflow definition [1]. Top results: [7][8][1][2]

Citations:


Disable credential persistence in the checkout step.

actions/checkout@f43a0e5 persists the auth token in local git config by default and supports persist-credentials: false to opt out. This job never runs authenticated git commands after checkout, and the workspace is immediately used as the Docker build context, so keeping the token around is unnecessary exposure.

Suggested fix
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+       with:
+         persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 38-39: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker.yml around lines 38 - 39, The Checkout step using
actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 should opt out of
storing the auth token by adding persist-credentials: false to that step; update
the step named "Checkout" (the actions/checkout invocation) to include the
persist-credentials: false input so the job does not persist GitHub credentials
in the local git config.


- name: Log into the Container registry
uses: docker/login-action@v3
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata for the Docker image
id: meta
uses: docker/metadata-action@v4
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
images: |
${{ env.NAMESPACE }}/${{ env.RETH_IMAGE_NAME }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

- name: Build and push the Docker image
uses: docker/build-push-action@v4
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
file: Dockerfile
tags: ${{ env.NAMESPACE }}/${{ env.RETH_IMAGE_NAME }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
build-args: |
FEATURES=${{ matrix.settings.features }}
platforms: ${{ matrix.settings.arch }}
outputs: type=image,push-by-digest=true,name-canonical=true,push=true

- name: Export digest
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"

- name: Prepare
run: |
platform=${{ matrix.settings.arch }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV

- name: Upload digest
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: digests-reth-${{ env.PLATFORM_PAIR }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1

merge-reth:
runs-on: ubuntu-latest
needs:
- reth
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit

- name: Download digests
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: ${{ runner.temp }}/digests
pattern: digests-reth-*
merge-multiple: true

- name: Log into the Container registry
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

- name: Extract metadata for the Docker image
id: meta
uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
with:
images: |
${{ env.NAMESPACE }}/${{ env.RETH_IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=tag
type=sha,format=long

- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.NAMESPACE }}/${{ env.RETH_IMAGE_NAME }}@sha256:%s ' *)

- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.NAMESPACE }}/${{ env.RETH_IMAGE_NAME }}:${{ steps.meta.outputs.version }}
Loading