From 3f810f5e339f1ae686ced55b58b365afcec17ebb Mon Sep 17 00:00:00 2001
From: Matt Grote
Date: Mon, 11 May 2026 14:15:31 -0300
Subject: [PATCH 1/2] ci: remove third-party actions from workflows

Drops two third-party actions from .github/workflows/:
- borales/actions-yarn (in all five workflow files): replaced with corepack + yarn install --frozen-lockfile, using setup-node's built-in yarn cache.
- BerniWittmann/background-server-action (in integration-tests-V2.yml and integration-tests-V3.yml): replaced with explicit background shell steps. Each one launches the Hardhat node (`npm run node` / `npx hardhat node`) in the background, polls localhost:8545 over JSON-RPC until ready (matching the action's wait-on behaviour), runs the deploy + test steps, then kills the recorded PID in an `if: always()` cleanup step so the node never leaks past the job.

Reduces CI supply-chain surface: every workflow either runs with the npm OIDC token in scope (publish) or checks out the private Railgun-Privacy/contract repo (integration tests), so removing each third-party action removes a path a compromised action could use to exfiltrate those credentials.
---
 .github/workflows/integration-tests-V2.yml | 54 +++++++++++++++-------
 .github/workflows/integration-tests-V3.yml | 54 +++++++++++++++-------
 .github/workflows/publish-npmjs.yml | 7 ++-
 .github/workflows/unit-tests-V2.yml | 6 +--
 .github/workflows/unit-tests-V3.yml | 6 +--
 5 files changed, 83 insertions(+), 44 deletions(-)

diff --git a/.github/workflows/integration-tests-V2.yml b/.github/workflows/integration-tests-V2.yml
index 29c03112..32bdb1f3 100644
--- a/.github/workflows/integration-tests-V2.yml
+++ b/.github/workflows/integration-tests-V2.yml
@@ -14,6 +14,7 @@ jobs:
 - uses: actions/setup-node@v3
 with:
 node-version: '22'
+ cache: 'yarn'
 - name: Checkout engine repo
 uses: actions/checkout@v3
 with:
@@ -23,22 +24,43 @@ jobs:
 with:
 repository: Railgun-Privacy/contract
 path: contract
+ - name: Enable Corepack
+ run: corepack enable
 - name: Yarn in engine
- uses: borales/actions-yarn@v4
- with:
- cmd: install
- dir: 'engine'
+ working-directory: ./engine
+ run: yarn install --frozen-lockfile
 - name: Yarn in contract
- uses: borales/actions-yarn@v4
- with:
- cmd: install
- dir: 'contract'
+ working-directory: ./contract
+ run: yarn install --frozen-lockfile
 - name: Build contract
- run: cd contract && npm run compile
- - name: Run contract hardhat and engine tests
- uses: BerniWittmann/background-server-action@v1
- with:
- command: cd contract && npm run deploy && cd ../engine && yarn test-hardhat-V2
- start: cd contract && npm run node >/dev/null
- wait-on: 'http://localhost:8545'
- wait-on-timeout: 120
\ No newline at end of file
+ working-directory: ./contract
+ run: npm run compile
+ - name: Start Hardhat node (background)
+ working-directory: ./contract
+ run: |
+ npm run node > "$GITHUB_WORKSPACE/hardhat.log" 2>&1 &
+ echo $! > "$GITHUB_WORKSPACE/hardhat.pid"
+ for i in {1..120}; do
+ if curl -s -o /dev/null -X POST -H "Content-Type: application/json" \
+ --data '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' \
+ http://localhost:8545; then
+ echo "Hardhat node ready"
+ exit 0
+ fi
+ sleep 1
+ done
+ echo "Hardhat node did not become ready in 120s"
+ cat "$GITHUB_WORKSPACE/hardhat.log"
+ exit 1
+ - name: Deploy contracts
+ working-directory: ./contract
+ run: npm run deploy
+ - name: Run engine tests
+ working-directory: ./engine
+ run: yarn test-hardhat-V2
+ - name: Stop Hardhat node
+ if: always()
+ run: |
+ if [ -f "$GITHUB_WORKSPACE/hardhat.pid" ]; then
+ kill "$(cat "$GITHUB_WORKSPACE/hardhat.pid")" 2>/dev/null || true
+ fi
diff --git a/.github/workflows/integration-tests-V3.yml b/.github/workflows/integration-tests-V3.yml
index aff8c905..5b06faf8 100644
--- a/.github/workflows/integration-tests-V3.yml
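Review bot: The PID that 'Start Hardhat node (background)' writes to hardhat.pid is the `npm run node` wrapper's, not the Hardhat node's, so the `kill` in 'Stop Hardhat node' stops the node only if npm forwards SIGTERM to its child; adding `pkill -TERM -P "$(cat "$GITHUB_WORKSPACE/hardhat.pid")" 2>/dev/null || true` before the `kill` terminates the child regardless of wrapper behaviour. The readiness loop counts iterations rather than seconds and the curl call has no timeout, so one stalled connection can push the wait well past the "120s" the failure message claims — `--max-time 5` on the curl line keeps that message honest. A node that exits early is only reported after the whole loop has run; a `kill -0 "$(cat "$GITHUB_WORKSPACE/hardhat.pid")" 2>/dev/null || { cat "$GITHUB_WORKSPACE/hardhat.log"; exit 1; }` at the top of the loop body surfaces it on the first iteration. The same three points apply to the matching 'Start Hardhat node (background)' and 'Stop Hardhat node' steps in integration-tests-V3.yml, where the wrapper is `npx hardhat node`.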
+++ b/.github/workflows/integration-tests-V3.yml
@@ -15,6 +15,7 @@ jobs:
 - uses: actions/setup-node@v3
 with:
 node-version: '22'
+ cache: 'yarn'
 - name: Checkout engine repo
 uses: actions/checkout@v3
 with:
@@ -24,22 +25,43 @@ jobs:
 with:
 repository: Railgun-Privacy/contract
 path: contract
+ - name: Enable Corepack
+ run: corepack enable
 - name: Yarn in engine
- uses: borales/actions-yarn@v4
- with:
- cmd: install
- dir: 'engine'
+ working-directory: ./engine
+ run: yarn install --frozen-lockfile
 - name: Yarn in contract
- uses: borales/actions-yarn@v4
- with:
- cmd: install
- dir: 'contract'
+ working-directory: ./contract
+ run: yarn install --frozen-lockfile
 - name: Build contract
- run: cd contract && ./node_modules/.bin/hardhat compile
- - name: Run contract hardhat and engine tests
- uses: BerniWittmann/background-server-action@v1
- with:
- command: cd engine && yarn test-hardhat
- start: cd contract && npx hardhat node >/dev/null, cd contract && sleep 5 && npx hardhat deploy:test --network localhost >/dev/null
- wait-on: 'http://localhost:8545'
- wait-on-timeout: 120
+ working-directory: ./contract
+ run: ./node_modules/.bin/hardhat compile
+ - name: Start Hardhat node (background)
+ working-directory: ./contract
+ run: |
+ npx hardhat node > "$GITHUB_WORKSPACE/hardhat.log" 2>&1 &
+ echo $! > "$GITHUB_WORKSPACE/hardhat.pid"
+ for i in {1..120}; do
+ if curl -s -o /dev/null -X POST -H "Content-Type: application/json" \
+ --data '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' \
+ http://localhost:8545; then
+ echo "Hardhat node ready"
+ exit 0
+ fi
+ sleep 1
+ done
+ echo "Hardhat node did not become ready in 120s"
+ cat "$GITHUB_WORKSPACE/hardhat.log"
+ exit 1
+ - name: Deploy test contracts
+ working-directory: ./contract
+ run: npx hardhat deploy:test --network localhost
+ - name: Run engine tests
+ working-directory: ./engine
+ run: yarn test-hardhat
+ - name: Stop Hardhat node
+ if: always()
+ run: |
+ if [ -f "$GITHUB_WORKSPACE/hardhat.pid" ]; then
+ kill "$(cat "$GITHUB_WORKSPACE/hardhat.pid")" 2>/dev/null || true
+ fi
diff --git a/.github/workflows/publish-npmjs.yml b/.github/workflows/publish-npmjs.yml
index 038679c6..25712b8a 100644
--- a/.github/workflows/publish-npmjs.yml
+++ b/.github/workflows/publish-npmjs.yml
@@ -20,8 +20,7 @@ jobs:
 with:
 node-version: '24'
 registry-url: 'https://registry.npmjs.org'
- - name: Install yarn
- uses: borales/actions-yarn@v4
- with:
- cmd: install
+ cache: 'yarn'
+ - run: corepack enable
+ - run: yarn install --frozen-lockfile
 - run: npm publish
diff --git a/.github/workflows/unit-tests-V2.yml b/.github/workflows/unit-tests-V2.yml
index 6c45bd86..c9932bf3 100644
--- a/.github/workflows/unit-tests-V2.yml
+++ b/.github/workflows/unit-tests-V2.yml
@@ -16,10 +16,8 @@ jobs:
 with:
 node-version: '18'
 cache: 'yarn'
- - name: Install yarn
- uses: borales/actions-yarn@v4
- with:
- cmd: install
+ - run: corepack enable
+ - run: yarn install --frozen-lockfile
 - name: Yarn test
 shell: bash
 run: yarn test-V2
diff --git a/.github/workflows/unit-tests-V3.yml b/.github/workflows/unit-tests-V3.yml
index f44b69ca..b7dbbd8b 100644
--- a/.github/workflows/unit-tests-V3.yml
+++ b/.github/workflows/unit-tests-V3.yml
@@ -16,10 +16,8 @@ jobs:
 with:
 node-version: '18'
 cache: 'yarn'
- - name: Install yarn
- uses: borales/actions-yarn@v4
- with:
- cmd: install
+ - run: corepack enable
+ - run: yarn install --frozen-lockfile
 - name: Yarn test
 shell: bash
 run: yarn test

From b97df7ee71690afe5a7a007658e917bd198fe55a Mon Sep 17 00:00:00 2001
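Review bot: The new `- run: corepack enable` / `- run: yarn install --frozen-lockfile` pair in publish-npmjs.yml does not pin which yarn binary runs: unless package.json carries a `packageManager` field, Corepack's default behaviour is to resolve the yarn version from the registry at run time, so the job that holds the npm publish credential has swapped a third-party action for an unpinned runtime download of its install tool. A `packageManager` entry with the integrity suffix, e.g. `"packageManager": "yarn@<version>+sha224.<hash>"` (constructed; fill from the real release), makes Corepack verify the download against the recorded hash. `--frozen-lockfile` is a Yarn Classic flag; if the pinned yarn turns out to be 2+ it is accepted but ignored, and `yarn install --immutable` is the lockfile-integrity check that actually fails the job on drift. The same two lines appear in the unit-tests-V2.yml and unit-tests-V3.yml hunks below. For the commit's stated supply-chain goal, the remaining `actions/setup-node@v3` and `actions/checkout@v3` references (context lines here) would be stronger pinned to a full commit SHA than to a mutable major tag.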
From: Matt Grote
Date: Mon, 11 May 2026 14:29:13 -0300
Subject: [PATCH 2/2] ci: drop setup-node cache:yarn from integration tests

The engine and contract repos are checked out into ./engine/ and ./contract/ subdirectories, so there is no yarn.lock at the workspace root. setup-node's `cache: 'yarn'` fails with "Dependencies lock file is not found" before any install step runs. Removing the cache directive unblocks the workflow. If caching is wanted later, the right approach is `cache-dependency-path` set to each subdir's lockfile - but for integration tests that's arguably not worth the extra complexity.
---
 .github/workflows/integration-tests-V2.yml | 1 -
 .github/workflows/integration-tests-V3.yml | 1 -
 2 files changed, 2 deletions(-)

diff --git a/.github/workflows/integration-tests-V2.yml b/.github/workflows/integration-tests-V2.yml
index 32bdb1f3..0c092b8e 100644
--- a/.github/workflows/integration-tests-V2.yml
+++ b/.github/workflows/integration-tests-V2.yml
@@ -14,7 +14,6 @@ jobs:
 - uses: actions/setup-node@v3
 with:
 node-version: '22'
- cache: 'yarn'
 - name: Checkout engine repo
 uses: actions/checkout@v3
 with:
diff --git a/.github/workflows/integration-tests-V3.yml b/.github/workflows/integration-tests-V3.yml
index 5b06faf8..08c15691 100644
--- a/.github/workflows/integration-tests-V3.yml
+++ b/.github/workflows/integration-tests-V3.yml
@@ -15,7 +15,6 @@ jobs:
 - uses: actions/setup-node@v3
 with:
 node-version: '22'
- cache: 'yarn'
 - name: Checkout engine repo
 uses: actions/checkout@v3
 with: