Merge branch 'main' into eng-1236-implement-generic-erc-4626-shield-adapter

Author: ajag408

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Workflow/CI files specifically
+.github/ @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco

.github/dependabot.yml

@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+      - "ci"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/ci.yml

@@ -19,15 +19,15 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: ${{ matrix.node-version }}
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
         with:
           version: 10.12.2
 
@@ -37,7 +37,7 @@ jobs:
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
 
       - name: Setup pnpm cache
-        uses: actions/cache@v3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
         with:
           path: ${{ env.STORE_PATH }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -58,7 +58,7 @@ jobs:
 
       - name: Upload coverage to Codecov
         if: matrix.node-version == '20.17.0'
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 
         with:
           file: ./coverage/lcov.info
           flags: unittests
@@ -71,24 +71,23 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: 20.17.0
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
         with:
           version: 10.12.2
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
       - name: Run pnpm audit
-        run: pnpm audit --audit-level=moderate
-        continue-on-error: true
+        run: pnpm audit --audit-level=critical
 
       - name: Check for dependency updates
         run: pnpm outdated

.github/workflows/release.yml

@@ -11,10 +11,50 @@ permissions:
 
 jobs:
   # ==========================================
-  # Job 1: Publish to NPM
+  # Job 1: Security Audit (gates all other jobs)
+  # ==========================================
+  security-audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          fetch-depth: 0
+
+      - name: Verify tag is on main
+        run: |
+          git fetch origin main
+          if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
+            echo "::error::Tagged commit is not on main branch — aborting release"
+            exit 1
+          fi
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: "22"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
+        with:
+          version: 10.12.2
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Security audit
+        run: pnpm audit --audit-level=critical
+
+  # ==========================================
+  # Job 2: Publish to NPM
   # ==========================================
   publish:
     name: Publish to NPM
+    needs: security-audit
     runs-on: ubuntu-latest
     environment: production
     permissions:
@@ -23,18 +63,26 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
-          ref: main
+          fetch-depth: 0
+
+      - name: Verify tag is on main
+        run: |
+          git fetch origin main
+          if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
+            echo "::error::Tagged commit is not on main branch — aborting publish"
+            exit 1
+          fi
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: "22"
           registry-url: "https://registry.npmjs.org"
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
         with:
           version: 10.12.2
 
@@ -55,16 +103,16 @@ jobs:
         run: pnpm publish --access public --no-git-checks
 
   # ==========================================
-  # Job 2: Build binaries for all platforms
+  # Job 3: Build binaries for all platforms
   # ==========================================
   build-binaries:
     name: Build Binary (${{ matrix.platform }}-${{ matrix.arch }})
+    needs: security-audit
     runs-on: ${{ matrix.os }}
-    # SECURITY: Only grant write permission where needed
     permissions:
       contents: read
-      attestations: write # SECURITY: For artifact attestation
-      id-token: write # SECURITY: For OIDC signing
+      attestations: write
+      id-token: write
 
     strategy:
       matrix:
@@ -85,23 +133,33 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          fetch-depth: 0
+
+      - name: Verify tag is on main
+        run: |
+          git fetch origin main
+          if ! git merge-base --is-ancestor "${{ github.sha }}" origin/main; then
+            echo "::error::Tagged commit is not on main branch — aborting build"
+            exit 1
+          fi
 
       - name: Setup Node.js
         if: ${{ !matrix.node_arch }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: "22"
 
       - name: Setup Node.js (x64 via Rosetta)
         if: ${{ matrix.node_arch }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: "22"
           architecture: ${{ matrix.node_arch }}
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061
         with:
           version: 10.12.2
 
@@ -111,7 +169,7 @@ jobs:
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
 
       - name: Setup pnpm cache
-        uses: actions/cache@v3
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
         with:
           path: ${{ env.STORE_PATH }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -121,11 +179,6 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      # SECURITY: Run audit before building
-      - name: Security audit
-        run: pnpm audit --audit-level=high
-        continue-on-error: true
-
       - name: Build TypeScript
         run: pnpm build
 
@@ -143,7 +196,6 @@ jobs:
         shell: bash
         run: mv shield.exe shield-windows-${{ matrix.arch }}.exe
 
-      # SECURITY: Generate SHA256 checksum for integrity verification
       - name: Generate checksum (Unix)
         if: matrix.platform != 'win32'
         run: |
@@ -158,22 +210,21 @@ jobs:
           "$($hash.Hash.ToLower())  shield-windows-${{ matrix.arch }}.exe" | Out-File -Encoding utf8 shield-windows-${{ matrix.arch }}.exe.sha256
           Get-Content shield-windows-${{ matrix.arch }}.exe.sha256
 
-      # SECURITY: Generate artifact attestation (proves binary was built by this workflow)
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be
         with:
           subject-path: "shield-*"
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           name: binary-${{ matrix.platform }}-${{ matrix.arch }}
           path: |
             shield-${{ matrix.platform == 'win32' && 'windows' || matrix.platform }}-${{ matrix.arch }}${{ matrix.platform == 'win32' && '.exe' || '' }}
             shield-${{ matrix.platform == 'win32' && 'windows' || matrix.platform }}-${{ matrix.arch }}${{ matrix.platform == 'win32' && '.exe' || '' }}.sha256
 
   # ==========================================
-  # Job 3: Create GitHub Release with all binaries
+  # Job 4: Create GitHub Release with all binaries
   # ==========================================
   create-release:
     name: Create GitHub Release
@@ -184,7 +235,7 @@ jobs:
 
     steps:
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
         with:
           pattern: binary-*
           merge-multiple: true
@@ -193,7 +244,7 @@ jobs:
         run: ls -la shield-*
 
       - name: Create Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
         with:
           files: shield-*
         env: