[NIT-3755] Serialization order of the chain config in the init message changes the genesis block hash #5799
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Check Submodule Pins | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| on: | |
| merge_group: | |
| # Using pull_request_target for security. If we had used pull_request, then it | |
| # would be possible for malicious actors to create Pull Requests which would | |
| # trigger workflows that they could have modified locally to extract secrets. | |
| # For this reason, the pins below must be updated and merged in a separate PR | |
| # before the PR that changes the actual submodule pins. | |
| pull_request_target: | |
| branches: [master, main] | |
| types: [synchronize, opened, reopened] | |
| permissions: | |
| statuses: write | |
| jobs: | |
| submodule-pin-check: | |
| name: Check Submodule Pin | |
| runs-on: ubuntu-4 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| submodules: recursive | |
| persist-credentials: false | |
| ref: "${{ github.event.pull_request.head.sha }}" | |
| - name: Check all submodules are ancestors of origin/HEAD or configured branch | |
| run: | | |
| status_state="pending" | |
| declare -Ar exceptions=( | |
| [contracts]=origin/develop | |
| [contracts-legacy]=origin/v2-main | |
| [nitro-testnode]=origin/master | |
| [bold]=origin/main | |
| [safe-smart-account]=origin/release/v1.5.0 | |
| [arbitrator/langs/c]=origin/vm-storage-cache | |
| [arbitrator/tools/wasmer]=origin/stylus | |
| [contracts-local/lib/openzeppelin-contracts]=origin/release-v4.7 | |
| ) | |
| divergent=0 | |
| # The commit SHA of the PR or the current commit if a merge_group event | |
| commit_sha="${{ github.event.pull_request.head.sha || github.sha }}" | |
| for mod in `git submodule --quiet foreach 'echo $name'`; do | |
| branch=origin/HEAD | |
| if [[ -v exceptions[$mod] ]]; then | |
| branch=${exceptions[$mod]} | |
| fi | |
| if ! git -C $mod merge-base --is-ancestor HEAD $branch; then | |
| echo $mod diverges from $branch | |
| divergent=1 | |
| fi | |
| done | |
| repo_url="${{ github.api_url }}/repos/$GITHUB_REPOSITORY" | |
| if [ $divergent -eq 0 ]; then | |
| status_state="success" | |
| else | |
| resp="$(curl -sSL --fail-with-body \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "${repo_url}/commits/$commit_sha/statuses")" | |
| if ! jq -e '.[] | select(.context == "Submodule Pin Check")' > /dev/null <<< "$resp"; then | |
| # Submodule pin check is failling and no status exists | |
| # Keep it without a status to keep the green checkmark appearing | |
| # Otherwise, the commit and PR's CI will appear to be indefinitely pending | |
| # Merging will still be blocked until the required status appears | |
| exit 0 | |
| fi | |
| fi | |
| curl -sSL --fail-with-body \ | |
| -X POST \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "${repo_url}/statuses/$commit_sha" \ | |
| -d '{"context":"Submodule Pin Check","state":"'"$status_state"'"}' |