Merge branch 'master' into simulate/fix-revert-err-code

Author: s1na

.gitea/workflows/release.yml

@@ -122,6 +122,27 @@ jobs:
         LINUX_SIGNING_KEY: ${{ secrets.LINUX_SIGNING_KEY }}
         AZURE_BLOBSTORE_TOKEN: ${{ secrets.AZURE_BLOBSTORE_TOKEN }}
 
+  keeper:
+    name: Keeper Build
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: 1.24
+        cache: false
+
+    - name: Install cross toolchain
+      run: |
+        apt-get update
+        apt-get -yq --no-install-suggests --no-install-recommends install gcc-multilib
+
+    - name: Build (amd64)
+      run: |
+        go run build/ci.go keeper -dlgo
+
   windows:
     name: Windows Build
     runs-on: "win-11"

.github/workflows/go.yml

@@ -34,6 +34,47 @@ jobs:
         go run build/ci.go check_generate
         go run build/ci.go check_baddeps
 
+  keeper:
+    name: Keeper Builds
+    needs: test
+    runs-on: [self-hosted-ghr, size-l-x64]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+          cache: false
+
+      - name: Build
+        run: go run build/ci.go keeper
+
+  test-32bit:
+    name: "32bit tests"
+    needs: test
+    runs-on: [self-hosted-ghr, size-l-x64]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: false
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+          cache: false
+
+      - name: Install cross toolchain
+        run: |
+          apt-get update
+          apt-get -yq --no-install-suggests --no-install-recommends install gcc-multilib
+
+      - name: Build
+        run: go run build/ci.go test -arch 386 -short -p 8
+
   test:
     name: Test
     needs: lint

.github/workflows/validate_pr.yml

@@ -8,16 +8,76 @@ jobs:
   validate-pr:
     runs-on: ubuntu-latest
     steps:
+      - name: Check for Spam PR
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const prTitle = context.payload.pull_request.title;
+            const spamRegex = /^(feat|chore|fix)(\(.*\))?\s*:/i;
+
+            if (spamRegex.test(prTitle)) {
+              // Leave a comment explaining why
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.pull_request.number,
+                body: `## PR Closed as Spam
+
+            This PR was automatically closed because the title format \`feat:\`, \`fix:\`, or \`chore:\` is commonly associated with spam contributions.
+
+            If this is a legitimate contribution, please:
+            1. Review our contribution guidelines
+            2. Use the correct PR title format: \`directory, ...: description\`
+            3. Open a new PR with the proper title format
+
+            Thank you for your understanding.`
+              });
+
+              // Close the PR
+              await github.rest.pulls.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.payload.pull_request.number,
+                state: 'closed'
+              });
+
+              core.setFailed('PR closed as spam due to suspicious title format');
+              return;
+            }
+
+            console.log('✅ PR passed spam check');
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: Check PR Title Format
         uses: actions/github-script@v7
         with:
           script: |
+            const fs = require('fs');
+            const path = require('path');
             const prTitle = context.payload.pull_request.title;
             const titleRegex = /^([\w\s,{}/.]+): .+/;
             
             if (!titleRegex.test(prTitle)) {
               core.setFailed(`PR title "${prTitle}" does not match required format: directory, ...: description`);
               return;
             }
+
+            const match = prTitle.match(titleRegex);
+            const dirPart = match[1];
+            const directories = dirPart.split(',').map(d => d.trim());
+            const missingDirs = [];
+            for (const dir of directories) {
+              const fullPath = path.join(process.env.GITHUB_WORKSPACE, dir);
+              if (!fs.existsSync(fullPath)) {
+                missingDirs.push(dir);
+              }
+            }
+            
+            if (missingDirs.length > 0) {
+              core.setFailed(`The following directories in the PR title do not exist: ${missingDirs.join(', ')}`);
+              return;
+            }
             
             console.log('✅ PR title format is valid');

.gitignore

@@ -55,4 +55,5 @@ cmd/ethkey/ethkey
 cmd/evm/evm
 cmd/geth/geth
 cmd/rlpdump/rlpdump
-cmd/workload/workload
+cmd/workload/workload
+cmd/keeper/keeper

SECURITY.md

@@ -21,7 +21,6 @@ Audit reports are published in the `docs` folder: https://github.com/ethereum/go
 
 To find out how to disclose a vulnerability in Ethereum visit [https://bounty.ethereum.org](https://bounty.ethereum.org) or email bounty@ethereum.org. Please read the [disclosure page](https://github.com/ethereum/go-ethereum/security/advisories?state=published) for more information about publicly disclosed security vulnerabilities.
 
-Use the built-in `geth version-check` feature to check whether the software is affected by any known vulnerability. This command will fetch the latest [`vulnerabilities.json`](https://geth.ethereum.org/docs/vulnerabilities/vulnerabilities.json) file which contains known security vulnerabilities concerning `geth`, and cross-check the data against its own version number.
 
 The following key may be used to communicate sensitive information to developers.
 

accounts/abi/bind/v2/dep_tree_test.go

@@ -158,10 +158,10 @@ func testLinkCase(tcInput linkTestCaseInput) error {
 		overrideAddrs  = make(map[rune]common.Address)
 	)
 	// generate deterministic addresses for the override set.
-	rand.Seed(42)
+	rng := rand.New(rand.NewSource(42))
 	for contract := range tcInput.overrides {
 		var addr common.Address
-		rand.Read(addr[:])
+		rng.Read(addr[:])
 		overrideAddrs[contract] = addr
 		overridesAddrs[addr] = struct{}{}
 	}

accounts/abi/bind/v2/util_test.go

@@ -144,10 +144,9 @@ func TestWaitDeployedCornerCases(t *testing.T) {
 	done := make(chan struct{})
 	go func() {
 		defer close(done)
-		want := errors.New("context canceled")
 		_, err := bind.WaitDeployed(ctx, backend.Client(), tx.Hash())
-		if err == nil || errors.Is(want, err) {
-			t.Errorf("error mismatch: want %v, got %v", want, err)
+		if !errors.Is(err, context.Canceled) {
+			t.Errorf("error mismatch: want %v, got %v", context.Canceled, err)
 		}
 	}()
 

accounts/accounts.go

@@ -24,8 +24,8 @@ import (
 	"github.com/ethereum/go-ethereum"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/core/types"
+	"github.com/ethereum/go-ethereum/crypto/keccak"
 	"github.com/ethereum/go-ethereum/event"
-	"golang.org/x/crypto/sha3"
 )
 
 // Account represents an Ethereum account located at a specific location defined
@@ -196,7 +196,7 @@ func TextHash(data []byte) []byte {
 // This gives context to the signed message and prevents signing of transactions.
 func TextAndHash(data []byte) ([]byte, string) {
 	msg := fmt.Sprintf("\x19Ethereum Signed Message:\n%d%s", len(data), data)
-	hasher := sha3.NewLegacyKeccak256()
+	hasher := keccak.NewLegacyKeccak256()
 	hasher.Write([]byte(msg))
 	return hasher.Sum(nil), msg
 }

accounts/keystore/keystore.go

@@ -418,6 +418,7 @@ func (ks *KeyStore) Export(a accounts.Account, passphrase, newPassphrase string)
 	if err != nil {
 		return nil, err
 	}
+	defer zeroKey(key.PrivateKey)
 	var N, P int
 	if store, ok := ks.storage.(*keyStorePassphrase); ok {
 		N, P = store.scryptN, store.scryptP
@@ -477,6 +478,7 @@ func (ks *KeyStore) Update(a accounts.Account, passphrase, newPassphrase string)
 	if err != nil {
 		return err
 	}
+	defer zeroKey(key.PrivateKey)
 	return ks.storage.StoreKey(a.URL.Path, key, newPassphrase)
 }
 

accounts/keystore/presale.go

@@ -81,6 +81,9 @@ func decryptPreSaleKey(fileContent []byte, password string) (key *Key, err error
 	*/
 	passBytes := []byte(password)
 	derivedKey := pbkdf2.Key(passBytes, passBytes, 2000, 16, sha256.New)
+	if len(cipherText)%aes.BlockSize != 0 {
+		return nil, errors.New("ciphertext must be a multiple of block size")
+	}
 	plainText, err := aesCBCDecrypt(derivedKey, cipherText, iv)
 	if err != nil {
 		return nil, err