From c44e7a7e744d23ab8c49a39d1242ac86efbeebbe Mon Sep 17 00:00:00 2001 From: cawthorne Date: Thu, 2 Apr 2026 13:46:50 +0100 Subject: [PATCH 1/8] chore: move aptos smoke workflow back to develop --- .github/actions/get-core-ref/get_core_ref.sh | 6 +++--- .github/actions/get-core-ref/test_get_core_ref.sh | 15 +++++++++++++-- .github/workflows/aptos-run-smoke-tests.yml | 11 +++-------- README.md | 4 ++-- integration-tests/templates/core.toml | 3 +++ 5 files changed, 24 insertions(+), 15 deletions(-) diff --git a/.github/actions/get-core-ref/get_core_ref.sh b/.github/actions/get-core-ref/get_core_ref.sh index fb763fbf9..2f412381c 100755 --- a/.github/actions/get-core-ref/get_core_ref.sh +++ b/.github/actions/get-core-ref/get_core_ref.sh @@ -1,9 +1,9 @@ #!/bin/bash -core_ref="develop-plugins" +core_ref="${DEFAULT_CORE_REF:-develop-plugins}" -# Extract and trim the value after core_ref:, handle multiple spaces -if [[ $PR_BODY =~ core_ref:[[:space:]]*([^;[:space:]]+)[[:space:]]*$ ]]; then +# Extract the value after core_ref:, allowing the documented semicolon terminator. +if [[ $PR_BODY =~ core_ref:[[:space:]]*([^;[:space:]]+) ]]; then potential_ref="${BASH_REMATCH[1]}" # Only allow alphanumeric, dash, underscore, forward slash diff --git a/.github/actions/get-core-ref/test_get_core_ref.sh b/.github/actions/get-core-ref/test_get_core_ref.sh index a2ef517f3..e419e0e26 100755 --- a/.github/actions/get-core-ref/test_get_core_ref.sh +++ b/.github/actions/get-core-ref/test_get_core_ref.sh @@ -16,12 +16,14 @@ run_test() { local test_name="$1" local pr_body="$2" local expected="$3" + local default_ref="${4:-develop-plugins}" echo "Test: $test_name" echo "Input: $pr_body" setup_test_env export PR_BODY="$pr_body" + export DEFAULT_CORE_REF="$default_ref" ./get_core_ref.sh @@ -42,6 +44,10 @@ run_test "Simple valid ref" \ "core_ref: develop" \ "develop" +run_test "Documented semicolon syntax" \ + "core_ref: feature/aptos-core-branch;" \ + "feature/aptos-core-branch" + run_test "Complex valid ref" \ "core_ref: feature/abc-123_test" \ "feature/abc-123_test" @@ -66,11 +72,11 @@ run_test "Command injection via backticks" \ run_test "Command injection via semicolon" \ "core_ref: valid-ref; touch HACKED2" \ - "develop-plugins" + "valid-ref" run_test "Command injection via pipeline" \ "core_ref: valid-ref | touch HACKED3" \ - "develop-plugins" + "valid-ref" run_test "Command injection via subshell" \ "core_ref: \$(touch HACKED4)" \ @@ -97,6 +103,11 @@ run_test "Extra whitespace" \ " core_ref: spaces-everywhere " \ "spaces-everywhere" +run_test "Workflow-specific default override" \ + "some other text" \ + "develop" \ + "develop" + # Final security check if ls HACKED* 1>/dev/null 2>&1; then echo "❌ CRITICAL: Command injection was successful!" diff --git a/.github/workflows/aptos-run-smoke-tests.yml b/.github/workflows/aptos-run-smoke-tests.yml index 77f7534e4..b6d8da72b 100644 --- a/.github/workflows/aptos-run-smoke-tests.yml +++ b/.github/workflows/aptos-run-smoke-tests.yml @@ -20,7 +20,7 @@ jobs: contents: read env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - DEFAULT_CORE_REF: aptos-init + DEFAULT_CORE_REF: develop runs-on: ubuntu-latest steps: - name: Checkout code @@ -28,18 +28,13 @@ jobs: - name: Get core ref from PR body if: github.event_name == 'pull_request' - run: | - comment=$(echo "${{ github.event.pull_request.body }}") - core_ref=$(echo $comment | grep -oP 'core ref: \K\S+' || true) - if [ ! -z "$core_ref" ]; then - echo "CUSTOM_CORE_REF=${core_ref}" >> "${GITHUB_ENV}" - fi + uses: ./.github/actions/get-core-ref - name: Checkout chainlink repo uses: actions/checkout@v4 with: repository: smartcontractkit/chainlink - ref: ${{ env.CUSTOM_CORE_REF || env.DEFAULT_CORE_REF }} + ref: ${{ env.core_ref || env.DEFAULT_CORE_REF }} path: temp/chainlink - name: Build chainlink image diff --git a/README.md b/README.md index 31c27ebda..deab6b29a 100644 --- a/README.md +++ b/README.md @@ -21,5 +21,5 @@ Local development and tests how to 3. `go test` ### Custom images on PRs -If you want to test the CI with a custom core image you need to specify in the PR body either the commit sha or branch name in the following format `core_ref:;` e.g `core_ref:develop;`. -_Note:_ Develop does not work until the core aptos-init branch is merged +If you want to test the CI with a custom core image you need to specify in the PR body either the commit sha or branch name in the following format `core_ref:;`, for example `core_ref:develop;`. +If you do not provide an override, the smoke workflow uses `develop` by default. diff --git a/integration-tests/templates/core.toml b/integration-tests/templates/core.toml index ea7890124..91c5a2b3a 100644 --- a/integration-tests/templates/core.toml +++ b/integration-tests/templates/core.toml @@ -6,6 +6,9 @@ FeedsManager = true LogPoller = true UICSAKeys = true +[Capabilities.Local] +[Capabilities.Local.Capabilities."mock-streams-trigger@1.0.0"] + [OCR2] Enabled = true From 1a8c132c7cc4847ffdbdb0ca30b4ec0ccde93b63 Mon Sep 17 00:00:00 2001 From: cawthorne Date: Thu, 2 Apr 2026 15:08:28 +0100 Subject: [PATCH 2/8] fix: point aptos smoke at paired core branch --- .github/workflows/aptos-run-smoke-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aptos-run-smoke-tests.yml b/.github/workflows/aptos-run-smoke-tests.yml index b6d8da72b..8142bdbb4 100644 --- a/.github/workflows/aptos-run-smoke-tests.yml +++ b/.github/workflows/aptos-run-smoke-tests.yml @@ -20,7 +20,7 @@ jobs: contents: read env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - DEFAULT_CORE_REF: develop + DEFAULT_CORE_REF: feature/aptos-develop-mock-trigger runs-on: ubuntu-latest steps: - name: Checkout code From 106c06aa586e29984b7be166ad8f79303cf2a26b Mon Sep 17 00:00:00 2001 From: cawthorne Date: Thu, 2 Apr 2026 16:26:38 +0100 Subject: [PATCH 3/8] fix: preserve mock trigger config in smoke harness --- integration-tests/deploy/config.go | 28 ++++++++++---- integration-tests/deploy/config_test.go | 50 +++++++++++++++++++++++++ 2 files changed, 71 insertions(+), 7 deletions(-) create mode 100644 integration-tests/deploy/config_test.go diff --git a/integration-tests/deploy/config.go b/integration-tests/deploy/config.go index 6165d7a5a..2cc3fac9f 100644 --- a/integration-tests/deploy/config.go +++ b/integration-tests/deploy/config.go @@ -16,13 +16,14 @@ var ( ) type CoreConfigToml struct { - Log CoreLogTomlConfig `toml:"Log"` - Feature CoreFeatureTomlConfig `toml:"Feature"` - OCR2 CoreOCR2TomlConfig `toml:"OCR2"` - P2P CoreP2PTomlConfig `toml:"P2P"` - WebServer CoreWebServerTomlConfig `toml:"WebServer"` - Aptos []CoreAptosTomlConfig `toml:"Aptos"` - EVM []CoreEVMTomlConfig `toml:"EVM"` + Log CoreLogTomlConfig `toml:"Log"` + Feature CoreFeatureTomlConfig `toml:"Feature"` + Capabilities CoreCapabilitiesTomlConfig `toml:"Capabilities"` + OCR2 CoreOCR2TomlConfig `toml:"OCR2"` + P2P CoreP2PTomlConfig `toml:"P2P"` + WebServer CoreWebServerTomlConfig `toml:"WebServer"` + Aptos []CoreAptosTomlConfig `toml:"Aptos"` + EVM []CoreEVMTomlConfig `toml:"EVM"` } type CoreLogTomlConfig struct { @@ -35,6 +36,19 @@ type CoreFeatureTomlConfig struct { UICSAKeys bool `toml:"UICSAKeys"` } +type CoreCapabilitiesTomlConfig struct { + Local CoreLocalCapabilitiesTomlConfig `toml:"Local"` +} + +type CoreLocalCapabilitiesTomlConfig struct { + Capabilities map[string]CoreCapabilityNodeTomlConfig `toml:"Capabilities"` +} + +type CoreCapabilityNodeTomlConfig struct { + BinaryPathOverride string `toml:"BinaryPathOverride,omitempty"` + Config map[string]string `toml:"Config,omitempty"` +} + type CoreOCR2TomlConfig struct { Enabled bool `toml:"Enabled"` } diff --git a/integration-tests/deploy/config_test.go b/integration-tests/deploy/config_test.go new file mode 100644 index 000000000..3945deb60 --- /dev/null +++ b/integration-tests/deploy/config_test.go @@ -0,0 +1,50 @@ +package deploy + +import ( + "os" + "path/filepath" + "testing" + + "github.com/BurntSushi/toml" + "github.com/stretchr/testify/require" + + "github.com/smartcontractkit/chainlink-aptos/integration-tests/scripts" +) + +func TestMarshalCoreTomlPreservesLocalCapabilities(t *testing.T) { + t.Parallel() + + input := ` +[Capabilities.Local] +[Capabilities.Local.Capabilities."mock-streams-trigger@1.0.0"] + +[WebServer] +HTTPPort = 6688 +AllowOrigins = '*' +[WebServer.TLS] +HTTPSPort = 0 +` + + var cfg CoreConfigToml + _, err := toml.Decode(input, &cfg) + require.NoError(t, err) + + out, err := marshalCoreToml(&cfg) + require.NoError(t, err) + require.Contains(t, out, `[Capabilities.Local.Capabilities."mock-streams-trigger@1.0.0"]`) +} + +func TestCoreTemplateRoundTripPreservesMockTrigger(t *testing.T) { + t.Parallel() + + input, err := os.ReadFile(filepath.Join(scripts.Templates, "core.toml")) + require.NoError(t, err) + + var cfg CoreConfigToml + _, err = toml.Decode(string(input), &cfg) + require.NoError(t, err) + + out, err := marshalCoreToml(&cfg) + require.NoError(t, err) + require.Contains(t, out, `[Capabilities.Local.Capabilities."mock-streams-trigger@1.0.0"]`) +} From 8f96a6a99d80f9f040e6f6d079bfe69115c3d9dc Mon Sep 17 00:00:00 2001 From: cawthorne Date: Mon, 6 Apr 2026 13:21:30 +0100 Subject: [PATCH 4/8] docs: explain mock trigger compatibility config --- integration-tests/deploy/config.go | 2 ++ integration-tests/templates/core.toml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/integration-tests/deploy/config.go b/integration-tests/deploy/config.go index 2cc3fac9f..d98cc1352 100644 --- a/integration-tests/deploy/config.go +++ b/integration-tests/deploy/config.go @@ -41,6 +41,8 @@ type CoreCapabilitiesTomlConfig struct { } type CoreLocalCapabilitiesTomlConfig struct { + // Preserve explicit local capability stanzas when we decode and re-encode + // core.toml; the mock trigger opt-in is represented by an otherwise-empty table. Capabilities map[string]CoreCapabilityNodeTomlConfig `toml:"Capabilities"` } diff --git a/integration-tests/templates/core.toml b/integration-tests/templates/core.toml index 91c5a2b3a..60bb11b1c 100644 --- a/integration-tests/templates/core.toml +++ b/integration-tests/templates/core.toml @@ -7,6 +7,8 @@ LogPoller = true UICSAKeys = true [Capabilities.Local] +# This empty stanza opt-ins the smoke nodes to the mock trigger that keeps the +# legacy workflow-based Aptos smoke path working against core `develop`. [Capabilities.Local.Capabilities."mock-streams-trigger@1.0.0"] [OCR2] From 386e7305a2c8fc5e3fa070656a8b228302ec2ac5 Mon Sep 17 00:00:00 2001 From: cawthorne Date: Tue, 7 Apr 2026 14:21:26 +0100 Subject: [PATCH 5/8] docs: stop referencing aptos-init in example env --- .example.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.example.env b/.example.env index bac9d2631..22ed35047 100644 --- a/.example.env +++ b/.example.env @@ -28,4 +28,4 @@ CORE_P2P_PORT=6690 # Build config CORE_REPO="https://github.com/smartcontractkit/chainlink.git" -CORE_REF=aptos-init +CORE_REF=develop From 64f288b8fbdefb9e4017442eb2a0b071c6c760a0 Mon Sep 17 00:00:00 2001 From: cawthorne Date: Wed, 22 Apr 2026 19:15:42 +0100 Subject: [PATCH 6/8] chore: point aptos smoke workflow back to develop --- .github/workflows/aptos-run-smoke-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/aptos-run-smoke-tests.yml b/.github/workflows/aptos-run-smoke-tests.yml index 5ea762f3d..1f16ba297 100644 --- a/.github/workflows/aptos-run-smoke-tests.yml +++ b/.github/workflows/aptos-run-smoke-tests.yml @@ -20,7 +20,7 @@ jobs: contents: read env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - DEFAULT_CORE_REF: feature/aptos-develop-mock-trigger + DEFAULT_CORE_REF: develop runs-on: ubuntu-latest steps: - name: Checkout code From 28fa4d17689a86feeb7a3c7cbadd8cac8f0f788c Mon Sep 17 00:00:00 2001 From: cawthorne Date: Wed, 22 Apr 2026 19:19:20 +0100 Subject: [PATCH 7/8] chore: pin aptos smoke workflow core ref --- .github/workflows/aptos-run-smoke-tests.yml | 11 ++--------- README.md | 2 +- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/.github/workflows/aptos-run-smoke-tests.yml b/.github/workflows/aptos-run-smoke-tests.yml index 1f16ba297..939ba8bce 100644 --- a/.github/workflows/aptos-run-smoke-tests.yml +++ b/.github/workflows/aptos-run-smoke-tests.yml @@ -20,7 +20,7 @@ jobs: contents: read env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - DEFAULT_CORE_REF: develop + DEFAULT_CORE_REF: 43a6f2748d47fb6ec96a64505dfa66f1c302100b runs-on: ubuntu-latest steps: - name: Checkout code @@ -28,14 +28,7 @@ jobs: - name: Get core ref from PR body if: github.event_name == 'pull_request' - env: - PR_BODY: ${{ github.event.pull_request.body }} - run: | - comment=$(echo "${PR_BODY}") - core_ref=$(echo $comment | grep -oP 'core ref: \K\S+' || true) - if [ ! -z "$core_ref" ]; then - echo "CUSTOM_CORE_REF=${core_ref}" >> "${GITHUB_ENV}" - fi + uses: ./.github/actions/get-core-ref - name: Checkout chainlink repo uses: actions/checkout@v6 diff --git a/README.md b/README.md index deab6b29a..0c2c19664 100644 --- a/README.md +++ b/README.md @@ -22,4 +22,4 @@ Local development and tests how to ### Custom images on PRs If you want to test the CI with a custom core image you need to specify in the PR body either the commit sha or branch name in the following format `core_ref:;`, for example `core_ref:develop;`. -If you do not provide an override, the smoke workflow uses `develop` by default. +If you do not provide an override, the smoke workflow uses the merged `smartcontractkit/chainlink#21828` commit by default. From dc956053dbcb809634c6e7e607fc57eb9af72dde Mon Sep 17 00:00:00 2001 From: cawthorne Date: Wed, 22 Apr 2026 19:21:11 +0100 Subject: [PATCH 8/8] test: use neutral core ref examples (cherry picked from commit a09f1df4829f87a90b9c83fa055e798fe3d7ec22) --- .github/actions/get-core-ref/test_get_core_ref.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/get-core-ref/test_get_core_ref.sh b/.github/actions/get-core-ref/test_get_core_ref.sh index e419e0e26..0f3d7b38b 100755 --- a/.github/actions/get-core-ref/test_get_core_ref.sh +++ b/.github/actions/get-core-ref/test_get_core_ref.sh @@ -45,12 +45,12 @@ run_test "Simple valid ref" \ "develop" run_test "Documented semicolon syntax" \ - "core_ref: feature/aptos-core-branch;" \ - "feature/aptos-core-branch" + "core_ref: develop;" \ + "develop" run_test "Complex valid ref" \ - "core_ref: feature/abc-123_test" \ - "feature/abc-123_test" + "core_ref: release/abc-123_test" \ + "release/abc-123_test" run_test "Multiple colons" \ "core_ref: abc:def:ghi" \