…ted requests (#49) Co-authored-by: Christian Drappi <c@seismic.systems>
| runs-on: ubuntu-latest | ||
| timeout-minutes: 5 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: dtolnay/rust-toolchain@nightly | ||
| with: | ||
| components: rustfmt | ||
| - run: cargo fmt --all --check | ||
|
|
||
| build: |
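Review bot: every action in this job is referenced by a mutable tag (`actions/checkout@v4`, `dtolnay/rust-toolchain@nightly`), and `nightly` resolves to a different toolchain on each run, so `cargo fmt --all --check` can start failing without any change to the repository; pinning the actions to a commit SHA and, if nightly rustfmt is really needed, selecting a dated nightly through the action's `toolchain:` input would make the check reproducible. This job also sits under the CodeQL warning below and needs nothing beyond `contents: read`.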
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
In general, the fix is to add an explicit permissions: block that restricts the GITHUB_TOKEN to the minimum required scope. Since these jobs only need to read the repository source, setting contents: read at the workflow root is an appropriate baseline. If any job later requires broader permissions, it can define its own permissions: section that overrides the root for that job only.
The single best way to fix this without changing existing behavior is:
- Add a root-level `permissions:` block after the `on:` block (before `concurrency:`) in `.github/workflows/seismic.yml`.
- Set `contents: read`, which is sufficient for `actions/checkout` and typical CI tasks that don’t push or modify GitHub resources.
- Do not modify any job definitions or steps, since none of them currently rely on write permissions.
Concretely, in .github/workflows/seismic.yml, between line 7 (the last line of the on: section) and line 9 (the start of concurrency:), insert:
```yaml
permissions:
  contents: read
```

No additional imports, methods, or definitions are required; this is pure workflow configuration.
| @@ -6,6 +6,9 @@ | ||
| pull_request: | ||
| branches: [seismic, usm] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: true |
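Review bot: the placement before `concurrency:` is fine, but `contents: read` has to be nested under `permissions:` (the rendered diff drops the indentation); at the top level it would not be read as a permission at all. Once this root block exists it becomes the default for every job, so a job added later that must push or comment should declare its own `permissions:` instead of this one being widened.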
.github/workflows/seismic.yml
Outdated
| runs-on: large-github-runner | ||
| timeout-minutes: 30 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: dtolnay/rust-toolchain@stable | ||
| - uses: Swatinem/rust-cache@v2 | ||
| with: | ||
| shared-key: "build-cache" | ||
| - name: sforge build | ||
| run: cargo build --bin sforge | ||
| - name: sanvil build | ||
| run: cargo build --bin sanvil | ||
|
|
||
| warnings: |
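Review bot: both `cargo build --bin sforge` and `cargo build --bin sanvil` run without `--locked`, so if `Cargo.toml` and `Cargo.lock` ever disagree Cargo resolves and compiles new dependency versions on the runner instead of failing; the `cargo install ... --locked` used in the contract-tests job is the stricter form and the same flag belongs here, since this job is what proves the committed lockfile builds.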
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
In general, the fix is to add an explicit permissions block to the workflow (at the top level under name / on) or to individual jobs, granting only the minimal scopes needed. Since all shown jobs only read code and external resources and do not write back to the repository or PRs, the safest baseline is contents: read. If other jobs (like viem or contract-tests) later need more, they can override permissions per job.
The single best fix with minimal functional change is to add a root-level permissions block right after the name: Seismic CI line. This will apply to all jobs that don’t define their own permissions and will satisfy CodeQL’s requirement for explicit scoping of GITHUB_TOKEN. Based on the visible steps (checkout, toolchain setup, caching, HTTP requests, builds, tests), contents: read is sufficient, and no other permissions (e.g., pull-requests: write, issues: write) are required. No additional imports or external libraries are needed, as this is a YAML configuration change only.
Concretely, in .github/workflows/seismic.yml, insert:
```yaml
permissions:
  contents: read
```

between line 1 (name: Seismic CI) and line 3 (on:). This documents and enforces minimal read-only access for the GITHUB_TOKEN across all jobs, including the build job at line 29 that CodeQL flagged.
| @@ -1,4 +1,6 @@ | ||
| name: Seismic CI | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
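Review bot: this is the same root-level `permissions: contents: read` block that the other autofix proposes inserting after the `on:` section, here placed directly after `name:`; both positions are valid at the workflow root, but only one of the suggestions should be applied, and `contents: read` must stay indented under `permissions:`.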
| runs-on: large-github-runner | ||
| timeout-minutes: 30 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: dtolnay/rust-toolchain@stable | ||
| - uses: taiki-e/install-action@nextest | ||
| - uses: Swatinem/rust-cache@v2 | ||
| with: | ||
| shared-key: "test-cache" | ||
| - name: seismic unit tests | ||
| run: cargo nextest run test_seismic_tx_encoding | ||
| - name: seismic integration tests | ||
| run: cargo nextest run test_seismic_ | ||
| # TODO: make these work & run | ||
| # - name: sforge tests | ||
| # run: cargo test --bin sforge | ||
| # - name: sanvil tests | ||
| # run: cargo test --bin sanvil | ||
|
|
||
| viem: |
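Review bot: the two nextest steps overlap: a positional argument to `cargo nextest run` is a substring filter, so `test_seismic_` already selects `test_seismic_tx_encoding`, and the "seismic unit tests" step runs a test the "seismic integration tests" step repeats. Either drop the first step or give it something the second does not have (its own timeout, fail-fast). The commented-out `sforge`/`sanvil` test steps mean the binaries the `build` job compiles are never exercised by tests here; tracking that TODO as an issue keeps it from staying commented out indefinitely.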
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
| runs-on: large-github-runner | ||
| timeout-minutes: 30 | ||
| env: | ||
| SFOUNDRY_ROOT: /home/runner/work/seismic-foundry/seismic-foundry | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: oven-sh/setup-bun@v2 | ||
| with: | ||
| bun-version: 1.2.5 | ||
| - uses: dtolnay/rust-toolchain@stable | ||
| - uses: Swatinem/rust-cache@v2 | ||
| with: | ||
| shared-key: "viem-cache" | ||
| - name: sanvil build | ||
| run: cargo build --bin sanvil | ||
| - name: Install dependencies | ||
| run: bun install | ||
| - name: Run viem tests vs. Anvil | ||
| run: bun viem:test | ||
|
|
||
| contract-tests: |
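Review bot: `bun install` runs without `--frozen-lockfile`, so on the runner it can resolve and write a dependency set that differs from the committed lockfile rather than failing; in CI the frozen form is what catches lockfile drift before the tests run against unexpected packages. `SFOUNDRY_ROOT` is also hard-coded to `/home/runner/work/seismic-foundry/seismic-foundry`, which only matches one runner layout; `${{ github.workspace }}` names the same checkout directory and keeps working if the runner type or repository name changes.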
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
To fix this, add an explicit permissions block that limits the default GITHUB_TOKEN scope to what the workflow actually needs. Since the jobs only check out code and run builds/tests, they require only read access to repository contents (and possibly packages, though nothing here explicitly uses packages via the GitHub API). The simplest and safest change is to set workflow‑wide permissions to contents: read, which each job will inherit unless overridden.
Concretely, in .github/workflows/seismic.yml, insert a permissions: section near the top at the workflow level (between on: and concurrency: or after name: is standard). This block should specify contents: read. No other code or steps need to change, and no additional methods or imports are required, because this is purely a YAML configuration adjustment for GitHub Actions.
| @@ -6,10 +6,12 @@ | ||
| pull_request: | ||
| branches: [seismic, usm] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: true | ||
|
|
||
| env: | ||
| CARGO_TERM_COLOR: always | ||
| CARGO_NET_GIT_FETCH_WITH_CLI: true |
| runs-on: self-hosted | ||
| timeout-minutes: 30 | ||
| env: | ||
| CODE_PATH: /home/ubuntu | ||
| SFORGE_BINARY: /home/ubuntu/.seismic/bin/sforge | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: oven-sh/setup-bun@v2 | ||
| with: | ||
| bun-version: 1.2.5 | ||
| - uses: dtolnay/rust-toolchain@stable | ||
| - uses: Swatinem/rust-cache@v2 | ||
| with: | ||
| shared-key: "contract-tests-cache" | ||
| - name: Install JS dependencies | ||
| run: bun install | ||
| - name: Clean previous installations | ||
| run: rm -rf $HOME/.seismic/bin/sforge || true | ||
| - name: Install sforge binary | ||
| run: | | ||
| cargo install --root=$HOME/.seismic --profile dev --path ./crates/forge --locked | ||
| echo "$HOME/.seismic/bin" >> $GITHUB_PATH | ||
| - name: Verify sforge installation | ||
| run: | | ||
| ls -la $HOME/.seismic/bin/sforge | ||
| $HOME/.seismic/bin/sforge --version || echo "sforge failed to run" | ||
| - name: Run contract tests with sforge | ||
| run: bun forge:test |
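Review bot: the "Verify sforge installation" step masks failure: `$HOME/.seismic/bin/sforge --version || echo "sforge failed to run"` exits 0 either way, so a binary that installs but cannot execute still lets the job proceed to `bun forge:test`, where the error surfaces later and less clearly; drop the `|| echo` or follow it with `exit 1`. Separately, this job runs on `self-hosted`, the workflow is triggered on `pull_request`, and the steps write into the persistent `$HOME/.seismic` of that machine, so code from a pull request is built and left installed on a long-lived host; limiting this job to trusted refs or cleaning the runner's home and workspace after each run would bound that exposure.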
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
foundryup was not installing scast for some reason. Also updated README with scast info and some small updates.
… test init (#140) Co-authored-by: Christian Drappi <c@seismic.systems> Co-authored-by: Ameya Deshmukh <ad@seismic.systems>
delete outdated developers.md file, add new contributors.md file (modified from https://github.com/SeismicSystems/documentation/blob/main/foundry/documentation.md), and point README to it.
use .into() function to convert MERCURY to SpecId. This allows removing MERCURY from the specid, like we did in SeismicSystems/seismic-revm#184 This will work for both current setup (where MERCURY is part of SpecID), and after we repoint revm to use the changes in seismic-revm. Opting to not point to the temporary reth-sdk as part of this PR, but might do it in a followup to test future changes.
## Summary

- Add comprehensive `CLAUDE.md` with build instructions (macOS/Linux), test commands, project layout, Seismic-specific modifications, code style, and CI documentation
- Include troubleshooting table for known issues (zsh filter escaping, upstream test divergences, network-dependent tests, ssolc installation)
- Remove `CLAUDE.md` from `.gitignore` so it can be tracked

## Test plan

- [x] All three binaries (`sforge`, `sanvil`, `scast`) build and run with documented commands
- [x] All Seismic CI tests pass (`test_seismic_tx_encoding`, `test_seismic_*`, `private_storage_*`)
- [x] Doc tests pass when excluding `cast` crate (which requires network)
- [x] Every command in the CLAUDE.md verified on macOS arm64

cc @cdrappi

--------

Co-authored-by: Christian Drappi <christiandrappi@gmail.com>
Uses SeismicSystems/seismic-compilers#14

When compiling with -vvv we can now see the commit version:

```
$ sforge build -vvv
[⠊] Compiling...
[⠑] Compiling 44 files with ssolc 0.8.31 (676bdec)
[⠘] ssolc 0.8.31 (676bdec) finished in 615.21ms
```

Before we'd see `Compiler ... with Solc 0.8.31` only.
This updates the compiler print to be able to tell which exact ssolc commit is used. This brings in SeismicSystems/seismic-compilers@5a398ff Also added some comments to explain how the `seismic` config field works as I got confused about what the code was doing.
Update upstream's release.yml script to work for seismic binaries (basically just added `s` in front of everything). Turned off the docker releases because I don't see a use case for them at this point. This will make nightly releases, which are pruned monthly afaiu.
Afaiu it's a superset, and this clippy command will compile + check all binaries (not only the 2 hardcoded) with all features (ran into some issues in the release ci recently because we weren't ever testing with the js-tracer feature flag).
| runs-on: ubuntu-latest | ||
| timeout-minutes: 30 | ||
| steps: | ||
| - uses: actions/checkout@v5 | ||
| - uses: dtolnay/rust-toolchain@clippy | ||
| - uses: Swatinem/rust-cache@v2 | ||
| with: | ||
| cache-on-failure: true | ||
| - run: cargo clippy --workspace --all-targets --all-features | ||
| # Not enforcing warnings here because there are too many to fix atm, but we may want to turn this back on. | ||
| # env: | ||
| # RUSTFLAGS: -Dwarnings | ||
|
|
||
| test: |
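Review bot: with `RUSTFLAGS: -Dwarnings` left commented out, `cargo clippy --workspace --all-targets --all-features` exits 0 whenever it finds only warnings, so this step can fail on compile errors alone and none of the lint output is enforced; a way to keep the step meaningful while the backlog is worked down is to deny a small set of lints the tree already passes (via `RUSTFLAGS` or a `[lints]` table in `Cargo.toml`) and widen it over time. Minor: this job uses `actions/checkout@v5` while the other jobs use `@v4`; pick one, ideally pinned to a commit SHA.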
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
To fix this, add an explicit permissions block that limits the GITHUB_TOKEN to read‑only repository contents (and other scopes only if needed). The simplest and safest approach here is to set permissions at the workflow root so that it applies to all jobs (rustfmt, build, clippy, test, viem, etc.), since none of them appear to need write access. A minimal starting point is:
```yaml
permissions:
  contents: read
```

This should be inserted near the top level of .github/workflows/seismic.yml, alongside on:, concurrency:, and env:. No other functionality changes are required because the jobs only read the code and run local tooling. If, elsewhere in the truncated viem job (lines 92–142), there were actions that needed writes (e.g., commenting on PRs), they could later override permissions per job; but based on the visible snippet, a workflow-wide contents: read is appropriate.
Concretely:
- Edit `.github/workflows/seismic.yml`.
- After the `on:` block (lines 3–7), or before `concurrency:`, add a new top-level `permissions:` section: `contents: read`.
No imports or additional methods are needed, since this is GitHub Actions YAML configuration only.
| @@ -6,6 +6,9 @@ | ||
| pull_request: | ||
| branches: [seismic, usm] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: true |
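As an added example (not code from the PR or the project), a small Python scanner that implements the rule the CodeQL warnings above apply: for each job it reports whether its token scope comes from the job's own `permissions:` block, from the workflow root, or is missing, and it lists every scope granted `write`. It assumes the conventional 2-space YAML indentation and is a line-based approximation rather than a YAML parser; the sample workflow at the end is constructed.

```python
"""Audit GitHub Actions workflow text for CodeQL's 'Workflow does not contain
permissions' finding. Added example, not code from the PR or the project: a
simplified 2-space-indentation scanner rather than a full YAML parser."""
import re

SCOPE_LINE = re.compile(r"^\s*([\w-]+):\s*(read|write|none)\b")

def audit_workflow(text):
    """Per job: 'job' (own block), 'root' (inherits) or 'missing'; plus write scopes."""
    root_perms, in_jobs, perms_indent = False, False, None
    jobs, current_job, writes = {}, None, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        if perms_indent is not None and indent <= perms_indent:
            perms_indent = None  # dedented out of a permissions block
        if perms_indent is not None:  # inside one: lines are scopes
            m = SCOPE_LINE.match(line)
            if m and m.group(2) == "write":
                writes.append(f"{current_job or 'root'}:{m.group(1)}")
            continue
        if indent == 0:  # workflow-level key
            in_jobs, current_job = key == "jobs", None
            root_perms = root_perms or key == "permissions"
        elif in_jobs and indent == 2 and not value.strip():  # a job name
            current_job, jobs[key] = key, "missing"
        elif current_job and indent == 4 and key == "permissions":
            jobs[current_job] = "job"
        if key == "permissions" and not value.strip():
            perms_indent = indent  # nested scope lines follow
    if root_perms:  # the root block covers every job without its own
        jobs = {j: "root" if s == "missing" else s for j, s in jobs.items()}
    return {"root": root_perms, "jobs": jobs, "writes": writes}

# Constructed sample modelled on the PR's jobs: no root-level permissions,
# one job without any block and one that grants itself contents: write.
SAMPLE = """\
name: Seismic CI
on:
  pull_request:
    branches: [seismic, usm]
jobs:
  rustfmt:
    runs-on: ubuntu-latest
  release:
    permissions:
      contents: write
"""
```

Running `audit_workflow` on the sample reports `rustfmt` as missing; inserting the root `permissions:`/`contents: read` block from the autofix turns it into "root" while `release` keeps its own write scope, which the `writes` list surfaces for review.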
Ran the workflow manually and it succeeded: https://github.com/SeismicSystems/seismic-foundry/actions/runs/22312870726

Set it to:
- make a release once a week (or whenever manually triggered)
- build for 3 platforms (ubuntu-x86, mac-x86, mac-arm). Disabled all the others because I had issues with GitHub's self-hosted runners, plus I don't think there's demand at this point in time
Adding option to pass --unsafe-via-ir option down to ssolc. This updates the seismic-compiler to get the similar changes from SeismicSystems/seismic-compilers#18

Needed because versions of ssolc (SeismicSystems/seismic-solidity#204) require --unsafe-via-ir argument, which foundry's config didn't support before this. Now one can change foundry.toml to have

```
via_ir = true
unsafe_via_ir = true
```

and both of these will be passed down to ssolc.

chore: Also fixed .gitignore since it was ignoring crates/cli/src/opts/build by mistake.