ci: add explicit permissions to workflows to mitigate security conce… #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Foundry Post Merge | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - '.github/workflows/foundry-post-merge.yml' | |
| - 'src/**' | |
| - 'lib/**' | |
| - 'foundry.toml' | |
| - '**/*.sol' | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| env: | |
| FOUNDRY_PROFILE: medium | |
| jobs: | |
| # ----------------------------------------------------------------------- | |
| # Forge Test (Intense) | |
| # ----------------------------------------------------------------------- | |
| continuous-fuzzing: | |
| name: Test (Intense) | |
| runs-on: protocol-x64-16core | |
| strategy: | |
| fail-fast: true | |
| steps: | |
| # Check out repository with all submodules for complete codebase access. | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| # Restore Forge cache | |
| - name: Cache Forge Build | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| cache/ | |
| out/ | |
| key: ${{ runner.os }}-forge-${{ hashFiles('**/foundry.toml', '**/remappings.txt', 'src/**/*.sol', 'lib/**/*.sol') }} | |
| restore-keys: | | |
| ${{ runner.os }}-forge- | |
| # Install the Foundry toolchain. | |
| - name: "Install Foundry" | |
| uses: foundry-rs/foundry-toolchain@v1 | |
| with: | |
| version: stable | |
| # Build the project and display contract sizes. | |
| - name: "Forge Build" | |
| run: | | |
| forge --version | |
| forge build --sizes | |
| id: build | |
| # Run Forge Test (Intense) | |
| - name: Forge Test (Intense) | |
| run: | | |
| echo -e "\033[1;33mWarning: This workflow may take several hours to complete.\033[0m" | |
| echo -e "\033[1;33mThis intense fuzzing workflow is optional but helps catch edge cases through extended testing.\033[0m" | |
| FOUNDRY_PROFILE=intense forge test -vvv |