fix: include OCR secrets as part of deployment.Environment

There are many cases where a changeset requires access to the OCR secrets and because it is not accessible via `deployment.Environment`, users are left no choice but to pass secrets as config in a changesets.
By plumbing OCR secrets in `deployment.Environment`, user will no longer need to do the workaround.

Update code to use OCR secrets from the env instead of from requests.

JIRA: https://smartcontract-it.atlassian.net/browse/DPA-1357

.changeset/hot-islands-dress.md

@@ -0,0 +1,5 @@
+---
+"chainlink": patch
+---
+
+#internal refactor: inject ocr secrets via env instead of config

core/scripts/keystone/src/88_gen_ocr3_config.go

@@ -13,9 +13,8 @@ func mustReadConfig(fileName string) (output ksdeploy.TopLevelConfigSource) {
 func generateOCR3Config(nodeList string, configFile string, chainID int64, pubKeysPath string) ksdeploy.OCR2OracleConfig {
 	topLevelCfg := mustReadConfig(configFile)
 	cfg := topLevelCfg.OracleConfig
-	cfg.OCRSecrets = deployment.XXXGenerateTestOCRSecrets()
 	nca := downloadNodePubKeys(nodeList, chainID, pubKeysPath)
-	c, err := ksdeploy.GenerateOCR3Config(cfg, nca)
+	c, err := ksdeploy.GenerateOCR3Config(cfg, nca, deployment.XXXGenerateTestOCRSecrets())
 	helpers.PanicErr(err)
 	return c
 }

deployment/ccip/changeset/cs_active_candidate.go

@@ -137,7 +137,7 @@ func SetCandidatePluginChangeset(
 	}
 
 	newDONArgs, err := internal.BuildOCR3ConfigForCCIPHome(
-		cfg.OCRSecrets,
+		e.OCRSecrets,
 		state.Chains[cfg.NewChainSelector].OffRamp,
 		e.Chains[cfg.NewChainSelector],
 		nodes.NonBootstraps(),

deployment/ccip/changeset/cs_active_candidate_test.go

@@ -144,7 +144,7 @@ func TestActiveCandidate(t *testing.T) {
 		nil,
 	)
 	ocr3ConfigMap, err := internal.BuildOCR3ConfigForCCIPHome(
-		deployment.XXXGenerateTestOCRSecrets(),
+		e.OCRSecrets,
 		state.Chains[tenv.FeedChainSel].OffRamp,
 		e.Chains[tenv.FeedChainSel],
 		nodes.NonBootstraps(),

deployment/ccip/changeset/cs_add_chain.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/smartcontractkit/chainlink-ccip/chainconfig"
 	"github.com/smartcontractkit/chainlink-ccip/pkg/types/ccipocr3"
+
 	"github.com/smartcontractkit/chainlink/deployment/ccip/changeset/internal"
 	"github.com/smartcontractkit/chainlink/deployment/common/proposalutils"
 	"github.com/smartcontractkit/chainlink/v2/core/capabilities/ccip/types"
@@ -142,7 +143,6 @@ type AddDonAndSetCandidateChangesetConfig struct {
 	PluginType        types.PluginType
 	NodeIDs           []string
 	CCIPOCRParams     CCIPOCRParams
-	OCRSecrets        deployment.OCRSecrets
 }
 
 func (a AddDonAndSetCandidateChangesetConfig) Validate(e deployment.Environment, state CCIPOnChainState) (deployment.Nodes, error) {
@@ -191,7 +191,7 @@ func (a AddDonAndSetCandidateChangesetConfig) Validate(e deployment.Environment,
 		return nil, fmt.Errorf("invalid ccip ocr params: %w", err)
 	}
 
-	if a.OCRSecrets.IsEmpty() {
+	if e.OCRSecrets.IsEmpty() {
 		return nil, fmt.Errorf("OCR secrets must be set")
 	}
 
@@ -215,7 +215,7 @@ func AddDonAndSetCandidateChangeset(
 	}
 
 	newDONArgs, err := internal.BuildOCR3ConfigForCCIPHome(
-		cfg.OCRSecrets,
+		e.OCRSecrets,
 		state.Chains[cfg.NewChainSelector].OffRamp,
 		e.Chains[cfg.NewChainSelector],
 		nodes.NonBootstraps(),

deployment/ccip/changeset/cs_add_chain_test.go

@@ -84,7 +84,6 @@ func TestAddChainInbound(t *testing.T) {
 		HomeChainSel:       e.HomeChainSel,
 		FeedChainSel:       e.FeedChainSel,
 		ChainConfigByChain: chainConfig,
-		OCRSecrets:         deployment.XXXGenerateTestOCRSecrets(),
 	})
 	require.NoError(t, err)
 
@@ -191,7 +190,6 @@ func TestAddChainInbound(t *testing.T) {
 				NewChainSelector:  newChain,
 				PluginType:        types.PluginTypeCCIPCommit,
 				NodeIDs:           nodeIDs,
-				OCRSecrets:        deployment.XXXGenerateTestOCRSecrets(),
 				CCIPOCRParams: DefaultOCRParams(
 					e.FeedChainSel,
 					tokenConfig.GetTokenInfo(logger.TestLogger(t), state.Chains[newChain].LinkToken, state.Chains[newChain].Weth9),
@@ -207,7 +205,6 @@ func TestAddChainInbound(t *testing.T) {
 				NewChainSelector:  newChain,
 				PluginType:        types.PluginTypeCCIPExec,
 				NodeIDs:           nodeIDs,
-				OCRSecrets:        deployment.XXXGenerateTestOCRSecrets(),
 				CCIPOCRParams: DefaultOCRParams(
 					e.FeedChainSel,
 					tokenConfig.GetTokenInfo(logger.TestLogger(t), state.Chains[newChain].LinkToken, state.Chains[newChain].Weth9),

deployment/ccip/changeset/cs_initial_add_chain.go

@@ -18,6 +18,7 @@ import (
 	"github.com/smartcontractkit/chainlink-common/pkg/config"
 	"github.com/smartcontractkit/chainlink-common/pkg/logger"
 	"github.com/smartcontractkit/chainlink-common/pkg/merklemulti"
+
 	"github.com/smartcontractkit/chainlink/deployment"
 	"github.com/smartcontractkit/chainlink/deployment/ccip/changeset/internal"
 	"github.com/smartcontractkit/chainlink/deployment/common/types"
@@ -75,7 +76,6 @@ type NewChainsConfig struct {
 	// Common to all chains
 	HomeChainSel uint64
 	FeedChainSel uint64
-	OCRSecrets   deployment.OCRSecrets
 	// Per chain config
 	ChainConfigByChain map[uint64]CCIPOCRParams
 }
@@ -95,9 +95,6 @@ func (c NewChainsConfig) Validate() error {
 	if err := deployment.IsValidChainSelector(c.FeedChainSel); err != nil {
 		return fmt.Errorf("invalid feed chain selector: %d - %w", c.FeedChainSel, err)
 	}
-	if c.OCRSecrets.IsEmpty() {
-		return fmt.Errorf("no OCR secrets provided")
-	}
 	// Validate chain config
 	for chain, cfg := range c.ChainConfigByChain {
 		if err := cfg.Validate(); err != nil {
@@ -165,7 +162,7 @@ func configureChain(
 	e deployment.Environment,
 	c NewChainsConfig,
 ) error {
-	if c.OCRSecrets.IsEmpty() {
+	if e.OCRSecrets.IsEmpty() {
 		return fmt.Errorf("OCR secrets are empty")
 	}
 	nodes, err := deployment.NodeInfo(e.NodeIDs, e.Offchain)
@@ -215,7 +212,7 @@ func configureChain(
 		// For each chain, we create a DON on the home chain (2 OCR instances)
 		if err := addDON(
 			e.Logger,
-			c.OCRSecrets,
+			e.OCRSecrets,
 			capReg,
 			ccipHome,
 			rmnHome.Address(),

deployment/ccip/changeset/test_helpers.go

@@ -372,7 +372,6 @@ func NewMemoryEnvironmentWithJobsAndContracts(t *testing.T, lggr logger.Logger,
 			Config: NewChainsConfig{
 				HomeChainSel:       e.HomeChainSel,
 				FeedChainSel:       e.FeedChainSel,
-				OCRSecrets:         deployment.XXXGenerateTestOCRSecrets(),
 				ChainConfigByChain: chainConfigs,
 			},
 		},

deployment/common/changeset/test_helpers.go

@@ -90,6 +90,7 @@ func ApplyChangesets(t *testing.T, e deployment.Environment, timelocksPerChain m
 			Chains:            e.Chains,
 			NodeIDs:           e.NodeIDs,
 			Offchain:          e.Offchain,
+			OCRSecrets:        e.OCRSecrets,
 		}
 	}
 	return currentEnv, nil

deployment/environment.go

@@ -77,6 +77,7 @@ type Environment struct {
 	NodeIDs           []string
 	Offchain          OffchainClient
 	GetContext        func() context.Context
+	OCRSecrets        OCRSecrets
 }
 
 func NewEnvironment(
@@ -87,6 +88,7 @@ func NewEnvironment(
 	nodeIDs []string,
 	offchain OffchainClient,
 	ctx func() context.Context,
+	secrets OCRSecrets,
 ) *Environment {
 	return &Environment{
 		Name:              name,
@@ -96,6 +98,7 @@ func NewEnvironment(
 		NodeIDs:           nodeIDs,
 		Offchain:          offchain,
 		GetContext:        ctx,
+		OCRSecrets:        secrets,
 	}
 }
 

deployment/environment/devenv/environment.go

@@ -52,5 +52,6 @@ func NewEnvironment(ctx func() context.Context, lggr logger.Logger, config Envir
 		nodeIDs,
 		offChain,
 		ctx,
+		deployment.XXXGenerateTestOCRSecrets(),
 	), jd.don, nil
 }

deployment/environment/memory/environment.go

@@ -140,6 +140,7 @@ func NewMemoryEnvironmentFromChainsNodes(
 		nodeIDs, // Note these have the p2p_ prefix.
 		NewMemoryJobClient(nodes),
 		ctx,
+		deployment.XXXGenerateTestOCRSecrets(),
 	)
 }
 
@@ -159,5 +160,6 @@ func NewMemoryEnvironment(t *testing.T, lggr logger.Logger, logLevel zapcore.Lev
 		nodeIDs,
 		NewMemoryJobClient(nodes),
 		func() context.Context { return tests.Context(t) },
+		deployment.XXXGenerateTestOCRSecrets(),
 	)
 }

deployment/keystone/deploy.go

@@ -39,8 +39,8 @@ type ConfigureContractsRequest struct {
 	RegistryChainSel uint64
 	Env              *deployment.Environment
 
-	Dons       []DonCapabilities        // externally sourced based on the environment
-	OCR3Config *OracleConfigWithSecrets // TODO: probably should be a map of don to config; but currently we only have one wf don therefore one config
+	Dons       []DonCapabilities // externally sourced based on the environment
+	OCR3Config *OracleConfig     // TODO: probably should be a map of don to config; but currently we only have one wf don therefore one config
 
 	// TODO rm this option; unused
 	DoContractDeploy bool // if false, the contracts are assumed to be deployed and the address book is used
@@ -346,7 +346,7 @@ func ConfigureForwardContracts(env *deployment.Environment, dons []RegisteredDon
 
 // Depreciated: use changeset.ConfigureOCR3Contract instead
 // ocr3 contract on the registry chain for the wf dons
-func ConfigureOCR3Contract(env *deployment.Environment, chainSel uint64, dons []RegisteredDon, addrBook deployment.AddressBook, cfg *OracleConfigWithSecrets) error {
+func ConfigureOCR3Contract(env *deployment.Environment, chainSel uint64, dons []RegisteredDon, addrBook deployment.AddressBook, cfg *OracleConfig) error {
 	registryChain, ok := env.Chains[chainSel]
 	if !ok {
 		return fmt.Errorf("chain %d not found in environment", chainSel)
@@ -380,6 +380,7 @@ func ConfigureOCR3Contract(env *deployment.Environment, chainSel uint64, dons []
 			contract:    contract,
 			nodes:       don.Nodes,
 			contractSet: &contracts,
+			ocrSecrets:  env.OCRSecrets,
 		})
 		if err != nil {
 			return fmt.Errorf("failed to configure OCR3 contract for don %s: %w", don.Name, err)
@@ -396,7 +397,7 @@ type ConfigureOCR3Resp struct {
 type ConfigureOCR3Config struct {
 	ChainSel   uint64
 	NodeIDs    []string
-	OCR3Config *OracleConfigWithSecrets
+	OCR3Config *OracleConfig
 	DryRun     bool
 
 	UseMCMS bool
@@ -440,6 +441,7 @@ func ConfigureOCR3ContractFromJD(env *deployment.Environment, cfg ConfigureOCR3C
 		dryRun:      cfg.DryRun,
 		contractSet: &contracts,
 		useMCMS:     cfg.UseMCMS,
+		ocrSecrets:  env.OCRSecrets,
 	})
 	if err != nil {
 		return nil, err

deployment/keystone/deploy_test.go

@@ -107,6 +107,7 @@ func TestDeployCLO(t *testing.T) {
 		Offchain:          clo.NewJobClient(lggr, clo.JobClientConfig{Nops: allNops}),
 		Chains:            allChains,
 		Logger:            lggr,
+		OCRSecrets:        deployment.XXXGenerateTestOCRSecrets(),
 	}
 	// assume that all the nodes in the provided input nops are part of the don
 	for _, nop := range allNops {
@@ -119,11 +120,8 @@ func TestDeployCLO(t *testing.T) {
 	registryChainSel, err := chainsel.SelectorFromChainId(11155111)
 	require.NoError(t, err)
 
-	var ocr3Config = keystone.OracleConfigWithSecrets{
-		OracleConfig: keystone.OracleConfig{
-			MaxFaultyOracles: len(wfNops) / 3,
-		},
-		OCRSecrets: deployment.XXXGenerateTestOCRSecrets(),
+	var ocr3Config = keystone.OracleConfig{
+		MaxFaultyOracles: len(wfNops) / 3,
 	}
 
 	ctx := tests.Context(t)

deployment/keystone/ocr3config.go

@@ -21,6 +21,7 @@ import (
 	"github.com/smartcontractkit/ccip-owner-contracts/pkg/gethwrappers"
 	"github.com/smartcontractkit/ccip-owner-contracts/pkg/proposal/mcms"
 	"github.com/smartcontractkit/ccip-owner-contracts/pkg/proposal/timelock"
+
 	"github.com/smartcontractkit/chainlink/deployment"
 	"github.com/smartcontractkit/chainlink/deployment/common/proposalutils"
 	kocr3 "github.com/smartcontractkit/chainlink/v2/core/gethwrappers/keystone/generated/ocr3_capability"
@@ -30,12 +31,9 @@ import (
 )
 
 type TopLevelConfigSource struct {
-	OracleConfig OracleConfigWithSecrets
-}
-type OracleConfigWithSecrets struct {
-	OracleConfig
-	deployment.OCRSecrets `json:"-" toml:"-"` // don't spill secrets
+	OracleConfig OracleConfig
 }
+
 type OracleConfig struct {
 	MaxQueryLengthBytes       uint32
 	MaxObservationLengthBytes uint32
@@ -151,10 +149,10 @@ func (c *OCR2OracleConfig) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-func GenerateOCR3Config(cfg OracleConfigWithSecrets, nca []NodeKeys) (OCR2OracleConfig, error) {
+func GenerateOCR3Config(cfg OracleConfig, nca []NodeKeys, secrets deployment.OCRSecrets) (OCR2OracleConfig, error) {
 	onchainPubKeys := [][]byte{}
 	allPubKeys := map[string]any{}
-	if cfg.OCRSecrets.IsEmpty() {
+	if secrets.IsEmpty() {
 		return OCR2OracleConfig{}, errors.New("OCRSecrets is required")
 	}
 	for _, n := range nca {
@@ -236,8 +234,8 @@ func GenerateOCR3Config(cfg OracleConfigWithSecrets, nca []NodeKeys) (OCR2Oracle
 	}
 
 	signers, transmitters, f, onchainConfig, offchainConfigVersion, offchainConfig, err := ocr3confighelper.ContractSetConfigArgsDeterministic(
-		cfg.EphemeralSk,
-		cfg.SharedSecret,
+		secrets.EphemeralSk,
+		secrets.SharedSecret,
 		time.Duration(cfg.DeltaProgressMillis)*time.Millisecond,
 		time.Duration(cfg.DeltaResendMillis)*time.Millisecond,
 		time.Duration(cfg.DeltaInitialMillis)*time.Millisecond,
@@ -284,19 +282,20 @@ func GenerateOCR3Config(cfg OracleConfigWithSecrets, nca []NodeKeys) (OCR2Oracle
 }
 
 type configureOCR3Request struct {
-	cfg      *OracleConfigWithSecrets
-	chain    deployment.Chain
-	contract *kocr3.OCR3Capability
-	nodes    []deployment.Node
-	dryRun   bool
+	cfg        *OracleConfig
+	chain      deployment.Chain
+	contract   *kocr3.OCR3Capability
+	nodes      []deployment.Node
+	dryRun     bool
+	ocrSecrets deployment.OCRSecrets
 
 	useMCMS     bool
 	contractSet *ContractSet
 }
 
 func (r configureOCR3Request) generateOCR3Config() (OCR2OracleConfig, error) {
 	nks := makeNodeKeysSlice(r.nodes, r.chain.Selector)
-	return GenerateOCR3Config(*r.cfg, nks)
+	return GenerateOCR3Config(*r.cfg, nks, r.ocrSecrets)
 }
 
 type configureOCR3Response struct {

deployment/keystone/ocr3config_test.go

@@ -11,13 +11,14 @@ import (
 
 	"github.com/ethereum/go-ethereum/common"
 	chain_selectors "github.com/smartcontractkit/chain-selectors"
-	"github.com/smartcontractkit/chainlink/deployment"
-	"github.com/smartcontractkit/chainlink/deployment/common/view"
-	"github.com/smartcontractkit/chainlink/v2/core/services/keystore/keys/p2pkey"
 	types2 "github.com/smartcontractkit/libocr/offchainreporting2/types"
 	"github.com/smartcontractkit/libocr/offchainreporting2plus/types"
 	types3 "github.com/smartcontractkit/libocr/offchainreporting2plus/types"
 	"github.com/test-go/testify/require"
+
+	"github.com/smartcontractkit/chainlink/deployment"
+	"github.com/smartcontractkit/chainlink/deployment/common/view"
+	"github.com/smartcontractkit/chainlink/v2/core/services/keystore/keys/p2pkey"
 )
 
 var wantOCR3Config = `{
@@ -85,11 +86,12 @@ func Test_configureOCR3Request_generateOCR3Config(t *testing.T) {
 	require.NoError(t, err)
 
 	r := configureOCR3Request{
-		cfg:   &OracleConfigWithSecrets{OracleConfig: cfg, OCRSecrets: deployment.XXXGenerateTestOCRSecrets()},
+		cfg:   &cfg,
 		nodes: nodes,
 		chain: deployment.Chain{
 			Selector: chain_selectors.ETHEREUM_TESTNET_SEPOLIA.Selector,
 		},
+		ocrSecrets: deployment.XXXGenerateTestOCRSecrets(),
 	}
 	got, err := r.generateOCR3Config()
 	require.NoError(t, err)

integration-tests/testsetups/ccip/test_helpers.go

@@ -244,7 +244,6 @@ func NewLocalDevEnvironment(
 			Config: changeset.NewChainsConfig{
 				HomeChainSel:       homeChainSel,
 				FeedChainSel:       feedSel,
-				OCRSecrets:         deployment.XXXGenerateTestOCRSecrets(),
 				ChainConfigByChain: chainConfigs,
 			},
 		},