[CAPPL-222] feat(workflows): adds a secrets syncer for workflow registry

.github/CODEOWNERS

@@ -99,6 +99,7 @@ core/scripts/gateway @smartcontractkit/dev-services
 # TODO: transmission folder, owner should be found
 /contracts/src/v0.8/vrf @smartcontractkit/dev-services
 /contracts/src/v0.8/keystone @smartcontractkit/keystone
+/contracts/src/v0.8/workflow @smartcontractkit/dev-services
 
 /core/gethwrappers/ccip @smartcontractkit/ccip-onchain
 /core/gethwrappers/functions @smartcontractkit/dev-services
@@ -107,6 +108,7 @@ core/scripts/gateway @smartcontractkit/dev-services
 /core/gethwrappers/llo-feeds @smartcontractkit/data-streams-engineers
 /core/gethwrappers/operatorforwarder @smartcontractkit/data-feeds-engineers
 /core/gethwrappers/shared @smartcontractkit/core-solidity
+/core/gethwrappers/workflow @smartcontractkit/dev-services
 
 # The following don't exist yet but should. They are already included here to allow the teams to
 # set these folders up and own them immediately.

.github/actions/golangci-lint/action.yml

@@ -1,10 +1,6 @@
 name: CI lint for Golang
 description: Runs CI lint for Golang
 inputs:
-  # general inputs
-  name:
-    description: Name of the lint action
-    required: true
   go-directory:
     description: Go directory to run commands from
     default: "."
@@ -25,10 +21,17 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/checkout@v4.2.1
+    - name: Checkout repo (full)
+      uses: actions/checkout@v4.2.1
+      # Only do a full checkout on merge_groups
+      if: github.event_name == 'merge_group'
       with:
-        # We only need a full clone on merge_group events for golangci-lint.
-        fetch-depth: ${{ github.event_name == 'merge_group' && '0' || '1' }}"
+        fetch-depth: 0
+    - name: Checkout repo
+      uses: actions/checkout@v4.2.1
+      if: github.event_name != 'merge_group'
+      with:
+        fetch-depth: 1
     - name: Setup Go
       uses: ./.github/actions/setup-go
       with:

.github/actions/goreleaser-build-sign-publish/action.yml

@@ -33,14 +33,14 @@ runs:
       name: Set up QEMU 
       uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
     - name: Setup docker buildx
-      uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0
+      uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.0
     - name: Set up Go
       uses: ./.github/actions/setup-go
       with:
         go-version-file: 'go.mod'
         only-modules: 'true'
     - name: Setup goreleaser
-      uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+      uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
       with:
         distribution: goreleaser-pro
         install-only: true
@@ -49,12 +49,12 @@ runs:
         GORELEASER_KEY: ${{ inputs.goreleaser-key }}
 
     - name: Login to docker registry
-      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
       with:
         registry: ${{ inputs.docker-registry }}
 
     - name: Install syft
-      uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+      uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
 
     - name: Run goreleaser release
       shell: bash

.github/e2e-tests.yml

@@ -943,7 +943,21 @@ runner-test-matrix:
       - PR E2E Core Tests
       - Merge Queue E2E Core Tests
       - Nightly E2E Tests
-    test_cmd: cd integration-tests/ && go test smoke/ccip_test.go -timeout 12m -test.parallel=1 -count=1 -json
+    test_cmd: cd integration-tests/ && go test smoke/ccip_test.go -timeout 12m -test.parallel=2 -count=1 -json
+    pyroscope_env: ci-smoke-ccipv1_6-evm-simulated
+    test_env_vars:
+      E2E_TEST_SELECTED_NETWORK: SIMULATED_1,SIMULATED_2
+      E2E_JD_VERSION: 0.4.0
+
+  - id: smoke/ccip_messaging_test.go:*
+    path: integration-tests/smoke/ccip_messaging_test.go
+    test_env_type: docker
+    runs_on: ubuntu-latest
+    triggers:
+      - PR E2E Core Tests
+      - Merge Queue E2E Core Tests
+      - Nightly E2E Tests
+    test_cmd: cd integration-tests/ && go test smoke/ccip_messaging_test.go -timeout 12m -test.parallel=1 -count=1 -json
     pyroscope_env: ci-smoke-ccipv1_6-evm-simulated
     test_env_vars:
       E2E_TEST_SELECTED_NETWORK: SIMULATED_1,SIMULATED_2
@@ -1178,4 +1192,4 @@ runner-test-matrix:
       TEST_LOG_LEVEL: debug
       E2E_TEST_GRAFANA_DASHBOARD_URL: /d/6vjVx-1V8/ccip-long-running-tests
 
-  # END: CCIP tests
+  # END: CCIP tests

.github/workflows/build-publish-develop-pr.yml

@@ -24,7 +24,10 @@ on:
         default: "false"
 
 env:
-  GIT_REF: ${{ github.event.inputs.git_ref || github.ref }}
+  # Use github.sha here otherwise a race condition exists if
+  # a commit is pushed to develop before merge is run.
+  CHECKOUT_REF: ${{ github.event.inputs.git_ref || github.sha }}
+
 
 jobs:
   merge:
@@ -38,7 +41,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4.2.1
         with:
-          ref: ${{ env.GIT_REF }}
+          ref: ${{ env.CHECKOUT_REF }}
 
       - name: Configure aws credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
@@ -48,13 +51,13 @@ jobs:
           mask-aws-account-id: true
           role-session-name: "merge"
 
-      - uses: actions/cache/restore@v4
+      - uses: actions/cache/restore@v4.1.1
         with:
           path: dist/linux_amd64_v1
           key: chainlink-amd64-${{ github.sha }}
           fail-on-cache-miss: true
 
-      - uses: actions/cache/restore@v4
+      - uses: actions/cache/restore@v4.1.1
         with:
           path: dist/linux_arm64_v8.0
           key: chainlink-arm64-${{ github.sha }}
@@ -91,7 +94,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4.2.1
         with:
-          ref: ${{ env.GIT_REF }}
+          ref: ${{ env.CHECKOUT_REF }}
           fetch-depth: 0
 
       - name: Configure aws credentials
@@ -103,7 +106,7 @@ jobs:
           role-session-name: "split-${{ matrix.goarch }}"
 
       - id: cache
-        uses: actions/cache@v4
+        uses: actions/cache@v4.1.1
         with:
           path: dist/${{ matrix.dist_name }}
           key: chainlink-${{ matrix.goarch }}-${{ github.sha }}
@@ -125,9 +128,9 @@ jobs:
       release-type: ${{ steps.get-image-tag.outputs.release-type }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.2.1
         with:
-          ref: ${{ env.GIT_REF }}
+          ref: ${{ env.CHECKOUT_REF }}
 
       - name: Get image tag
         id: get-image-tag

.github/workflows/ci-core.yml

@@ -34,8 +34,8 @@ jobs:
       pull-requests: read
     outputs:
       deployment-changes: ${{ steps.match-some.outputs.deployment == 'true' }}
-      should-run-ci-core: ${{ steps.match-every.outputs.non-ignored == 'true' || steps.match-some.outputs.core-ci == 'true' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }}
-      should-run-golangci: ${{ steps.match-every.outputs.non-integration-tests == 'true' || github.event_name == 'workflow_dispatch' }}
+      should-run-ci-core: ${{ steps.match-some.outputs.core-ci == 'true' || steps.match-every.outputs.non-ignored == 'true' ||  github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' }}
+      should-run-golangci: ${{ steps.match-some.outputs.golang-ci == 'true' || steps.match-every.outputs.non-ignored == 'true' || github.event_name == 'workflow_dispatch' }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repo
@@ -48,19 +48,25 @@ jobs:
           # "if any changed file matches one or more of the conditions" (https://github.com/dorny/paths-filter/issues/225)
           predicate-quantifier: some
           # deployment - any changes to files in `deployments/`
+          # core-ci - any changes that could affect this workflow definition
+          # golang-ci - any changes that could affect the linting result
           filters: |
             deployment:
               - 'deployment/**'
             core-ci:
               - '.github/workflows/ci-core.yml'
               - '.github/actions/**'
+            golang-ci:
+              - '.golangci.yml'
+              - '.github/workflows/ci-core.yml'
+              - '.github/actions/**'
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: match-every
         with:
           # "if any changed file match all of the conditions" (https://github.com/dorny/paths-filter/issues/225)
           predicate-quantifier: every
           # non-integration-tests - only changes made outside of the `integration-tests` directory
-          # everything-except-ignored - only changes except for the negated ones
+          # non-ignored - only changes except for the negated ones
           #  - This is opt-in on purpose. To be safe, new files are assumed to have an affect on CI Core unless listed here specifically.
           filters: |
             non-integration-tests:
@@ -103,9 +109,6 @@ jobs:
       - name: Golang Lint
         uses: ./.github/actions/golangci-lint
         if: ${{ needs.filter.outputs.should-run-golangci == 'true' }}
-        with:
-          id: core
-          name: lint
       - name: Notify Slack
         if: ${{ failure() && needs.run-frequency.outputs.one-per-day-frequency == 'true' }}
         uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
@@ -166,7 +169,7 @@ jobs:
         uses: ./.github/actions/setup-go
         with:
           # race/fuzz tests don't benefit repeated caching, so restore from develop's build cache
-          restore-build-cache-only: ${{ matrix.type.cmd == 'go_core_race_tests' || matrix.type.cmd == 'go_core_fuzz' }}
+          restore-build-cache-only: ${{ matrix.type.cmd == 'go_core_fuzz' }}
           build-cache-version: ${{ matrix.type.cmd }}
 
       - name: Replace chainlink-evm deps
@@ -220,12 +223,13 @@ jobs:
           go install ./pkg/chainlink/cmd/chainlink-starknet
           popd
 
-      - name: Increase Race Timeout
-        # Increase race timeout for scheduled runs only
+      - name: Increase Timeouts for Fuzz/Race
+        # Increase timeouts for scheduled runs only
         if: ${{ github.event.schedule != '' && needs.filter.outputs.should-run-ci-core == 'true' }}
         run: |
           echo "TIMEOUT=10m" >> $GITHUB_ENV
           echo "COUNT=50" >> $GITHUB_ENV
+          echo "FUZZ_TIMEOUT_MINUTES=10">> $GITHUB_ENV
 
       - name: Install gotestloghelper
         if: ${{ needs.filter.outputs.should-run-ci-core == 'true' }}
@@ -459,20 +463,19 @@ jobs:
           SONAR_SCANNER_OPTS: "-Xms6g -Xmx8g"
 
   trigger-flaky-test-detection-for-root-project:
-    name: Find New Flaky Tests In Root Project
+    name: Find New Flaky Tests In Chainlink Project
     uses: ./.github/workflows/find-new-flaky-tests.yml
     if: ${{ github.event_name == 'pull_request' }}
     with:
       repoUrl: 'https://github.com/smartcontractkit/chainlink'
       projectPath: '.'
       baseRef: ${{ github.base_ref }}
       headRef: ${{ github.head_ref }}
-      runThreshold: '1'
-      runWithRace: true
+      runThreshold: '0.99'
       findByTestFilesDiff: true
       findByAffectedPackages: false
       slackNotificationAfterTestsChannelId: 'C07TRF65CNS' #flaky-test-detector-notifications
-      extraArgs: '{ "skipped_tests": "TestChainComponents" }'
+      extraArgs: '{ "skipped_tests": "TestChainComponents", "run_with_race": "true", "print_failed_tests": "true", "test_repeat_count": "3", "min_pass_ratio": "0.01" }'
     secrets:
       SLACK_BOT_TOKEN: ${{ secrets.QA_SLACK_API_KEY }}
 
@@ -486,12 +489,11 @@ jobs:
       projectPath: 'deployment'
       baseRef: ${{ github.base_ref }}
       headRef: ${{ github.head_ref }}
-      runThreshold: '1'
-      runWithRace: true
+      runThreshold: '0.99'
       findByTestFilesDiff: true
       findByAffectedPackages: false
       slackNotificationAfterTestsChannelId: 'C07TRF65CNS' #flaky-test-detector-notifications
-      extraArgs: '{ "skipped_tests": "TestAddLane" }'
+      extraArgs: '{ "skipped_tests": "TestAddLane", "run_with_race": "true", "print_failed_tests": "true", "test_repeat_count": "3", "min_pass_ratio": "0.01" }'
     secrets:
       SLACK_BOT_TOKEN: ${{ secrets.QA_SLACK_API_KEY }}
 

.github/workflows/delete-caches.yml

@@ -16,27 +16,48 @@ jobs:
       #   See also: https://docs.github.com/en/rest/actions/cache?apiVersion=2022-11-28#delete-a-github-actions-cache-for-a-repository-using-a-cache-id
       actions: write
       contents: read
+    env:
+      REPO: ${{ github.repository }}
+      PR_NUMBER: ${{ github.event.pull_request.number }}
     steps:
       - name: Check out code
         uses: actions/checkout@v4.1.2
 
-      - name: Cleanup Branch Caches
-        run: |
-          gh extension install actions/gh-actions-cache
-
-          REPO=${{ github.repository }}
-          BRANCH=refs/pull/${{ github.event.pull_request.number }}/merge
+      - name: Setup gh-actions-cache extension
+        run: gh extension install actions/gh-actions-cache
 
-          echo "Fetching list of cache key"
-          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1 )
+      - name: Retrieve Trunk SHA
+        id: get-sha
+        run: |
+          SHA=$(gh pr view -R $REPO $PR_NUMBER --json mergeCommit --jq .mergeCommit.oid)
+          echo "sha=$SHA" >> $GITHUB_OUTPUT
 
-          ## Setting this to not fail the workflow while deleting cache keys. 
+      - name: Cleanup Caches
+        env:
+          TRUNK_SHA: ${{ steps.get-sha.outputs.sha }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
           set +e
-          echo "Deleting caches..."
-          for cacheKey in $cacheKeysForPR
-          do
-              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
+
+          PR_BRANCH=refs/pull/$PR_NUMBER/merge          
+          echo "Fetching list of cache keys for the PR branch ($PR_BRANCH)"
+          PR_CACHE_KEYS=$(gh actions-cache list -R $REPO -B $PR_BRANCH | cut -f 1)
+
+          echo "Deleting caches for PR branch ($PR_BRANCH)..."
+          for CACHE_KEY in $PR_CACHE_KEYS; do
+              gh actions-cache delete $CACHE_KEY -R $REPO -B $PR_BRANCH --confirm
           done
+
+          if [[ -n "$TRUNK_SHA" ]]; then
+            echo "Found corresponding merge commit $TRUNK_SHA"
+            QUEUE_BRANCH="gh-readonly-queue/develop/pr-${PR_NUMBER}-${TRUNK_SHA}"
+            echo "Fetching list of cache keys for the merge queue branch ($QUEUE_BRANCH)"            
+            QUEUE_CACHE_KEYS=$(gh actions-cache list -R $REPO -B $QUEUE_BRANCH | cut -f 1)
+
+            echo "Deleting caches for merge queue branch ($QUEUE_BRANCH)..."
+            for CACHE_KEY in $QUEUE_CACHE_KEYS; do
+                gh actions-cache delete $CACHE_KEY -R $REPO -B $QUEUE_BRANCH --confirm
+            done
+          fi
+
           echo "Done"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}