fix update recovery project use github action ci/cd #352
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Circleci project setup
…ndry-rs#10622)
* fix(bindings): ensure forge bind generates snake_case file names
* refactor: use heck crate for snake_case conversion
---------
Co-authored-by: zerosnacks <95942363+zerosnacks@users.noreply.github.com>
- Sign transactions using "eth_signTransaction" on local node with unlocked accounts.
- Same TX building logic as in "cast send --unlocked".
- Added a test case to validate the new functionality.
foundry-rs#10646) chore(wallets): improve error message on signer instantiation failure
* chore: replaced anvil hardforks with alloy hardforks
* fixes
* fixes
* fixes
* removed redundant op and alloy hardforks enum
* fixes
* fixes
* bumped alloy hardforks and kept default to prague and isthmus
* bumped alloy-hardforks and fixes
---------
Co-authored-by: zerosnacks <95942363+zerosnacks@users.noreply.github.com>
* fix(`anvil`): latest evm version should be prague
* fix test
* nit
Bumps the cargo group with 1 update in the / directory: [tracing-subscriber](https://github.com/tokio-rs/tracing).

Updates `tracing-subscriber` from 0.3.19 to 0.3.20
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](tokio-rs/tracing@tracing-subscriber-0.3.19...tracing-subscriber-0.3.20)

---
updated-dependencies:
- dependency-name: tracing-subscriber
  dependency-version: 0.3.20
  dependency-type: direct:production
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
…rgery Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
…#334)
* fix: add Tempo transaction receipt type support in TryFrom conversion (foundry-rs#13047)
  Amp-Thread-ID: https://ampcode.com/threads/T-019bbf45-d7c8-75ed-8c05-bc1638d487ee
  Co-authored-by: Matthias Seitz <matthias.seitz@outlook.de>
  Co-authored-by: Amp <amp@ampcode.com>
* feat(cheatcodes): add getRecordedLogsJson cheatcode (foundry-rs#13093)
  Adds a new cheatcode `getRecordedLogsJson` that returns recorded logs as a JSON string, similar to the existing `getStateDiffJson` pattern. This allows users to easily post-process recorded logs externally without needing to manually transform the Log[] array to JSON.
  JSON format:
  ```json
  [{"topics": ["0x..."], "data": "0x...", "emitter": "0x..."}]
  ```
  Closes foundry-rs#12854
* feat: add Sourcify support to forge clone (foundry-rs#12900)
* Integrate Sourcify API for contract cloning
  Added support for Sourcify API in `forge clone` command.
* Add reqwest dependency with json feature
* Remove unused import in clone.rs
  Removed unused import of BTreeMap.
* Refactor EtherscanClient to ExplorerClient
* Change sourcify module from private to public
* Implement test for sourcify clone functionality
  Add test for cloning with sourcify source
* Update clone.rs
* Add url dependency to Cargo.toml
* cargo fmt
* Enhance Sourcify client with cached creation data
  Updated the Sourcify client to cache creation data and reuse it across API calls, improving efficiency. Modified the contract source code retrieval to include additional creation data fields.
* Improve error handling for contract data retrieval
  Refactor contract source code and creation data retrieval to use fallback values when API requests fail or fields are unavailable.
* Enhance contract_source_code with improved caching
  Updated contract_source_code to include additional fields in the API request and improved caching of creation data. Removed fallback logic for fetching creation data from the API.
* Refactor creation_data handling in clone.rs
  Removed redundant creation_data initialization and caching.
* Refactor response deserialization to use untagged enum
* fix: use serde_json::Value for abi in Sourcify parsing
  The #[serde(untagged)] enum SourcifyContractResponse failed to deserialize because Box<RawValue> doesn't work with untagged enums. RawValue requires borrowing from the original JSON, but untagged enums buffer data during variant matching.
  Changes:
  - Change abi field from Box<RawValue> to serde_json::Value
  - Truncate response in error messages to avoid huge output
* feat: add --sourcify-url option for custom Sourcify API endpoint
* feat: imply --source sourcify when --sourcify-url is specified
* feat: support full path in --sourcify-url
  When --sourcify-url contains v2/contract/chain, only append address and fields instead of building the full path again.
---------
Co-authored-by: grandizzy <grandizzy.the.egg@gmail.com>
* perf: add dist profile for smaller release binaries (foundry-rs#13097)
* perf: add dist profile for smaller release binaries
  Add a new 'dist' Cargo profile optimized for distribution:
  - Fat LTO and codegen-units=1 for better optimization
  - Strip symbols for smaller binaries
  - opt-level="s" overrides for non-perf-critical dependencies
  Benchmarks on Solady test suite show dist is 8% faster than release while being 45% smaller (43MB vs 78MB).
  Update release workflows to use the dist profile instead of maxperf.
* Apply suggestion from @DaniPopes
---------
Co-authored-by: DaniPopes <57450786+DaniPopes@users.noreply.github.com>
* chore(deps): update figment to figment2 v0.11 (foundry-rs#13099)
* chore(deps): update figment to figment2 v0.11
* rename
* feat: add precompile decoding for Prague BLS12-381 and Osaka P256VERIFY (foundry-rs#13094)
* feat: add precompile decoding for Prague BLS12-381 and Osaka P256VERIFY
* wip
* wip
* fix(traces): use raw byte decoding for P256VERIFY precompile
  P256VERIFY (RIP-7212) uses concatenated raw bytes, not ABI encoding:
  - Input: hash (32) + r (32) + s (32) + qx (32) + qy (32) = 160 bytes
  - Output: 32 bytes where 0x...01 means success
* fix(traces): use raw byte decoding for all precompiles
  Precompiles use concatenated raw bytes, not ABI encoding:
  - ecrecover: hash (32) + v (32) + r (32) + s (32), returns address in last 20 bytes
  - sha256/ripemd160: raw input, raw 32-byte output (ripemd in last 20 bytes)
  - ecadd: x1/y1/x2/y2 (32 each), returns x/y (32 each)
  - ecmul: x1/y1/s (32 each), returns x/y (32 each)
  - ecpairing: returns 32-byte bool (1 = success)
  - bls12PairingCheck: returns 32-byte bool (1 = success)
* fix(traces): restore ABI-based precompile decoding
* fix
* fix(anvil): use suggested priority fee by default (foundry-rs#13092)
* fix(anvil): use suggested priority fee by default
* test: fix anvil trace expectations
---------
Co-authored-by: tefyosL-sol <gasgoblinn@gmail.com>
* chore: aggregate PRs (foundry-rs#13100)
* chore: aggregate PRs
  This PR aggregates changes from the following PRs:
  - Closes foundry-rs#13032 by @\splinter012
  - Closes foundry-rs#13059 by @\phrwlk
* fmt
* chore(evm): misleading error message in traces serialization (foundry-rs#13081)
  Co-authored-by: tefyosL-sol <gasgoblinn@gmail.com>
---------
Co-authored-by: Desant pivo <pivasdesant@gmail.com>
Co-authored-by: Matthias Seitz <matthias.seitz@outlook.de>
Co-authored-by: Amp <amp@ampcode.com>
Co-authored-by: grandizzy <38490174+grandizzy@users.noreply.github.com>
Co-authored-by: Avory <avorycorelli@gmail.com>
Co-authored-by: grandizzy <grandizzy.the.egg@gmail.com>
Co-authored-by: onbjerg <onbjerg@users.noreply.github.com>
Co-authored-by: DaniPopes <57450786+DaniPopes@users.noreply.github.com>
Co-authored-by: Theodore Solis <gasgobling@gmail.com>
Co-authored-by: tefyosL-sol <gasgoblinn@gmail.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Update vergen from v8 to v9 API:
- vergen = "9" with features ["build", "cargo"]
- vergen-git2 = "9"
- Update build.rs: EmitBuilder -> Emitter + BuildBuilder + Git2Builder
* feat(cast): add eip7594 support
  - Added support for EIP-7594 (PeerDAS) in transaction handling, allowing users to specify blob transactions using the new format.
  - Added tests for both EIP-4844 and EIP-7594 blob transactions in the CLI.
* Use EIP-7594 format by default
…ry-rs#13114)
* feat(cast): add --curl flag to output equivalent curl commands
  Adds a `--curl` flag to cast RPC commands that outputs the equivalent curl command instead of executing the RPC request. This is useful when working with systems that have curl but not cast installed.
  Example:
    $ cast bn --curl -r https://eth.example.com
    curl -X POST -H 'Content-Type: application/json' --data-raw '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}' 'https://eth.example.com'
  Supported commands:
  - cast rpc
  - cast block-number (bn)
  - cast chain-id
  - cast gas-price
  The flag respects configured headers and JWT authentication, including them in the generated curl command.
  Co-authored-by: Amp <amp@ampcode.com>
  Amp-Thread-ID: https://ampcode.com/threads/T-019bc94c-581c-71ed-aca2-19ab23ccf77b
* feat(cast call): add --curl support
  Enables the --curl flag for cast call to print equivalent curl commands instead of executing the RPC request.
* feat(cast send): add --curl support
  Enables the --curl flag for cast send to print equivalent curl commands instead of executing the RPC request.
* feat(cast erc20): add --curl support to all subcommands
  Enables the --curl flag for all cast erc20 subcommands (balance, transfer, approve, allowance, name, symbol, decimals, total-supply, mint, burn) to print equivalent curl commands instead of executing the RPC request.
* test(cast): add CLI tests for --curl flag
  Adds tests for:
  - cast rpc --curl
  - cast block-number --curl
  - cast chain-id --curl
  - cast gas-price --curl
  - cast call --curl
  - cast erc20 balance --curl
  - cast erc20 name --curl
  - cast erc20 decimals --curl
  - cast erc20 total-supply --curl
  Each test verifies the generated curl command contains:
  - curl -X POST
  - Content-Type: application/json header
  - The correct RPC method
  - The target URL
  Amp-Thread-ID: https://ampcode.com/threads/T-019bc94c-581c-71ed-aca2-19ab23ccf77b
  Co-authored-by: Amp <amp@ampcode.com>
* fix: clippy lints in curl_transport
  - Use inlined format args for escaped_payload
  - Replace println! with crate::sh_println! (disallowed macro)
  - Remove redundant clone in Service impl for &CurlTransport
* chore: fix rustfmt
* fix(cast call): handle --curl mode early to avoid RPC calls
  The --curl flag was not working correctly for 'cast call' because the command made RPC calls (get_chain, ENS resolution) before the actual eth_call was made. The CurlTransport would intercept the first RPC call and exit, outputting eth_chainId instead of eth_call.
  This fix adds a run_curl() method that:
  1. Handles --curl mode before any provider interaction
  2. Manually encodes function signature and args
  3. Constructs the eth_call JSON-RPC request
  4. Uses generate_curl_command helper to output the curl command
  ENS names are not supported in --curl mode since they require RPC calls to resolve.
* test: update expected output for cast_send_estimate_gas_error
  The error decoding behavior changed - the decoded error name and arguments are no longer appended to the error message. Update the expected test output to match the current behavior.
* fix(curl): add standalone generate_curl_command function
  Add a public generate_curl_command function that can be used to generate curl commands without going through the CurlTransport layer. This is needed by cast call --curl to generate the eth_call curl command early before any RPC calls are made.
* fix: clippy and rustfmt issues, restore test expected output
  - Remove redundant hex import in call.rs tests (clippy)
  - Fix rustfmt by breaking method chain across lines
  - Restore AddressInsufficientBalance suffix in test expected output
---------
Co-authored-by: Amp <amp@ampcode.com>
Co-authored-by: Tempo AI <amp@tempoxyz.slack.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
… in path expression (#347) Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* benches\LATEST.md
* Update benches/LATEST.md
  Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
  Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
---------
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
Sorry @Dargon789, your pull request is larger than the review limit of 150000 diff characters
✅ Snyk checks have passed. No issues have been found so far.
Summary of Changes
Hello @Dargon789, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request delivers a substantial update to the Foundry ecosystem, integrating support for emerging Ethereum transaction types and enhancing developer tooling. It introduces full compatibility for Tempo transactions and the EIP-7594 (PeerDAS) blob transaction format, alongside new precompile tracing. The
Highlights
Code Review
This pull request introduces a wide range of updates, including significant dependency upgrades, new features like Sourcify support in forge clone and a cast trace command, and extensive refactoring for Tempo transaction support. While the majority of the changes are well-implemented and include corresponding tests, there are several issues in the newly added CircleCI configuration files that need to be addressed. Specifically, there's redundancy and invalid YAML syntax in some of the CI files.
| let name = file.file_name().unwrap(); | ||
| let file = entry?.path(); | ||
| // Only operate on regular files to avoid following symlinks or directories | ||
| let metadata = fs::symlink_metadata(&file)?; |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression
This autofix suggestion was applied.
Copilot Autofix
AI 4 months ago
In general, to fix uncontrolled path usage you either (1) validate or canonicalize the path and ensure it resides within a trusted base directory before using it, or (2) restrict operations to simple file names and prevent path traversal. Here we already compute canonical_from_dir and later ensure that the canonicalized file path starts with this directory. The simplest improvement, consistent with existing behavior, is to canonicalize each entry path once, verify it is inside canonical_from_dir, and then use this vetted canonical path both for the file-type check (symlink_metadata) and for the eventual copy. This moves the sink (fs::symlink_metadata) to operate only on a sanitized path, addressing the CodeQL concern.
Concretely, in copy_testdata in crates/test-utils/src/script.rs, we will:
- Canonicalize file immediately into canonical_file, and if that fails, skip the entry.
- Call fs::symlink_metadata on canonical_file instead of on file.
- Use canonical_file when copying (while still using the validated name for the destination).
- Remove the now-redundant later file.canonicalize() block, since we already canonicalize and check containment once.
This keeps behavior equivalent (we still only process regular files within canonical_from_dir with safe names) while ensuring the tainted input is sanitized before being passed to any filesystem metadata or copy operations.
| @@ -123,13 +123,21 @@ | ||
| fs::create_dir_all(&to_dir)?; | ||
| for entry in fs::read_dir(&from_dir)? { | ||
| let file = entry?.path(); | ||
| // Canonicalize the file path and ensure it stays within canonical_from_dir | ||
| let canonical_file = match file.canonicalize() { | ||
| Ok(path) => path, | ||
| Err(_) => continue, | ||
| }; | ||
| if !canonical_file.starts_with(&canonical_from_dir) { | ||
| continue; | ||
| } | ||
| // Only operate on regular files to avoid following symlinks or directories | ||
| let metadata = fs::symlink_metadata(&file)?; | ||
| let metadata = fs::symlink_metadata(&canonical_file)?; | ||
| let ftype = metadata.file_type(); | ||
| if !ftype.is_file() { | ||
| continue; | ||
| } | ||
| let name = match file.file_name() { | ||
| let name = match canonical_file.file_name() { | ||
| Some(name) => name, | ||
| None => continue, | ||
| }; | ||
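Review bot: `fs::symlink_metadata(&canonical_file)` can no longer see a symlink, because `file.canonicalize()` has already resolved it, so the comment "Only operate on regular files to avoid following symlinks or directories" no longer holds. An entry that is a link to a regular file inside canonical_from_dir now passes `is_file()` and is copied, where `symlink_metadata(&file)` would have skipped it. Keep the type check on `file` and run it before canonicalizing. Taking `name` from `canonical_file.file_name()` changes the destination in the same way: it becomes the link target's name rather than the entry's. Finally, `Err(_) => continue` hides canonicalization failures while the metadata call on the next line still propagates its error with `?`; pick one policy for both.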
| @@ -139,15 +142,7 @@ | ||
| // Skip invalid (potentially dangerous) file names | ||
| continue; | ||
| } | ||
| // Verify canonicalized file is in canonical_from_dir to avoid symlink traversal | ||
| if let Ok(canonical_file) = file.canonicalize() { | ||
| if !canonical_file.starts_with(&canonical_from_dir) { | ||
| continue; | ||
| } | ||
| } else { | ||
| continue; | ||
| } | ||
| fs::copy(&file, to_dir.join(name))?; | ||
| fs::copy(&canonical_file, to_dir.join(name))?; | ||
| } | ||
| Ok(()) | ||
| } |
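Review bot: `fs::copy(&canonical_file, to_dir.join(name))` acts on a path that was resolved and checked at the top of the loop body, so the containment test and the copy are separate filesystem lookups and the directory can change between them. If from_dir only ever holds trusted test data, state that in a comment next to the copy; otherwise open the source once and copy from that handle. The deleted comment was also the only place that said the containment check exists "to avoid symlink traversal"; carry that wording up to the new check so the reason is not lost.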
| continue; | ||
| } | ||
| fs::copy(file, to_dir.join(name))?; | ||
| fs::copy(&file, to_dir.join(name))?; |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression
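The containment pattern the autofix text describes, as an added example that is not code from this pull request or from Foundry: the entry type is checked with symlink_metadata before the path is canonicalized, then the resolved path is checked against the canonical base. The names copy_regular_files and demo, and the directory tree, are constructed for illustration; the block is Unix-only because it creates symlinks.

```rust
use std::{fs, io, os::unix::fs::symlink, path::Path};

/// Hypothetical helper (not Foundry's `copy_testdata`): copies the regular files
/// directly inside `from_dir` into `to_dir` and returns the copied names, sorted.
pub fn copy_regular_files(from_dir: &Path, to_dir: &Path) -> io::Result<Vec<String>> {
    // Resolve the trusted base once; every entry is compared against it.
    let base = from_dir.canonicalize()?;
    fs::create_dir_all(to_dir)?;
    let mut copied = Vec::new();
    for entry in fs::read_dir(&base)? {
        let path = entry?.path();
        // Check the entry itself, without following links, BEFORE resolving it.
        // After canonicalize() a symlink is indistinguishable from its target.
        if !fs::symlink_metadata(&path)?.file_type().is_file() {
            continue; // symlink, directory, socket, ...
        }
        // Containment check on the resolved path.
        let resolved = match path.canonicalize() {
            Ok(p) if p.starts_with(&base) => p,
            _ => continue,
        };
        // The destination name comes from the directory entry, not the target.
        let Some(name) = path.file_name().and_then(|n| n.to_str()) else {
            continue;
        };
        fs::copy(&resolved, to_dir.join(name))?;
        copied.push(name.to_owned());
    }
    copied.sort();
    Ok(copied)
}

/// Builds a constructed directory tree and runs the copy over it.
pub fn demo() -> io::Result<Vec<String>> {
    let root = std::env::temp_dir().join(format!("copy_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    let (src, outside, dst) = (root.join("src"), root.join("outside"), root.join("dst"));
    fs::create_dir_all(src.join("subdir"))?;
    fs::create_dir_all(&outside)?;
    fs::write(src.join("ok.txt"), "fixture")?;
    fs::write(outside.join("secret.txt"), "not test data")?;
    symlink(outside.join("secret.txt"), src.join("escape.txt"))?; // leaves the base
    symlink(src.join("ok.txt"), src.join("alias.txt"))?; // stays inside the base
    let copied = copy_regular_files(&src, &dst)?;
    // Only the real file may exist in the destination.
    assert!(!dst.join("escape.txt").exists() && !dst.join("alias.txt").exists());
    fs::remove_dir_all(&root)?;
    Ok(copied)
}

fn main() -> io::Result<()> {
    println!("copied: {:?}", demo()?);
    Ok(())
}
```

Both links are skipped by the type check alone; the containment check is what still protects the copy when a parent directory, rather than the entry itself, is a link.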
… in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Circleci project setup #47