fix(ci): workflow correctness and consistency fixes #33

Merged. iap merged 1 commit into dev from fix/workflow-correctness on May 7, 2026.

Conversation

iap (Contributor) commented May 7, 2026

Summary

Eight correctness and consistency fixes across CI workflows and supporting scripts.

Changes

  • contracts-mainnet-readiness.yml, release-gate.Dockerfile: pin slither-analyzer==0.11.5 to match the reusable Slither workflow
  • secrets-drift-guard.yml: remove overbroad 0x[hex]{64} pattern that flagged any bytes32 constant; tighten to key-assignment context only
  • scripts/github/verify-governance.sh: skip dismiss_stale_reviews check on dev (0 required approvals, no reviews to dismiss)
  • contracts-evidence-manifest.yml: add canary to push trigger (was missing alongside main and dev)
  • contracts-release-gate-container.yml: use inputs context instead of github.event.inputs; add Docker Buildx setup for layer caching
  • contracts-ci.yml: fix wait-port to use port number instead of full URL
  • release-pr-checklist.yml, release-evidence-validator.yml: add comment explaining pull_request_target usage
  • contracts/script/ci/run-release-gate-container.sh: add --cache-from/--cache-to type=gha to Docker build

Scope

  • .github/workflows
  • contracts/docker
  • contracts/script/ci
  • scripts/github

Risk

Low. No contract logic or test changes. The secrets-drift-guard pattern change reduces false positives; real private key leaks are still caught by the key-assignment pattern and the dedicated Gitleaks scan.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflows to improve CI/CD reliability and consistency.
    • Pinned dependency versions for deterministic container builds.
    • Enhanced Docker build caching for faster and more efficient CI execution.
    • Refined branch protection verification logic to support conditional enforcement across different deployment branches.
    • Added clarifying documentation to workflow files regarding security and permissions handling.

- Pin slither-analyzer==0.11.5 in contracts-mainnet-readiness.yml and
  release-gate.Dockerfile to match the reusable Slither workflow
- Remove overbroad 0x[hex]{64} pattern from secrets-drift-guard that
  caused false positives on bytes32 constants; tighten to require
  key-assignment context (PRIVATE_KEY=, MNEMONIC=, SEED_PHRASE=)
- Fix verify-governance.sh to skip dismiss_stale_reviews check on dev
  branch which has 0 required approvals
- Add canary to contracts-evidence-manifest.yml push trigger
- Fix github.event.inputs -> inputs context in release-gate-container
- Fix wait-port URL to port number in contracts-ci.yml integration test
- Add pull_request_target comment in release-pr-checklist and
  release-evidence-validator explaining why it is used
- Add Docker Buildx setup and GHA layer caching to release-gate-container
  workflow and run-release-gate-container.sh
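The secrets-drift-guard change above swaps a bare 32-byte hex pattern for one that requires a key-assignment context. The shell snippet below is an added example, not the repository's workflow step: it runs both patterns with grep -E over constructed sample lines so the false positive on a bytes32 constant and the surviving true positives are visible, and it adds a variant that also accepts a quoted multi-word phrase after the key name. The placeholder hex values, the sample text and the EXT_PATTERN variant are this example's own assumptions.

```shell
#!/usr/bin/env sh
# Added example: contrasts the removed bare-hex pattern with the key-assignment
# pattern on constructed input. Not the repository's secrets-drift-guard step.

# Constructed sample lines. The hex strings are repeated placeholder bytes,
# not real key material; the mnemonic has the shape of a test phrase only.
SAMPLE=$(cat <<'EOF'
bytes32 constant ROLE_HASH = 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
PRIVATE_KEY=0xabababababababababababababababababababababababababababababababab
MNEMONIC="test test test test test test test test test test test junk"
SEED_PHRASE: correct-horse-battery-staple-placeholder
# PRIVATE_KEY is injected by the runner at deploy time
export RPC_URL=https://example.invalid
EOF
)

# Removed pattern: any 32-byte hex literal. It cannot tell a role hash or a
# storage-slot constant from a key, so every bytes32 constant was flagged.
OLD_PATTERN='0x[0-9a-fA-F]{64}'

# Tightened pattern from the PR (as quoted in the review): a key name, an
# assignment (= or :), then a contiguous token of 12+ non-space characters.
KEY_PATTERN='(MNEMONIC|SEED_PHRASE|PRIVATE_KEY)[[:space:]]*[:=][[:space:]]*[^[:space:]]{12,}'

# Extended variant (this example's assumption): also accept a single- or
# double-quoted value containing whitespace, so quoted seed phrases match.
EXT_PATTERN="(MNEMONIC|SEED_PHRASE|PRIVATE_KEY)[[:space:]]*[:=][[:space:]]*([^[:space:]]{12,}|\"[^\"]*[[:space:]][^\"]*\"|'[^']*[[:space:]][^']*')"

# Number of sample lines matched by an ERE. grep -c exits 1 on zero matches,
# which is not an error for a count.
count_hits() {
  printf '%s\n' "$SAMPLE" | grep -Ec -- "$1" || true
}

# Shape of the CI step: print offending lines with numbers and fail the job.
secrets_guard() {
  if printf '%s\n' "$SAMPLE" | grep -En -- "$1"; then
    echo "secrets-drift-guard: key material assigned in plain text" >&2
    return 1
  fi
  return 0
}

echo "old pattern hits: $(count_hits "$OLD_PATTERN")"   # 2, one of them the bytes32 constant
echo "key pattern hits: $(count_hits "$KEY_PATTERN")"   # 2, both real assignments
echo "ext pattern hits: $(count_hits "$EXT_PATTERN")"   # 3, adds the quoted mnemonic
secrets_guard "$KEY_PATTERN" || echo "guard would fail this commit (expected)"
```

The commented line mentioning PRIVATE_KEY is not flagged by either new pattern because no assignment operator follows the key name, which is exactly the context requirement the PR introduces; the patterns are case-sensitive, so lower-case key names would need grep -i or an explicit alternation.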
@iap iap requested a review from a team as a code owner May 7, 2026 18:09
github-actions (bot) commented May 7, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/contracts-release-gate-container.yml

Package | Version | License | Issue Type
docker/setup-buildx-action | 3.*.* | Null | Unknown License

OpenSSF Scorecard

Package | Version | Score
actions/docker/setup-buildx-action | 3.*.* | 🟢 8.6

Details

Check | Score | Reason
Code-Review | 🟢 10 | all changesets reviewed
Security-Policy | 🟢 9 | security policy file detected
Maintained | 🟢 10 | 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Fuzzing | ⚠️ 0 | project is not fuzzed
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
License | 🟢 10 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Packaging | 🟢 10 | packaging workflow detected
Pinned-Dependencies | 🟢 7 | dependency not pinned by hash detected -- score normalized to 7
SAST | 🟢 10 | SAST tool is run on all commits

Scanned Files

  • .github/workflows/contracts-release-gate-container.yml

coderabbitai (bot) commented May 7, 2026

Walkthrough

This PR updates GitHub Actions workflows, container build configuration, and branch governance scripts to pin slither-analyzer dependencies, add BuildKit GitHub Actions caching to Docker builds, extend workflow triggers to include the canary branch, improve secret detection patterns, document security assumptions, and conditionally enforce stale review dismissal on protected branches.

Changes

CI Infrastructure and Governance Updates

Dependency Pinning
  • Files: .github/workflows/contracts-mainnet-readiness.yml, contracts/docker/release-gate.Dockerfile
  • Summary: slither-analyzer is pinned to version 0.11.5 across workflow and Dockerfile, replacing unpinned pip install commands.

Container Build and Release Gate
  • Files: .github/workflows/contracts-release-gate-container.yml, contracts/script/ci/run-release-gate-container.sh
  • Summary: Docker BuildKit cache is enabled via --cache-from and --cache-to flags in the build script; workflow dispatch input is updated to use inputs.gate_mode instead of github.event.inputs.gate_mode; docker/setup-buildx-action@v3 is added before the build step.

Workflow Triggers and Execution Steps
  • Files: .github/workflows/contracts-ci.yml, .github/workflows/contracts-evidence-manifest.yml
  • Summary: contracts-evidence-manifest workflow trigger is extended to include canary branch alongside main; contracts-ci supersim readiness check changes from HTTP endpoint (http://127.0.0.1:8420/ready) to direct port monitoring (pnpm wait-port 8420).

Security and Governance Rules
  • Files: .github/workflows/secrets-drift-guard.yml, .github/workflows/release-evidence-validator.yml, .github/workflows/release-pr-checklist.yml, scripts/github/verify-governance.sh
  • Summary: Secret detection regex is updated for more portable mnemonic/seed/private-key pattern matching; pull_request_target security assumptions are documented in two workflows; verify-governance.sh adds a require_stale parameter to conditionally enforce dismiss_stale_reviews on branches (dev does not require it; canary and main do).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • trade/mark#19: Makes targeted updates to the same release-gate workflows, Dockerfile, run-release-gate script, and verify-governance.sh branch-check behavior introduced in this PR.

Suggested labels

codex

Poem

A rabbit hops through CI gates,
Pinning versions, oh how it rates!
BuildKit cache speeds up the flow,
Governance rules help branches grow.
🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title accurately summarizes the primary changes: fixing and improving consistency in CI workflows and supporting scripts across multiple files.
Description check | ✅ Passed | The description is comprehensive and well-structured, covering the summary, specific changes, scope, and risk assessment. All key modifications are documented clearly.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6c1094573d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Inline comment threads: .github/workflows/contracts-ci.yml, contracts/script/ci/run-release-gate-container.sh
coderabbitai (bot) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/contracts-release-gate-container.yml:
- Around line 43-44: The setup-buildx step is redundant because the script uses
plain docker build; update the CI to actually use the created builder by
changing the build invocation in
contracts/script/ci/run-release-gate-container.sh from docker build to docker
buildx build (preserve existing flags, add --load or --push as needed for local
image usage) so the docker/setup-buildx-action@v3-created builder is used;
alternatively remove the docker/setup-buildx-action@v3 step if you prefer to
keep docker build (option B).

In @.github/workflows/secrets-drift-guard.yml:
- Line 45: Update the secrets-drift guard regex that currently matches
"(MNEMONIC|SEED_PHRASE|PRIVATE_KEY)[[:space:]]*[:=][[:space:]]*[^[:space:]]{12,}"
so it also detects quoted multi-word seed phrases; replace that pattern with one
that accepts either a contiguous token of 12+ non-space chars OR a quoted string
(single or double quotes) containing spaces, e.g. a pattern that alternates
between [^[:space:]]{12,} and "(...)" or '(...)'. Keep the same capture group
for the keys (MNEMONIC|SEED_PHRASE|PRIVATE_KEY) and preserve the existing
whitespace+assignment matching when making this substitution.

In @contracts/script/ci/run-release-gate-container.sh:
- Around line 15-20: The docker build invocation uses --cache-to "type=gha"
which will fail outside GitHub Actions; guard adding the cache flags by checking
for ACTIONS_CACHE_URL and ACTIONS_RUNTIME_TOKEN (or at least ACTIONS_CACHE_URL)
before including --cache-to (and optionally --cache-from) in the docker build
command so local runs (IMAGE_TAG default mark-release-gate:local) skip the GHA
cache export; modify the script around the docker build block to conditionally
append the --cache-to/--cache-from flags when those env vars are present and
fall back to a plain docker build when they are absent.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b0986870-f672-4f4d-9911-6965906ecd6e

📥 Commits

Reviewing files that changed from the base of the PR and between 98e49c1 and 6c10945.

📒 Files selected for processing (10)
  • .github/workflows/contracts-ci.yml
  • .github/workflows/contracts-evidence-manifest.yml
  • .github/workflows/contracts-mainnet-readiness.yml
  • .github/workflows/contracts-release-gate-container.yml
  • .github/workflows/release-evidence-validator.yml
  • .github/workflows/release-pr-checklist.yml
  • .github/workflows/secrets-drift-guard.yml
  • contracts/docker/release-gate.Dockerfile
  • contracts/script/ci/run-release-gate-container.sh
  • scripts/github/verify-governance.sh

Inline comment threads: .github/workflows/contracts-release-gate-container.yml, .github/workflows/secrets-drift-guard.yml, contracts/script/ci/run-release-gate-container.sh
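CodeRabbit's two points on run-release-gate-container.sh (use docker buildx build so the builder created by docker/setup-buildx-action@v3 is actually used, and add the gha cache flags only where the Actions cache service exists) can be handled in one place. The function below is an added example, not the repository's script: it assembles the build command in the positional parameters, adds --load so the image lands in the local image store when the docker-container driver is active, and appends --cache-from/--cache-to type=gha only when ACTIONS_RUNTIME_TOKEN and a cache endpoint variable are set. DRY_RUN, BUILD_CONTEXT, DOCKERFILE and the ACTIONS_RESULTS_URL fallback are this example's own assumptions; IMAGE_TAG's default mark-release-gate:local and the Dockerfile path come from the PR.

```shell
#!/usr/bin/env sh
# Added example, not the repository's run-release-gate-container.sh. Builds the
# release-gate image through buildx and only exports a GHA layer cache when the
# Actions cache service is reachable, so local runs do not fail on type=gha.

# BuildKit's gha cache backend reads the cache endpoint and runtime token from
# the environment. Older runners set ACTIONS_CACHE_URL, newer ones
# ACTIONS_RESULTS_URL; either one plus the token is enough. With neither, the
# exporter errors out, which is the local-run failure the review flagged.
gha_cache_available() {
  [ -n "${ACTIONS_RUNTIME_TOKEN:-}" ] || return 1
  [ -n "${ACTIONS_CACHE_URL:-}" ] || [ -n "${ACTIONS_RESULTS_URL:-}" ]
}

# Assemble the command in the positional parameters (no eval, no word-splitting
# surprises), then run it, or print it one token per line when DRY_RUN=1
# (an assumption of this example, for inspection and tests).
run_release_gate_build() {
  set -- docker buildx build \
    --load \
    -t "${IMAGE_TAG:-mark-release-gate:local}" \
    -f "${DOCKERFILE:-contracts/docker/release-gate.Dockerfile}"
  if gha_cache_available; then
    # mode=max also caches intermediate stages, not only the final image layers
    set -- "$@" --cache-from type=gha --cache-to type=gha,mode=max
  else
    echo "gha cache not available; building without cache export" >&2
  fi
  set -- "$@" "${BUILD_CONTEXT:-.}"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
    return 0
  fi
  "$@"
}

# Show the command that would run in the current environment.
DRY_RUN=1 run_release_gate_build
```

Because setup-buildx-action's default docker-container driver keeps build output inside the builder, --load is what makes the resulting image available to the later steps that run the release gate from it; on a plain docker driver the flag is accepted and harmless.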