From 27c6e74f66dfd520ddb85503f8fe803312697e15 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 18 Sep 2024 10:21:39 -0500 Subject: [PATCH 1/5] ci: Fix issue with github_env echo statements **Details**: Updates the OPERATOR_KEY_MAIN environment variable storage to use a masked value. **Related Issues**: Fixes: #3011 Signed-off-by: Roger Barker --- .github/workflows/acceptance-workflow.yml | 4 +++- .github/workflows/conformity-workflow.yml | 14 +++++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/acceptance-workflow.yml b/.github/workflows/acceptance-workflow.yml index ac5810f571..c5f862b34d 100644 --- a/.github/workflows/acceptance-workflow.yml +++ b/.github/workflows/acceptance-workflow.yml @@ -73,7 +73,9 @@ jobs: if: ${{ inputs.operator_id }} run: | echo "OPERATOR_ID_MAIN=${{ inputs.operator_id }}" >> $GITHUB_ENV - echo "OPERATOR_KEY_MAIN=${{ inputs.operator_key }}" >> $GITHUB_ENV + OPERATOR_KEY=${{ inputs.operator_key}} + echo "::add-mask::${OPERATOR_KEY}" + echo "OPERATOR_KEY_MAIN=${OPERATOR_KEY}" >> $GITHUB_ENV - name: Run hedera local run: npx hedera restart -d --network-tag=${{inputs.networkTag}} --mirror-tag=${{inputs.mirrorTag}} --verbose=trace diff --git a/.github/workflows/conformity-workflow.yml b/.github/workflows/conformity-workflow.yml index 71545d8bbe..9d923ce869 100644 --- a/.github/workflows/conformity-workflow.yml +++ b/.github/workflows/conformity-workflow.yml @@ -12,6 +12,11 @@ jobs: runs-on: smart-contracts-linux-medium steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout execution-apis repo uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: 
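Review bot: `OPERATOR_KEY=${{ inputs.operator_key}}` splices the raw input into the shell script text before bash runs it, so the key is still present in the rendered script, and a value containing spaces or shell metacharacters would be interpreted rather than assigned; the conformity-workflow hunk at `@@ -76,7 +86,9 @@` has the same line. Passing the input through the step's `env:` block and reading it from the shell avoids the interpolation, e.g. `env:` / `  OPERATOR_KEY: ${{ inputs.operator_key }}` with `echo "::add-mask::${OPERATOR_KEY}"` unchanged in `run:` (later commits in this series move the value to `secrets.operator_key`, which is the better source). Quoting `"$GITHUB_ENV"` on the redirections and restoring the space in `${{ inputs.operator_key }}` would match the surrounding lines.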
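Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and blocks none, so the step adds visibility but no enforcement for this job; the same step is added at `@@ -43,6 +48,11 @@`. Once the audit output from a few runs shows the stable set of endpoints, tightening to `egress-policy: block` with an `allowed-endpoints:` list is the usual follow-up. The action is pinned to a full commit SHA with a version comment, which is the right way to reference it.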
@@ -43,6 +48,11 @@ jobs: needs: clone-and-build-execution-apis steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 @@ -76,7 +86,9 @@ jobs: if: ${{ inputs.operator_id }} run: | echo "OPERATOR_ID_MAIN=${{ inputs.operator_id }}" >> $GITHUB_ENV - echo "OPERATOR_KEY_MAIN=${{ inputs.operator_key }}" >> $GITHUB_ENV + OPERATOR_KEY=${{ inputs.operator_key}} + echo "::add-mask::${OPERATOR_KEY}" + echo "OPERATOR_KEY_MAIN=${OPERATOR_KEY}" >> $GITHUB_ENV - name: Run hedera local run: npx hedera restart -d --network-tag=${{inputs.networkTag}} --mirror-tag=${{inputs.mirrorTag}} --verbose=trace From 9f1c9144f06eed82be1d9c552f13e579649398aa Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 18 Sep 2024 11:10:12 -0500 Subject: [PATCH 2/5] Updated how we pass operator_key to acceptance workflow Signed-off-by: Roger Barker --- .github/workflows/acceptance-public.yml | 12 ++++++++++++ .github/workflows/acceptance-workflow.yml | 15 +++++++-------- .github/workflows/conformity-workflow.yml | 17 +++++++++-------- 3 files changed, 28 insertions(+), 16 deletions(-) diff --git a/.github/workflows/acceptance-public.yml b/.github/workflows/acceptance-public.yml index cee001eaaf..7284d724e2 100644 --- a/.github/workflows/acceptance-public.yml +++ b/.github/workflows/acceptance-public.yml @@ -27,6 +27,7 @@ jobs: testfilter: api_batch1 envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} api_batch_2: @@ -36,6 +37,7 @@ jobs: testfilter: api_batch2 envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} api_batch_3: 
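Review bot: The value handed to `secrets: operator_key:` is still `${{ inputs.operator_key }}`, so masking only starts once the called workflow receives it; whatever supplies that input at the top of acceptance-public.yml (not visible in this hunk) is where the key is exposed, and if it is a `workflow_dispatch` input it is stored in plaintext in the run's inputs and visible to anyone who can view the run. Sourcing it from a repository or environment secret, e.g. `operator_key: ${{ secrets.OPERATOR_KEY }}` (placeholder name), keeps it out of run metadata. The same line is repeated in each of the other job hunks of this file (`@@ -36` through `@@ -129`), so one fix applies to all of them.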
@@ -45,6 +47,7 @@ jobs: testfilter: api_batch3 envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} erc20: @@ -54,6 +57,7 @@ jobs: testfilter: erc20 envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} ratelimiter: @@ -63,6 +67,7 @@ jobs: testfilter: ratelimiter envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} tokencreate: @@ -72,6 +77,7 @@ jobs: testfilter: tokencreate envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} tokenmanagement: @@ -81,6 +87,7 @@ jobs: testfilter: tokenmanagement envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} htsprecompilev1: @@ -90,6 +97,7 @@ jobs: testfilter: htsprecompilev1 envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} precompilecalls: @@ -99,6 +107,7 @@ jobs: testfilter: precompile envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} websocket-batch-1: @@ -109,6 +118,7 @@ jobs: test_ws_server: true envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} websocket-batch-2: @@ -119,6 +129,7 @@ jobs: test_ws_server: true envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} websocket-batch-3: @@ -129,6 +140,7 @@ jobs: test_ws_server: true envfile: ${{ inputs.network }}Acceptance.env operator_id: ${{ inputs.operator_id }} + secrets: operator_key: ${{ inputs.operator_key }} publish_results: 
diff --git a/.github/workflows/acceptance-workflow.yml b/.github/workflows/acceptance-workflow.yml index c5f862b34d..b991f14581 100644 --- a/.github/workflows/acceptance-workflow.yml +++ b/.github/workflows/acceptance-workflow.yml @@ -17,9 +17,6 @@ on: operator_id: required: false type: string - operator_key: - required: false - type: string networkTag: required: false type: string @@ -29,6 +26,10 @@ on: relayTag: required: false type: string + secrets: + operator_key: + description: 'The ED25519 or ECDSA DER encoded private key of the operator' + required: false jobs: acceptance-workflow: @@ -71,14 +72,12 @@ jobs: - name: Set operator id and key env variable if CI is manual if: ${{ inputs.operator_id }} - run: | - echo "OPERATOR_ID_MAIN=${{ inputs.operator_id }}" >> $GITHUB_ENV - OPERATOR_KEY=${{ inputs.operator_key}} - echo "::add-mask::${OPERATOR_KEY}" - echo "OPERATOR_KEY_MAIN=${OPERATOR_KEY}" >> $GITHUB_ENV + run: echo "OPERATOR_ID_MAIN=${{ inputs.operator_id }}" >> $GITHUB_ENV - name: Run hedera local run: npx hedera restart -d --network-tag=${{inputs.networkTag}} --mirror-tag=${{inputs.mirrorTag}} --verbose=trace + env: + OPERATOR_KEY_MAIN: ${{ secrets.operator_key }} - name: Stop relay run: docker stop json-rpc-relay json-rpc-relay-ws diff --git a/.github/workflows/conformity-workflow.yml b/.github/workflows/conformity-workflow.yml index 9d923ce869..ca0a83cfc1 100644 --- a/.github/workflows/conformity-workflow.yml +++ b/.github/workflows/conformity-workflow.yml 
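Review bot: `OPERATOR_KEY_MAIN` is now defined only in the `env:` of the "Run hedera local" step in the `@@ -71,14 +72,12 @@` hunk, whereas the removed `>> $GITHUB_ENV` export made it available to every later step of the job; if a step further down (outside this hunk) reads `OPERATOR_KEY_MAIN`, it now runs without it. If that is the case, the job-level `env:` block is the place for it — `env:` / `  OPERATOR_KEY_MAIN: ${{ secrets.operator_key }}` — which also keeps it alongside where `OPERATOR_ID_MAIN` ends up later in this series. Using `secrets.operator_key` instead of a shell export is the right direction, since the value no longer passes through the script text.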
@@ -82,16 +82,17 @@ jobs: - name: Install hedera local run: npm install @hashgraph/hedera-local -g - - name: Set operator id and key env variable if CI is manual - if: ${{ inputs.operator_id }} - run: | - echo "OPERATOR_ID_MAIN=${{ inputs.operator_id }}" >> $GITHUB_ENV - OPERATOR_KEY=${{ inputs.operator_key}} - echo "::add-mask::${OPERATOR_KEY}" - echo "OPERATOR_KEY_MAIN=${OPERATOR_KEY}" >> $GITHUB_ENV +# Note: this step will never run as there are no input parameters on the workflow file or job. +# - name: Set operator id env variable if CI is manual +# if: ${{ inputs.operator_id }} +# run: | +# echo "OPERATOR_ID_MAIN=${{ inputs.operator_id }}" >> $GITHUB_ENV + - name: Run hedera local - run: npx hedera restart -d --network-tag=${{inputs.networkTag}} --mirror-tag=${{inputs.mirrorTag}} --verbose=trace + # Note: Since there are no input parameters to the workflow or job network tag and mirror tag are ALWAYS blank on this step + #run: npx hedera restart -d --network-tag=${{inputs.networkTag}} --mirror-tag=${{inputs.mirrorTag}} --verbose=trace + run: npx hedera restart -d --network-tag="" --mirror-tag="" --verbose=trace - name: Stop relay run: docker stop json-rpc-relay json-rpc-relay-ws From d2158f0b94f1371531eea0608ce2be2d7603d585 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 18 Sep 2024 11:19:31 -0500 Subject: [PATCH 3/5] Clean up title of Set Operator ID step Signed-off-by: Roger Barker --- .github/workflows/acceptance-workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/acceptance-workflow.yml b/.github/workflows/acceptance-workflow.yml index b991f14581..25c729d1db 100644 --- a/.github/workflows/acceptance-workflow.yml +++ b/.github/workflows/acceptance-workflow.yml 
@@ -70,7 +70,7 @@ jobs: - name: Install hedera local run: npm install @hashgraph/hedera-local -g - - name: Set operator id and key env variable if CI is manual + - name: Set operator id env variable if CI is manual if: ${{ inputs.operator_id }} run: echo "OPERATOR_ID_MAIN=${{ inputs.operator_id }}" >> $GITHUB_ENV From b2230eb493f300c406aac2fdb6d8a771d0af486d Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 18 Sep 2024 11:36:24 -0500 Subject: [PATCH 4/5] Moved OPERATOR_ID_MAIN environment variable definition up to the job level env section. Removing the need for the manual assign step in acceptance-workflow Signed-off-by: Roger Barker --- .github/workflows/acceptance-workflow.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/acceptance-workflow.yml b/.github/workflows/acceptance-workflow.yml index 25c729d1db..e7668e8dbc 100644 --- a/.github/workflows/acceptance-workflow.yml +++ b/.github/workflows/acceptance-workflow.yml @@ -38,6 +38,10 @@ jobs: permissions: contents: write # issues: read + + env: + OPERATOR_ID_MAIN: ${{ inputs.operator_id }} + steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 @@ -70,10 +74,6 @@ jobs: - name: Install hedera local run: npm install @hashgraph/hedera-local -g - - name: Set operator id env variable if CI is manual - if: ${{ inputs.operator_id }} - run: echo "OPERATOR_ID_MAIN=${{ inputs.operator_id }}" >> $GITHUB_ENV - - name: Run hedera local run: npx hedera restart -d --network-tag=${{inputs.networkTag}} --mirror-tag=${{inputs.mirrorTag}} --verbose=trace env: From d80c7d58e813314520d6dfd89b3368a94a10b7a2 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 18 Sep 2024 11:38:27 -0500 Subject: [PATCH 5/5] Cleanup in conformity workflow Signed-off-by: Roger Barker --- .github/workflows/conformity-workflow.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) 
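Review bot: Moving `OPERATOR_ID_MAIN: ${{ inputs.operator_id }}` to the job-level `env:` in the `@@ -38,6 +38,10 @@` hunk drops the `if: ${{ inputs.operator_id }}` guard, so when the input is absent the variable is now exported as an empty string instead of being left unset; whether the relay or hedera-local treats "" the same as "not provided" is not visible here and is worth confirming. `OPERATOR_KEY_MAIN` stays on the "Run hedera local" step's `env:` in the second hunk of this file, so the two operator settings now have different scopes; placing both at job level would make the pairing obvious. The enclosing job definition starts above the hunk.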
diff --git a/.github/workflows/conformity-workflow.yml b/.github/workflows/conformity-workflow.yml index ca0a83cfc1..4da57bc942 100644 --- a/.github/workflows/conformity-workflow.yml +++ b/.github/workflows/conformity-workflow.yml @@ -82,17 +82,8 @@ jobs: - name: Install hedera local run: npm install @hashgraph/hedera-local -g -# Note: this step will never run as there are no input parameters on the workflow file or job. -# - name: Set operator id env variable if CI is manual -# if: ${{ inputs.operator_id }} -# run: | -# echo "OPERATOR_ID_MAIN=${{ inputs.operator_id }}" >> $GITHUB_ENV - - - name: Run hedera local - # Note: Since there are no input parameters to the workflow or job network tag and mirror tag are ALWAYS blank on this step - #run: npx hedera restart -d --network-tag=${{inputs.networkTag}} --mirror-tag=${{inputs.mirrorTag}} --verbose=trace - run: npx hedera restart -d --network-tag="" --mirror-tag="" --verbose=trace + run: npx hedera restart -d --verbose=trace - name: Stop relay run: docker stop json-rpc-relay json-rpc-relay-ws
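Review bot: Dropping `--network-tag="" --mirror-tag=""` changes the invocation from explicitly empty tags to whatever default hedera-local applies when the flags are absent; if the tool handles an empty string differently from an omitted flag, the conformity job now starts a different network/mirror image than before, which is worth checking against the tool's option handling. A short comment such as `# tags intentionally omitted: hedera-local defaults apply` above the `run:` line would record the decision. Removing the commented-out step rather than leaving it in place is the right cleanup.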