hiero-ledger · May 21, 2024 · May 22, 2024 · May 23, 2024 · Jun 3, 2024 · Jun 3, 2024
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,2 +1,30 @@
 # Default code owners for entire repository
-*   @SimiHunjan @ochikov @petreze @svetoslav-nikol0v @agadzhalov
+*   @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+
+#########################
+#####  Core Files  ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/                                       @hashgraph/release-engineering @hashgraph/release-engineering-managers
+/.github/workflows/                             @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+
+# Codacy Tool Configurations
+/config/                                        @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+.remarkrc                                       @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS                                     @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+**/LICENSE                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml                                  @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+
+# Git Ignore definitions
+**/.gitignore                                   @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+**/.gitignore.*                                 @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -19,6 +19,9 @@ defaults:
 permissions:
   contents: read
 
+env:
+  CG_EXEC: export R_UID=$(id -u); CGROUP_LOGLEVEL=DEBUG cgexec -g cpu,memory:user.slice/user-${R_UID}.slice/user@${R_UID}.service/e2e-${{ github.run_id }} --sticky ionice -c 2 -n 2 nice -n 19
+
 jobs:
   build:
     name: Build using Node ${{ matrix.node }}
@@ -28,6 +31,11 @@ jobs:
         node: [ "16", "18" ]
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -39,7 +47,7 @@ jobs:
           version: 3.35.1
 
       - name: Install PNPM
-        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         with:
           version: 8.15.4
 
@@ -60,6 +68,52 @@ jobs:
         node: [ "16" ]
 
     steps:
+      - name: Setup Control Groups
+        run: |
+            echo "::group::Get System Configuration"
+              USR_ID="$(id -un)"
+              GRP_ID="$(id -gn)"
+              E2E_MEM_LIMIT="30064771072"
+              AGENT_MEM_LIMIT="2147483648"
+              USER_SLICE="user.slice/user-$(id -u).slice"
+              USER_SERVICE="${USER_SLICE}/user@$(id -u).service"
+              E2E_GROUP_NAME="${USER_SERVICE}/e2e-${{ github.run_id }}"
+              AGENT_GROUP_NAME="${USER_SERVICE}/agent-${{ github.run_id }}"
+            echo "::endgroup::"
+
+            echo "::group::Install Control Group Tools"
+              if ! command -v cgcreate >/dev/null 2>&1; then
+                sudo apt-get update
+                sudo apt-get install -y cgroup-tools
+              fi
+            echo "::endgroup::"
+
+            echo "::group::Create Control Groups"
+              sudo cgcreate -g cpu,memory:${USER_SLICE} -a ${USR_ID}:${GRP_ID} -t ${USR_ID}:${GRP_ID}
+              sudo cgcreate -g cpu,memory:${USER_SERVICE} -a ${USR_ID}:${GRP_ID} -t ${USR_ID}:${GRP_ID}
+              sudo cgcreate -g cpu,memory:${E2E_GROUP_NAME} -a ${USR_ID}:${GRP_ID} -t ${USR_ID}:${GRP_ID}
+              sudo cgcreate -g cpu,memory:${AGENT_GROUP_NAME} -a ${USR_ID}:${GRP_ID} -t ${USR_ID}:${GRP_ID}
+            echo "::endgroup::"
+
+            echo "::group::Set Control Group Limits"
+              cgset -r cpu.weight=768 ${E2E_GROUP_NAME}
+              cgset -r cpu.weight=500 ${AGENT_GROUP_NAME}
+              cgset -r memory.max=${E2E_MEM_LIMIT} ${E2E_GROUP_NAME}
+              cgset -r memory.max=${AGENT_MEM_LIMIT} ${AGENT_GROUP_NAME}
+              cgset -r memory.swap.max=${E2E_MEM_LIMIT} ${E2E_GROUP_NAME}
+              cgset -r memory.swap.max=${AGENT_MEM_LIMIT} ${AGENT_GROUP_NAME}
+            echo "::endgroup::"
+
+            echo "::group::Move Runner Processes to Control Groups"
+              sudo cgclassify --sticky -g cpu,memory:${AGENT_GROUP_NAME} $(pgrep 'Runner.Listener' | tr '\n' ' ')
+              sudo cgclassify -g cpu,memory:${AGENT_GROUP_NAME} $(pgrep 'Runner.Worker' | tr '\n' ' ')
+            echo "::endgroup::"
+
+      -  name: Harden Runner
+         uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+         with:
+           egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -79,7 +133,7 @@ jobs:
           cat .env
 
       - name: Install PNPM
-        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         with:
           version: 8.15.4
 
@@ -102,38 +156,38 @@ jobs:
         id: start-local-node
         if: ${{ steps.build-sdk.conclusion == 'success' && !cancelled() && always() }}
         run: |
-          npx @hashgraph/hedera-local start -d --network-tag=0.49.7 --balance=100000
+          ${{ env.CG_EXEC }} npx @hashgraph/hedera-local start -d --network-tag=0.49.7 --balance=100000
           # Wait for the network to fully start
-          sleep 30 
+          sleep 30
 
       - name: Run Hedera SDK Integration Tests Codecov
         if: ${{ steps.build-sdk.conclusion == 'success' && steps.start-local-node.conclusion == 'success' && !cancelled() && always() }}
-        run: task test:integration:codecov
-
-      - name: Stop the local node
-        id: stop-local-node
-        if: ${{ steps.start-local-node.conclusion == 'success' && !cancelled() && always() }}
-        run: npx @hashgraph/hedera-local stop
+        run: ${{ env.CG_EXEC }} task test:integration:codecov
 
       - name: Build @hashgraph/cryptography
         working-directory: packages/cryptography
-        if: ${{ steps.build-sdk.conclusion == 'success' && steps.stop-local-node.conclusion == 'success' && !cancelled() && always() }}
-        run: task build
+        if: ${{ steps.build-sdk.conclusion == 'success' && steps.start-local-node.conclusion == 'success' && !cancelled() && always() }}
+        run: ${{ env.CG_EXEC }} task build
 
       - name: Unit Test @hashgraph/cryptography
         working-directory: packages/cryptography
-        if: ${{ steps.build-sdk.conclusion == 'success' && steps.stop-local-node.conclusion == 'success' && !cancelled() && always() }}
-        run: task test:unit
+        if: ${{ steps.build-sdk.conclusion == 'success' && steps.start-local-node.conclusion == 'success' && !cancelled() && always() }}
+        run: ${{ env.CG_EXEC }} task test:unit
 
       - name: Codecov @hashgraph/cryptography
         working-directory: packages/cryptography
-        if: ${{ steps.build-sdk.conclusion == 'success' && steps.stop-local-node.conclusion == 'success' && !cancelled() && always() }}
-        run: task test:unit:codecov
+        if: ${{ steps.build-sdk.conclusion == 'success' && steps.start-local-node.conclusion == 'success' && !cancelled() && always() }}
+        run: ${{ env.CG_EXEC }} task test:unit:codecov
 
       - name: Unit Test @hashgraph/sdk
-        if: ${{ steps.build-sdk.conclusion == 'success' && steps.stop-local-node.conclusion == 'success' && steps.playwright-deps.conclusion == 'success' && !cancelled() && always() }}
-        run: task test:unit
+        if: ${{ steps.build-sdk.conclusion == 'success' && steps.start-local-node.conclusion == 'success' && steps.playwright-deps.conclusion == 'success' && !cancelled() && always() }}
+        run: ${{ env.CG_EXEC }} task test:unit
 
       - name: Codecov @hashgraph/sdk
-        if: ${{ steps.build-sdk.conclusion == 'success' && steps.stop-local-node.conclusion == 'success' && !cancelled() && always() }}
-        run: task test:unit:codecov
+        if: ${{ steps.build-sdk.conclusion == 'success' && steps.start-local-node.conclusion == 'success' && !cancelled() && always() }}
+        run: ${{ env.CG_EXEC }} task test:unit:codecov
+
+      - name: Stop the local node
+        id: stop-local-node
+        if: ${{ steps.start-local-node.conclusion == 'success' && !cancelled() && always() }}
+        run: ${{ env.CG_EXEC }} npx @hashgraph/hedera-local stop
diff --git a/.github/workflows/common_js.yml b/.github/workflows/common_js.yml
@@ -27,6 +27,11 @@ jobs:
         node: [ "16", "18" ]
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -38,7 +43,7 @@ jobs:
           version: 3.35.1
 
       - name: Install PNPM
-        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         with:
           version: 8.15.4
 

diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
@@ -17,6 +17,11 @@ jobs:
     name: Documentation
     runs-on: [self-hosted, Linux, medium, ephemeral]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -33,7 +38,7 @@ jobs:
           node-version: 18
 
       - name: Install PNPM
-        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         with:
           version: 8.15.4
 
@@ -50,6 +55,6 @@ jobs:
 
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4.0.4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish_release.yaml b/.github/workflows/publish_release.yaml
@@ -32,6 +32,11 @@ jobs:
       prerelease: ${{ steps.tag.outputs.prerelease }}
       type: ${{ steps.tag.outputs.type }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -64,19 +69,19 @@ jobs:
         run: |
           REF_NAME="$(git describe --exact-match --tags $(git log -n1 --pretty='%h'))"
           IS_VALID_SEMVER="$(semver validate "${REF_NAME}")"
-          
+
           if [[ "${IS_VALID_SEMVER}" != "valid" ]]; then
             echo "::error title=Invalid Tag::The tag '${REF_NAME}' is not a valid SemVer tag."
             exit 1
           fi
-          
+
           RELEASE_VERSION="$(semver get release "${REF_NAME}")"
           PREREL_VERSION="$(semver get prerel "${REF_NAME}")"
           PREREL_VERSION_LC="$(printf "%s" "${PREREL_VERSION}" | tr '[:upper:]' '[:lower:]')"
 
           IS_PRERELEASE="false"
           [[ -n "${PREREL_VERSION}" ]] && IS_PRERELEASE="true"
-          
+
           PREREL_TYPE="unknown"
           if [[ "${IS_PRERELEASE}" == "true" ]]; then
             if [[ "${PREREL_VERSION_LC}" =~ "beta" ]]; then
@@ -87,12 +92,12 @@ jobs:
           else
             PREREL_TYPE="production"
           fi
-          
+
           FINAL_VERSION="${RELEASE_VERSION}"
           [[ -n "${PREREL_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PREREL_VERSION}"
-          
+
           TAG_NAME="v${FINAL_VERSION}"
-          
+
           echo "name=${TAG_NAME}" >>"${GITHUB_OUTPUT}"
           echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}"
           echo "prerelease=${IS_PRERELEASE}" >>"${GITHUB_OUTPUT}"
@@ -105,7 +110,7 @@ jobs:
             echo "::error title=Version Mismatch::The version in package.json (${{ steps.npm-package.outputs.version }}) does not match the version in the tag (${{ steps.tag.outputs.version }})."
             exit 1
           fi
-          
+
           if [[ "${{ steps.tag.outputs.type }}" != "production" && "${{ steps.tag.outputs.type }}" != "beta" ]]; then
             echo "::error title=Unsupported PreRelease::The tag '${{ steps.tag.outputs.name }}' is an unsupported prerelease tag. Only 'beta' prereleases are supported."
             exit 2
@@ -120,6 +125,11 @@ jobs:
     name: Safety Checks
     runs-on: [self-hosted, Linux, medium, ephemeral]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -131,7 +141,7 @@ jobs:
           version: 3.35.1
 
       - name: Install PNPM
-        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         with:
           version: 8.15.4
 
@@ -150,6 +160,11 @@ jobs:
       - validate-release
       - run-safety-checks
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -161,7 +176,7 @@ jobs:
           version: 3.35.1
 
       - name: Install PNPM
-        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         with:
           version: 8.15.4
 
@@ -209,7 +224,7 @@ jobs:
           PUBLISH_ARGS="--access public --no-git-checks"
           [[ "${{ github.event.inputs.dry-run-enabled }}" == "true" ]] && PUBLISH_ARGS="${PUBLISH_ARGS} --dry-run"
           [[ "${{ needs.validate-release.outputs.prerelease }}" == "true" ]] && PUBLISH_ARGS="${PUBLISH_ARGS} --tag ${{ needs.validate-release.outputs.type }}"
-          
+
           echo "args=${PUBLISH_ARGS}" >>"${GITHUB_OUTPUT}"
           # Add the registry authentication stanza with variable substitution to the .npmrc configuration file.
           echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' >>".npmrc"