Alpha

.coderabbit.yaml

@@ -0,0 +1,28 @@
+language: "en"
+reviews:
+    request_changes_workflow: false
+    high_level_summary: true
+    poem: true
+    review_status: true
+    collapse_walkthrough: false
+    path_instructions:
+        - path: "**/*.ts"
+          instructions: "Review the JavaScript code for conformity with the Semi-Standard style guide, highlighting any deviations."
+        - path: "**/*.ts"
+          instructions: "Analyze the logic of the code and the efficiency of the algorithms used. Suggest improvements if any inefficient algorithms are found."
+        - path: "/**/*.spec.ts"
+          instructions: |
+              "Assess the unit test code employing the jest testing framework. Confirm that:
+              - The tests adhere to jest's established best practices.
+              - Test descriptions are sufficiently detailed to clarify the purpose of each test."
+    auto_review:
+        enabled: true
+        ignore_title_keywords:
+            - "WIP"
+            - "DO NOT MERGE"
+        drafts: true
+        base_branches:
+            - "master"
+            - "alpha"
+chat:
+    auto_reply: true

.github/workflows/authenticate-commits.yml

@@ -0,0 +1,48 @@
+name: Authenticate Commits
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Import allowed SSH keys
+        env:
+          ALLOWED_SIGNERS: ${{ vars.MIDDLEWARE_ALLOWED_SIGNERS }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "$ALLOWED_SIGNERS" > ~/.ssh/allowed_signers
+          git config --global gpg.ssh.allowedSignersFile "~/.ssh/allowed_signers"
+
+      - name: Validate commit signatures
+        env:
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        run: |
+          # Function to verify a commit
+          verify_commit() {
+            local commit=$1
+            local status=$(git show --pretty="format:%G?" $commit | head -n 1)
+
+            if [ "$status" != "G" ]; then
+              local committer=$(git log -1 --pretty=format:'%cn (%ce)' $commit)
+              echo "Commit $commit from $committer has an invalid signature or is not signed by an allowed key."
+              exit 1
+            fi
+
+          }
+
+          # Get all commits in the PR
+          commits=$(git rev-list $BASE_SHA..$HEAD_SHA)
+
+          # Iterate over all commits in the PR and verify each one
+          for COMMIT in $commits; do
+            verify_commit $COMMIT
+          done
+
+          echo "All commits are signed with allowed keys."

.github/workflows/docker-image.yml

@@ -13,24 +13,33 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+        with:
+          submodules: 'true'
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.ASSOCIATION_DOCKER_USERNAME }}
           password: ${{ secrets.ASSOCIATION_DOCKER_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v5
         with:
           images: ${{ secrets.ASSOCIATION_DOCKER_HUB_REPO }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: .
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

.github/workflows/fast-forward.yml

@@ -0,0 +1,27 @@
+name: fast-forward
+on:
+  issue_comment:
+    types: [created, edited]
+jobs:
+  fast-forward:
+    # Only run if the comment contains the /fast-forward command.
+    if: ${{ contains(github.event.comment.body, '/fast-forward')
+      && github.event.issue.pull_request }}
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+
+    steps:
+      - name: Fast forwarding
+        uses: sequoia-pgp/fast-forward@v1
+        with:
+          merge: true
+          # To reduce the workflow's verbosity, use 'on-error'
+          # to only post a comment when an error occurs, or 'never' to
+          # never post a comment.  (In all cases the information is
+          # still available in the step's summary.)
+          comment: on-error
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} ## This allows to trigger push action from within this workflow. Read more - https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow

.github/workflows/main.yml

@@ -2,7 +2,7 @@ name: CI
 
 on:
   push:
-    branches: [master, alpha]
+    branches: [master, alpha, confidential-assets]
   pull_request:
     types: [assigned, opened, synchronize, reopened]
 
@@ -14,6 +14,9 @@ jobs:
       CI: true
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: 'true'
       - uses: actions/setup-node@v3
         with:
           node-version: '18.x'
@@ -30,6 +33,9 @@ jobs:
       CI: true
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: 'true'
       - uses: actions/setup-node@v3
         with:
           node-version: '18.x'
@@ -46,6 +52,9 @@ jobs:
       CI: true
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: 'true'
       - uses: actions/setup-node@v3
         with:
           node-version: '18.x'
@@ -59,16 +68,69 @@ jobs:
     name: Building and releasing project
     runs-on: ubuntu-latest
     needs: [lint, build, test]
+    if: github.event_name == 'push'
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+          submodules: 'true'
       - uses: actions/setup-node@v3
         with:
           node-version: '18.x'
           cache: 'yarn'
       - name: install dependencies
         run: yarn --frozen-lockfile
+      - name: Setup SSH signing key
+        run: |
+          echo "$SSH_KEY_PRIVATE" | tr -d '\r' > /tmp/id_ed25519
+          echo $SSH_KEY_PUBLIC > /tmp/id_ed25519.pub
+          chmod 600 /tmp/id_ed25519
+          eval "$(ssh-agent -s)"
+          ssh-add /tmp/id_ed25519
+          git config --global gpg.format ssh
+          git config --global commit.gpgsign true
+          git config --global user.signingkey /tmp/id_ed25519.pub
+          mkdir -p ~/.config/git
+          echo "${{ vars.RB_EMAIL }} $SSH_KEY_PUBLIC" > ~/.config/git/allowed_signers
+          git config --global gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
+        shell: bash
+        env:
+          SSH_KEY_PRIVATE: ${{ secrets.SSH_PRIVATE_KEY }}
+          SSH_KEY_PUBLIC: ${{ vars.SSH_PUBLIC_KEY }}
       - name: release
         env:
-          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_RELEASE_BOT_PAT }}
+          GIT_AUTHOR_NAME: ${{ vars.RB_NAME }}
+          GIT_AUTHOR_EMAIL: ${{ vars.RB_EMAIL }}
+          GIT_COMMITTER_NAME: ${{ vars.RB_COMMITTER_NAME }}
+          GIT_COMMITTER_EMAIL: ${{ vars.RB_COMMITTER_EMAIL }}
         run: yarn semantic-release
+      - name: Clear SSH key
+        run: |
+          shred /tmp/id_ed25519
+
+  check-fast-forward:
+    name: Check if fast forwarding is possible
+    runs-on: ubuntu-latest
+    needs: [lint, build, test]
+    if: github.event_name == 'pull_request'
+
+    permissions:
+      contents: read
+      # We appear to need write permission for both pull-requests and
+      # issues in order to post a comment to a pull request.
+      pull-requests: write
+      issues: write
+
+    steps:
+      - name: Checking if fast forwarding is possible
+        uses: sequoia-pgp/fast-forward@v1
+        with:
+          merge: false
+          # To reduce the workflow's verbosity, use 'on-error'
+          # to only post a comment when an error occurs, or 'never' to
+          # never post a comment.  (In all cases the information is
+          # still available in the step's summary.)
+          comment: never
 # TODO @polymath-eric: add SonarCloud step when the account confusion is sorted

.gitignore

@@ -1,7 +1,7 @@
 # compiled output
 /dist
 /node_modules
-polymesh-rest-api-swagger-spec.json
+polymesh-private-rest-api-swagger-spec.yaml
 
 # Logs
 logs
@@ -36,3 +36,4 @@ lerna-debug.log*
 
 # Env
 *.env
+polymesh-rest-api-swagger-spec.json

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "src/polymesh-rest-api"]
+	path = src/polymesh-rest-api
+	url = https://github.com/PolymeshAssociation/polymesh-rest-api

.vscode/settings.json

@@ -9,7 +9,7 @@
     "**/.pnp.*": true
   },
   "eslint.nodePath": ".yarn/sdks",
-  "prettier.prettierPath": ".yarn/sdks/prettier/index.js",
+  "prettier.prettierPath": "",
   "typescript.enablePromptUseWorkspaceTsdk": true,
   "cSpell.ignorePaths": [
     "package.json",
@@ -26,6 +26,7 @@
   ],
   "cSpell.words": [
     "Custodied",
+    "Gamal",
     "Hashicorp",
     "Isin",
     "metatype",

Jenkinsfile

@@ -12,7 +12,7 @@ def withSecretEnv(List<Map> varAndPasswordList, Closure closure) {
 
 node {
 
-    env.PROJECT_NAME = 'polymesh-rest-api'
+    env.PROJECT_NAME = 'polymesh-private-rest-api'
     env.GIT_REPO     = "ssh://git@ssh.gitea.polymesh.dev:4444/Deployment/${PROJECT_NAME}.git"
 
     properties([[$class: 'BuildDiscarderProperty',