vegaprotocol
diff --git a/‎.github/ISSUE_TEMPLATE/api_ticket.md
Lines changed: 49 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/api_ticket.md
Lines changed: 49 additions & 0 deletions
diff --git a/‎.github/actions/sign-windows-binary/action.yml
Lines changed: 97 additions & 0 deletions b/‎.github/actions/sign-windows-binary/action.yml
Lines changed: 97 additions & 0 deletions
diff --git a/‎.github/workflows/codeql.yml
Lines changed: 7 additions & 4 deletions b/‎.github/workflows/codeql.yml
Lines changed: 7 additions & 4 deletions
diff --git a/‎.github/workflows/golangci-lint.yml
Lines changed: 5 additions & 5 deletions b/‎.github/workflows/golangci-lint.yml
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/workflows/release-binaries.yml
Lines changed: 9 additions & 10 deletions b/‎.github/workflows/release-binaries.yml
Lines changed: 9 additions & 10 deletions
diff --git a/‎.github/workflows/release-docs.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release-docs.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.golangci.toml
Lines changed: 34 additions & 2 deletions b/‎.golangci.toml
Lines changed: 34 additions & 2 deletions
diff --git a/‎.spelling
Lines changed: 3 additions & 0 deletions b/‎.spelling
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,49 @@
+---
+name: API request
+about: A request for an API to support a feature
+title: '[API]: '
+labels: "api"
+assignees: ''
+---
+
+# API Overview
+
+**In order to** ... (context - overcome a problem or meet a requirement)
+**We will build an API to**... (what - describe what the API needs to do)
+**So that** ... (why - we create these outcomes)
+
+- 
+- 
+- 
+
+## Specs
+[Spec name](URL) to spec or section within a spec
+
+## API request details
+
+- [ ] Create an API that... (specific details about the API's functionality and what it should provide)
+- [ ] 
+
+### Filtering requirements (inputs)
+  - [ ] 
+  - [ ] 
+
+### Sample API output (optional)
+
+```
+
+```
+
+## Questions 
+Open questions about the feature implementation, what can be done with the APIs, or currently unresolved questions around the feature.
+
+## API test scenarios
+Detailed scenarios that can be executed as feature tests to verify that the API has been implemented as expected.
+
+GIVEN (setup/context) 
+WHEN (action) 
+THEN (assertion) For example...
+See [here](https://github.com/vegaprotocol/vega/tree/develop/core/integration) for more format information and examples.
+
+### Additional Details (optional)
+Any additional information that provides context or gives information that will help us develop the feature. 
@@ -0,0 +1,97 @@
+---
+name: 'Sign windows binary'
+description: 'Sign binary using EV certificate'
+
+inputs:
+  current-working-directory:
+    description: 'The working directory, where the binary is located in'
+    required: true
+    default: './'
+  binary-file:
+    description: 'Binary file to sign'
+    required: true
+    default: ''
+  gcp-credentials:
+    description: 'GCP credentials'
+    required: true
+    default: ''
+  ev-cert-pem:
+    description: 'EV certificate PEM'
+    required: true
+    default: ''
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Import signing certificate"
+      shell: bash
+      run: |
+        cd "${{ inputs.current-working-directory }}" && \
+        echo "${{ inputs.ev-cert-pem }}" > certificate_chain.pem
+
+    - name: "Download Java v17"
+      uses: oracle-actions/setup-java@v1
+      with:
+        website: oracle.com
+        release: 17
+
+    - name: "Setup python"
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.9"
+
+    - name: "Authenticate to the Google Cloud"
+      uses: "google-github-actions/auth@v1"
+      with:
+        credentials_json: "${{ inputs.gcp-credentials }}"
+
+    - name: "Set up Cloud SDK"
+      uses: "google-github-actions/setup-gcloud@v1"
+      env:
+        CLOUDSDK_PYTHON: "python3"
+
+    - name: "Check the Google Cloud CLI"
+      shell: bash
+      run: "gcloud info"
+
+    - name: "Download signing tool and verify sha265 checksum"
+      shell: bash
+      run: |
+        cd "${{ inputs.current-working-directory }}" && \
+        curl -L -o jsign.jar "https://github.com/ebourg/jsign/releases/download/4.2/jsign-4.2.jar" && \
+        echo '290377fc4f593256200b3ea4061b7409e8276255f449d4c6de7833faf0850cc1 jsign.jar' | sha256sum -c
+
+    # We sign binaries with the EV Certificate. You MUST NOT have a key in a file to sign binary.
+    # The only options to store keys are:
+    #   - HSM architecture(e.g., AWS or Google)
+    #   - Physical USB stick with hardware stored key
+    # We are using the first option to be able to sign the binaries within the CI servers without
+    # physical access to them. However, this signing method requires the signing tool supporting the HSM key.
+    #
+    # The high-level signing procedure looks like below:
+    #   1. Calculate the SHA256 Hash for the app
+    #   2. Send a request to sign the hash to the Google Cloud
+    #   3. Google signs our signature with a physically stored key on Google's HSM server and returns the signature over the network
+    #   4. Add our certificate and the signature received from the Google HSM to the EXE file
+    #   5. Our signature hash is again signed with the timestamp authority's private key, and the final hash is added to our binary.
+    #   6. Final executable with all necessary signing information included is produced
+    - name: "Sign binary"
+      shell: bash
+      run: |
+        cd "${{ inputs.current-working-directory }}" && \
+        java -jar jsign.jar \
+          --storetype GOOGLECLOUD \
+          --storepass "$(gcloud auth print-access-token)" \
+          --keystore "projects/vegaprotocol/locations/europe-west2/keyRings/windows-sign-apps" \
+          --alias "digicert-ev-signing-key-ecc-256" \
+          --certfile "./certificate_chain.pem" \
+          --tsmode RFC3161 \
+          --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 \
+          "${{ inputs.binary-file }}"
+
+    - name: "Clean up"
+      shell: bash
+      run: |
+        cd "${{ inputs.current-working-directory }}" && \
+        rm -f certificate_chain.pem && \
+        rm -f jsign.jar
@@ -26,21 +26,24 @@ jobs:
         language: ['go']
 
     steps:
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.21.0'
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
 
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{matrix.language}}"
@@ -20,12 +20,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.20'
-      - uses: actions/checkout@v3
+          go-version: '1.21.5'
+      - uses: actions/checkout@v4
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v3.7.0
         with:
-          version: v1.53.2
+          version: v1.55.2
           args: --config .golangci.toml
@@ -75,7 +75,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: '1.20'
+          go-version: '1.21'
         id: go
 
       - name: Check out code
@@ -142,7 +142,7 @@ jobs:
         uses: actions/setup-go@v2
 
         with:
-          go-version: '1.20'
+          go-version: '1.21'
         id: go
 
       - name: Check out code
@@ -264,7 +264,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: '1.20'
+          go-version: '1.21'
         id: go
 
       - name: Check out code
@@ -288,15 +288,14 @@ jobs:
         run: go build -o build/${{ matrix.app }}.exe ./cmd/${{ matrix.app }}
 
       - name: "Sign binary"
-        # we do notarization to vegawallet only
         if: ${{ matrix.app == 'vegawallet' }}
-        uses: Dana-Prajea/code-sign-action@98c79121b376beab8d6a9484f445089db4461bca
+        uses: ./.github/actions/sign-windows-binary
         with:
-          certificate: ${{ secrets.WINDOWS_CERTIFICATE }}
-          password: ${{ secrets.WINDOWS_CERTIFICATE_PASS }}
-          certificatesha1: ${{ secrets.WINDOWS_CERTIFICATE_HASH }}
-          folder: "build"
-          timestampUrl: "http://timestamp.sectigo.com"
+          current-working-directory: build
+          binary-file: ${{ matrix.app }}.exe
+          gcp-credentials: ${{ secrets.GCP_CREDENTIALS }}
+          ev-cert-pem: ${{ secrets.EV_SIGN_CERT_FULL_CHAIN_PEM }}
+
 
       - name: Check version
         if: ${{ env.GOARCH == 'amd64' }}
 
@@ -37,7 +37,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: '1.20'
+          go-version: '1.21'
       -
         name: Get dependencies
         run: cd vega; bash script/gettools.sh
 
@@ -56,7 +56,6 @@ disable = [
     "varnamelen",
     "wrapcheck",
     "wsl",
-
     ## New linters, disabled until we evaluate if we want them
     "wastedassign",
     "nakedret",
@@ -68,9 +67,15 @@ disable = [
     "depguard",
     "revive",
 
+    ## new with 1.55.2, need to evaluate
+    "testifylint",
+    "inamedparam",
+    "perfsprint",
+    "typecheck",
+    "protogetter",
+
     ## Disabled on-pupose.
     "exhaustruct", # We often make incomplete structs.
-    "gci", # Doesn't match our code style.
     "lll", # We don't have a line length.
     "nlreturn", # Doesn't match our code style.
     "nonamedreturns", # We don't mind named returns.
@@ -91,6 +96,33 @@ enable = [
     # "fieldalignment", to enable one day
 ]
 
+[linters-settings.goheader]
+template = """
+Copyright (C) 2023 Gobalsky Labs Limited
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>."""
+
+[linters-settings.gci]
+custom-order = true
+sections = [
+    "standard", # Standard section: captures all standard packages.
+    "prefix(code.vegaprotocol.io/vega)", # Custom section: groups all imports with the specified Prefix.
+    "default", # Default section: contains all imports that could not be matched to another section type.
+    "blank", # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+    "dot",
+]
+
 [[issues.exclude-rules]]
 linters = ["staticcheck"]
 text = "SA1019:"
 
@@ -23,6 +23,7 @@ cleanup
 Cleanup
 clef
 codegen
+cometbft
 config
 cyclomatic
 dApp
@@ -85,6 +86,8 @@ mutexes
 nodewallet
 notarising
 OpenRPC
+perp
+perps
 phish
 Prometheus
 proto
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ jobs:`
`37`	`37`	`name: Set up Go`
`38`	`38`	`uses: actions/setup-go@v2`
`39`	`39`	`with:`
`40`		`- go-version: '1.20'`
	`40`	`+ go-version: '1.21'`
`41`	`41`	`-`
`42`	`42`	`name: Get dependencies`
`43`	`43`	`run: cd vega; bash script/gettools.sh`