OpenZeppelin
diff --git a/‎.github/README.md‎
Lines changed: 21 additions & 0 deletions b/‎.github/README.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎.github/actions/prepare/action.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/actions/prepare/action.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/release-please/.config.json‎
Lines changed: 65 additions & 0 deletions b/‎.github/release-please/.config.json‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎.github/release-please/manifest.json‎
Lines changed: 1 addition & 0 deletions b/‎.github/release-please/manifest.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 5 additions & 6 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 5 additions & 6 deletions
diff --git a/‎.github/workflows/cla.yml‎
Lines changed: 88 additions & 6 deletions b/‎.github/workflows/cla.yml‎
Lines changed: 88 additions & 6 deletions
diff --git a/‎.github/workflows/rc.yml‎
Lines changed: 93 additions & 0 deletions b/‎.github/workflows/rc.yml‎
Lines changed: 93 additions & 0 deletions
@@ -0,0 +1,21 @@
+# CI/CD Release Workflow
+
+---
+
+## Workflows
+
+- To trigger a release, use [rc.yml](workflows/rc.yml) workflow.
+  - It will need specific commit SHA in long format to start the workflow.
+  - All the commits until that specific commit sha will be included in the release.
+  - Checks version from `Cargo.toml` and validates if it needs to creates a new release branch. If there is a release branch that already exists for the same version in `Cargo.toml` the workflow will fail.
+  - Release branch is created in this pattern `release-v<version>`.
+
+- Second workflow [release-please.yml](workflows/release-please.yml) will get triggered on push to release branch automatically.
+  - This workflow checks if there is any "higher versioned" branches than the current one since this workflow will be triggered for any pushes ( eg. hotfixes ).
+  - We use [release-please](https://github.com/googleapis/release-please) for managing releases. If there are no "higher versioned" branches release-please step will be triggered.
+  - Release please automatically creates a PR with Changelog notes to release branch which keeps track of all commits in that release branch and adds a label `autorelease: pending`. It uses [config](release-please/.config.json) & [manifest](release-please/manifest.json) files to generate changelog and track versions. If there are any changes to `Cargo.lock` that commit is pushed to the PR.
+  - Once approved merge the PR. On merging `release-please` automatically creates a github release with changelog notes & tags the release with that version.
+  - Workflow has a step to unlock conversation in the now closed PR so that release-please can post a comment and update the label `autorelease: tagged`.
+  - SBOM generation, Binaries creation for different arch & Docker build and push jobs are triggered.
+
+- If everything looks good post release, raise a PR and merge the `release-v<version>` branch to main (manual step for now).
@@ -9,7 +9,7 @@ runs:
   using: composite
   steps:
     - name: setup rust tool chain
-      uses: dtolnay/rust-toolchain@stable
+      uses: dtolnay/rust-toolchain@fcf085fcb4b4b8f63f96906cd713eb52181b5ea4  # stable
       with:
         toolchain: stable
         components: rustfmt, clippy
 
@@ -0,0 +1,65 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "packages": {
+    ".": {}
+  },
+  "release-type": "rust",
+  "include-component-in-tag": false,
+  "pull-request-title-pattern": "chore: Release version ${version}",
+  "pull-request-header": "🤖 Created a Release ⚡ ⚡",
+  "pull-request-footer": "Merge this pull request to trigger the next release.",
+  "changelog-sections": [
+    {
+      "type": "feat",
+      "section": "🚀 Features"
+    },
+    {
+        "type": "fix",
+        "section": "🐛 Bug Fixes"
+    },
+    {
+      "type": "revert",
+      "section": "◀️ Reverts"
+    },
+    {
+      "type": "docs",
+      "section": "📚 Documentation",
+      "hidden": false
+    },
+    {
+      "type": "refactor",
+      "section": "🚜 Code Refactoring",
+      "hidden": true
+    },
+    {
+      "type": "style",
+      "section": "🎨 Styles",
+      "hidden": true
+    },
+    {
+      "type": "chore",
+      "section": "⚙️ Miscellaneous Chores",
+      "hidden": true
+    },
+    {
+        "type": "refactor",
+        "section": "🚜 Code Refactoring",
+        "hidden": true
+    },
+    {
+        "type": "test",
+        "section": "🧪 Tests",
+        "hidden": true
+    },
+    {
+      "type": "build",
+      "section": "🛠️ Build System",
+      "hidden": true
+    },
+    {
+      "type": "ci",
+      "section": "🥏 Continuous Integration",
+      "hidden": true
+    }
+  ]
+}
@@ -0,0 +1 @@
+{".":"0.0.0"}
@@ -186,12 +186,11 @@ jobs:
           path: clippy-results.sarif
           retention-days: 1
 
-      # TODO: enable this when the repo is made public.
-      # - name: Upload
-      #   uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7  # v3.28.3
-      #   with:
-      #     sarif_file: clippy-results.sarif
-      #     wait-for-processing: true
+      - name: Upload
+        uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7  # v3.28.3
+        with:
+          sarif_file: clippy-results.sarif
+          wait-for-processing: true
 
       # - name: Report status
       #   run: cargo clippy --all-features --all-targets -- -D warnings --allow deprecated
 
@@ -4,23 +4,24 @@ on:
   issue_comment:
     types: [created]
   pull_request_target:
-    types: [opened, closed, synchronize]
+    types: [opened, closed, synchronize, labeled]
 
 permissions:
   actions: write
   contents: write
   pull-requests: write
   statuses: write
+  checks: write
+  issues: write
 
 jobs:
   CLAAssistant:
     runs-on: ubuntu-latest
     steps:
-      # TODO: enable when repo is public
-      # - name: Harden the runner (Audit all outbound calls)
-       #   uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481  # v2.11.0
-      #   with:
-      #     egress-policy: audit
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481  # v2.11.0
+        with:
+          egress-policy: audit
 
       - name: Checkout Private Repo for Allowlist
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
@@ -35,7 +36,18 @@ jobs:
         run: |
           ALLOWLIST=$(cat allowlist.txt)
           echo "allowlist=$ALLOWLIST" >> $GITHUB_OUTPUT
+      - name: Check if user is in allowlist
+        id: check_allowlist
+        run: |
+          PR_USER=${{ github.event.pull_request.user.login }}
+          if [[ "${{ steps.read_allowlist.outputs.allowlist }}" == *"$PR_USER"* ]]; then
+            echo "is_allowed=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_allowed=false" >> $GITHUB_OUTPUT
+            fi
       - name: CLA Assistant
+        continue-on-error: true
+        id: cla_assistant
         if: (github.event.comment.body == 'recheck' || github.event.comment.body ==
           'I confirm that I have read and hereby agree to the OpenZeppelin Contributor
           License Agreement') || github.event_name == 'pull_request_target'
@@ -59,3 +71,73 @@ jobs:
             below. Thanks.
           custom-pr-sign-comment: I confirm that I have read and hereby agree to the
             OpenZeppelin Contributor License Agreement
+
+      - name: Label PR as CLA Unsigned
+        if: ${{ steps.cla_assistant.outcome != 'success' }}
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
+            PR_NUMBER="${{ github.event.pull_request.number }}"
+          elif [[ "${{ github.event_name }}" == "issue_comment" ]]; then
+            PR_NUMBER="${{ github.event.issue.number }}"
+          fi
+          ENDPOINT="https://api.github.com/repos/${{ github.repository }}/issues/$PR_NUMBER/labels"
+          curl -L -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            -d '{"labels":["cla: unsigned"]}' \
+            $ENDPOINT
+          exit 1
+
+      - name: Label PR as CLA Signed
+        if: ${{ steps.cla_assistant.outcome == 'success' && steps.check_allowlist.outputs.is_allowed
+          == 'false' }}
+        run: |-
+          if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
+            PR_NUMBER="${{ github.event.pull_request.number }}"
+          elif [[ "${{ github.event_name }}" == "issue_comment" ]]; then
+            PR_NUMBER="${{ github.event.issue.number }}"
+          fi
+          ENDPOINT="https://api.github.com/repos/${{ github.repository }}/issues/$PR_NUMBER/labels"
+          # Remove 'cla: unsigned' label if present
+          curl -L -X DELETE \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "$ENDPOINT/cla:%20unsigned" || true
+          # Add 'cla: signed' label
+          curl -L -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            -d '{"labels":["cla: signed"]}' \
+            $ENDPOINT
+
+      - name: Label PR as CLA Allowlist
+        if: ${{ steps.check_allowlist.outputs.is_allowed == 'true' }}
+        run: |-
+          if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
+            PR_NUMBER="${{ github.event.pull_request.number }}"
+          elif [[ "${{ github.event_name }}" == "issue_comment" ]]; then
+            PR_NUMBER="${{ github.event.issue.number }}"
+          fi
+          ENDPOINT="https://api.github.com/repos/${{ github.repository }}/issues/$PR_NUMBER/labels"
+          # Remove 'cla: unsigned' label if present
+          curl -L -X DELETE \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "$ENDPOINT/cla:%20unsigned" || true
+          # Remove 'cla: signed' label if present
+          curl -L -X DELETE \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "$ENDPOINT/cla:%20signed" || true
+          # Add allowlist label
+          curl -L -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            -d '{"labels":["cla: allowlist"]}' \
+            $ENDPOINT
@@ -0,0 +1,93 @@
+---
+name: RC for Major/Minor Releases
+
+on:
+  workflow_dispatch:
+    inputs:
+      commit_sha:
+        description: Commit SHA to create release branch from
+        required: true
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+
+# run concurrency group for the workflow
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  create-release-branch:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09  # v1.11.7
+        id: gh-app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      - name: Validate Commit SHA
+        run: |
+          if [[ ! "$INPUT_COMMIT_SHA" =~ ^[0-9a-f]{40}$ ]]; then
+            echo "Invalid commit SHA: $INPUT_COMMIT_SHA. Please provide the full 40-character SHA."
+            echo "Provided SHA: $INPUT_COMMIT_SHA"
+            echo "Length: ${#$INPUT_COMMIT_SHA}"
+            exit 1
+          fi
+          echo "Valid commit SHA: $INPUT_COMMIT_SHA"
+        env:
+          INPUT_COMMIT_SHA: ${{ github.event.inputs.commit_sha }}
+
+      - name: Checkout repository at commit SHA
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          ref: ${{ github.event.inputs.commit_sha }}
+          fetch-depth: 0
+          token: ${{ steps.gh-app-token.outputs.token }}
+
+      - name: Get version from Cargo.toml
+        id: get_version
+        run: |
+          # Extract the version from Cargo.toml
+          version=$(grep -A 5 "\[package\]" Cargo.toml | grep "^version" | cut -d'"' -f2)
+          if [ -z "$version" ]; then
+            echo "Version not found in Cargo.toml" >&2
+            exit 1
+          fi
+          echo "Version is $version"
+          echo "version=$version" >> $GITHUB_OUTPUT
+
+      - name: Set release branch name
+        id: set_branch
+        run: |
+          branch="release-v${{ steps.get_version.outputs.version }}"
+          echo "release_branch=$branch" >> $GITHUB_ENV
+          echo "Release branch will be: $branch"
+
+      - name: Check if release branch exists
+        id: check_branch
+        run: |
+          branch="release-v${{ steps.get_version.outputs.version }}"
+          if git ls-remote --exit-code --heads origin "$branch" > /dev/null 2>&1; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create release branch
+        id: update_branch
+        shell: bash
+        run: |-
+          branch="release-v${{ steps.get_version.outputs.version }}"
+          commit_sha="${{ github.event.inputs.commit_sha }}"
+          if [ "${{ steps.check_branch.outputs.exists }}" == "true" ]; then
+            echo "Branch '$branch' already exists. Exiting with error."
+            exit 1
+          else
+            echo "Branch '$branch' does not exist. Creating new branch from commit $commit_sha."
+            git checkout -b $branch $commit_sha
+            git push -f origin $branch
+          fi