Merge branch 'develop' into BCI-3621/try-new-estimation-for-insuffici…

…ent-fund-error-instead-of-retry

.changeset/calm-laws-begin.md

@@ -0,0 +1,5 @@
+---
+"chainlink": minor
+---
+
+#added Implements rate limiter for capabilities dispatcher

.changeset/famous-plums-kiss.md

@@ -0,0 +1,5 @@
+---
+"chainlink": minor
+---
+
+#updated move latest capabilities code from ccip repo to chainlink repo [CCIP-2946]

.changeset/gorgeous-lobsters-argue.md

@@ -0,0 +1,5 @@
+---
+"chainlink": minor
+---
+
+#changed Connect to multiple feeds managers on app start instead of just one (default to first)

.changeset/kind-houses-smile.md

@@ -0,0 +1,5 @@
+---
+"chainlink": patch
+---
+
+#internal index don ID in ConfigSet event

.changeset/moody-turkeys-provide.md

@@ -0,0 +1,5 @@
+---
+"chainlink": minor
+---
+
+#changed Allow registration of more than 1 feeds manager on CreateFeedsManager

.changeset/sixty-fireants-return.md

@@ -0,0 +1,5 @@
+---
+"chainlink": patch
+---
+
+#internal gas limit default value

.changeset/tasty-dogs-arrive.md

@@ -0,0 +1,5 @@
+---
+"chainlink": minor
+---
+
+remove chainReader from the Relayer struct. #internal

.changeset/tiny-doors-brush.md

@@ -0,0 +1,5 @@
+---
+"chainlink": patch
+---
+
+moved deployments ccip tooling from ccip repo to chainlink repo #added

.changeset/tricky-eagles-knock.md

@@ -0,0 +1,5 @@
+---
+"chainlink": patch
+---
+
+skip checking isJobManaged if the proposal in fms has already been deleted #changed

.changeset/wise-snakes-protect.md

@@ -0,0 +1,5 @@
+---
+"chainlink": minor
+---
+
+Formalize trigger API #internal

.github/CODEOWNERS

@@ -13,6 +13,7 @@
 /core/services/directrequest @smartcontractkit/keepers
 /core/services/feeds @smartcontractkit/FMS
 /core/services/synchronization/telem @smartcontractkit/realtime
+/core/capabilities/ccip @smartcontractkit/ccip-offchain
 
 # To be deprecated in Chainlink V3
 /core/services/fluxmonitorv2 @smartcontractkit/foundations

.github/actions/build-sign-publish-chainlink/action.yml

@@ -51,23 +51,11 @@ inputs:
     description: When set to the string boolean value of "true", the resulting build image will be signed
     default: "false"
     required: false
-  cosign-private-key:
-    description: The private key to be used with cosign to sign the image
-    required: false
-  cosign-public-key:
-    description: The public key to be used with cosign for verification
-    required: false
-  cosign-password:
-    description: The password to decrypt the cosign private key needed to sign the image
-    required: false
-  sign-method:
-    description: Build image will be signed using keypair or keyless methods
-    default: "keypair"
-    required: true
   verify-signature:
     description: When set to the string boolean value of "true", the resulting build image signature will be verified
     default: "false"
     required: false
+
 outputs:
   docker-image-tag:
     description: The docker image tag that was built and pushed
@@ -84,6 +72,8 @@ runs:
       # See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings
       run: |
         SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }}
+        OIDC_ISSUER=https://token.actions.githubusercontent.com
+        OIDC_IDENTITY=https://github.com/smartcontractkit/chainlink/.github/workflows/build-publish.yml@${{ github.ref }}
 
         SHARED_TAG_LIST=$(cat << EOF
         type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }}
@@ -101,6 +91,9 @@ runs:
         echo "$SHARED_IMAGES" >> $GITHUB_ENV
         echo "EOF" >> $GITHUB_ENV
 
+        echo "oidc-issuer=${OIDC_ISSUER}" >> $GITHUB_ENV
+        echo "oidc-identity=${OIDC_IDENTITY}" >> $GITHUB_ENV
+
         echo "shared-tag-list<<EOF" >> $GITHUB_ENV
         echo "$SHARED_TAG_LIST" >> $GITHUB_ENV
         echo "EOF" >> $GITHUB_ENV
@@ -171,7 +164,9 @@ runs:
       run: |
         IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
         IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
+        IMAGE_DIGEST=${{ fromJSON(steps.buildpush-root.outputs.metadata)['containerimage.digest'] }}
         echo "root_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
+        echo "root_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
 
     - name: Generate docker metadata for non-root image
       id: meta-nonroot
@@ -217,6 +212,7 @@ runs:
         IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
         IMAGE_TAG=$(echo "$IMAGES_NAME_RAW" | cut -d":" -f2)
         echo "nonroot_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
+        echo "nonroot_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
         echo '### Docker Image' >> $GITHUB_STEP_SUMMARY
         echo "Image Name: ${IMAGE_NAME}"  >> $GITHUB_STEP_SUMMARY
         echo "Image Digest: ${IMAGE_DIGEST}"  >> $GITHUB_STEP_SUMMARY
@@ -239,74 +235,36 @@ runs:
 
     - if: inputs.sign-images == 'true'
       name: Install cosign
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
       with:
-        cosign-release: "v1.6.0"
+        cosign-release: "v2.4.0"
 
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
-      name: Sign the published root Docker image using keypair method
-      shell: sh
-      env:
-        COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
-      run: |
-        echo "${{ inputs.cosign-private-key }}" > cosign.key
-        cosign sign --key cosign.key "${{ env.root_image_name }}"
-        rm -f cosign.key
-
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
-      name: Verify the signature of the published root Docker image using keypair
-      shell: sh
-      run: |
-        echo "${{ inputs.cosign-public-key }}" > cosign.key
-        cosign verify --key cosign.key "${{ env.root_image_name }}"
-        rm -f cosign.key
-
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
+    # This automatically signs the image with the correct OIDC provider from Github
+    - if: inputs.sign-images == 'true'
       name: Sign the published root Docker image using keyless method
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
       run: |
-        cosign sign "${{ env.root_image_name }}"
+        cosign sign "${{ env.root_image_name }}" --yes
 
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
+    - if: inputs.verify-signature == 'true'
       name: Verify the signature of the published root Docker image using keyless
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
-      run: |
-        cosign verify "${{ env.root_image_name }}"
-
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
-      name: Sign the published non-root Docker image using keypair method
-      shell: sh
-      env:
-        COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
-      run: |
-        echo "${{ inputs.cosign-private-key }}" > cosign.key
-        cosign sign --key cosign.key "${{ env.nonroot_image_name }}"
-        rm -f cosign.key
-
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
-      name: Verify the signature of the published non-root Docker image using keypair
-      shell: sh
       run: |
-        echo "${{ inputs.cosign-public-key }}" > cosign.key
-        cosign verify --key cosign.key "${{ env.nonroot_image_name }}"
-        rm -f cosign.key
+        cosign verify "${{ env.root_image_name }}" \
+        --certificate-oidc-issuer ${{ env.oidc-issuer }} \
+        --certificate-identity "${{ env.oidc-identity }}"
 
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
+    # This automatically signs the image with the correct OIDC provider from Github
+    - if: inputs.sign-images == 'true'
       name: Sign the published non-root Docker image using keyless method
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
       run: |
-        cosign sign "${{ env.nonroot_image_name }}"
+        cosign sign "${{ env.nonroot_image_name }}" --yes
 
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
+    - if: inputs.verify-signature == 'true'
       name: Verify the signature of the published non-root Docker image using keyless
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
       run: |
-        cosign verify "${{ env.nonroot_image_name }}"
+        cosign verify "${{ env.nonroot_image_name }}" \
+        --certificate-oidc-issuer ${{ env.oidc-issuer }} \
+        --certificate-identity "${{ env.oidc-identity }}"

.github/actions/goreleaser-build-sign-publish/action.yml

@@ -14,7 +14,7 @@ inputs:
     required: false
   cosign-version:
     description: The cosign version
-    default: v2.2.2
+    default: v2.4.0
     required: false
   macos-sdk-dir:
     description: The macos sdk directory
@@ -62,15 +62,6 @@ inputs:
     description: Enable signing of docker images
     default: "false"
     required: false
-  cosign-private-key:
-    description: The private key to be used with cosign to sign the image
-    required: false
-  cosign-public-key:
-    description: The public key to be used with cosign for verification
-    required: false
-  cosign-password:
-    description: The password to decrypt the cosign private key needed to sign the image
-    required: false
 runs:
   using: composite
   steps:
@@ -96,7 +87,7 @@ runs:
         version: ${{ inputs.zig-version }}
     - name: Setup cosign
       if: inputs.enable-cosign == 'true'
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
       with:
         cosign-release: ${{ inputs.cosign-version }}
     - name: Login to docker registry
@@ -113,7 +104,6 @@ runs:
     - name: Run goreleaser release
       shell: bash
       env:
-        ENABLE_COSIGN: ${{ inputs.enable-cosign }}
         ENABLE_GORELEASER_SNAPSHOT: ${{ inputs.enable-goreleaser-snapshot }}
         ENABLE_GORELEASER_SPLIT: ${{ inputs.enable-goreleaser-split }}
         ENABLE_DOCKER_PUBLISH: ${{ inputs.enable-docker-publish }}
@@ -122,9 +112,8 @@ runs:
         IMAGE_TAG: ${{ inputs.docker-image-tag }}
         GORELEASER_EXEC: ${{ inputs.goreleaser-exec }}
         GORELEASER_CONFIG: ${{ inputs.goreleaser-config }}
-        COSIGN_PASSWORD: ${{ inputs.cosign-password }}
-        COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }}
-        COSIGN_PRIVATE_KEY: ${{ inputs.cosign-private-key }}
+        GORELEASER_KEY: ${{ inputs.goreleaser-key }}
+        GITHUB_TOKEN: ${{ github.token }}
         MACOS_SDK_DIR: ${{ inputs.macos-sdk-dir }}
       run: |
         # https://github.com/orgs/community/discussions/24950

.github/actions/goreleaser-build-sign-publish/action_utils

@@ -2,11 +2,9 @@
 set -x
 set -euo pipefail
 
-ENABLE_COSIGN=${ENABLE_COSIGN:-false}
 ENABLE_GORELEASER_SNAPSHOT=${ENABLE_GORELEASER_SNAPSHOT:-false}
 ENABLE_GORELEASER_SPLIT=${ENABLE_GORELEASER_SPLIT:-false}
 ENABLE_DOCKER_PUBLISH=${ENABLE_DOCKER_PUBLISH:-false}
-COSIGN_PASSWORD=${COSIGN_PASSWORD:-""}
 GORELEASER_EXEC=${GORELEASER_EXEC:-goreleaser}
 GORELEASER_CONFIG=${GORELEASER_CONFIG:-.goreleaser.yaml}
 IMAGE_PREFIX=${IMAGE_PREFIX:-"localhost:5001"}
@@ -69,26 +67,16 @@ goreleaser_release() {
   flags=$(printf "%s " "${goreleaser_flags[@]}")
   flags=$(echo "$flags" | sed 's/ *$//')
 
-  if [[ $ENABLE_COSIGN == "true" ]]; then
-    echo "$COSIGN_PUBLIC_KEY" > cosign.pub
-    echo "$COSIGN_PRIVATE_KEY" > cosign.key
-  fi
-
   if [[ -n $MACOS_SDK_DIR ]]; then
     MACOS_SDK_DIR=$(echo "$(cd "$(dirname "$MACOS_SDK_DIR")" || exit; pwd)/$(basename "$MACOS_SDK_DIR")")
   fi
 
   $GORELEASER_EXEC release ${flags} --config "$GORELEASER_CONFIG" "$@"
 
-  if [[ $ENABLE_DOCKER_PUBLISH == "true" ]]; then
+  if [[ $ENABLE_DOCKER_PUBLISH == "true" ]] && [[ $ENABLE_GORELEASER_SNAPSHOT == "true" ]]; then
       _publish_snapshot_images
       _publish_snapshot_manifests
   fi
-
-  if [[ $ENABLE_COSIGN == "true" ]]; then
-    rm -rf cosign.pub
-    rm -rf cosign.key
-  fi
 }
 
 "$@"