From 43ef7ccbd0e067c430da0701c842eedaeb582346 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Wed, 11 Feb 2026 10:01:22 -0600
Subject: [PATCH 1/3] [StepSecurity] Apply security best practices (#966)
Signed-off-by: StepSecurity Bot
Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>
---
 .github/workflows/stale.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 04bee16e0..f2cd59025 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: '30 0 * * *'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 stale:
 runs-on: ubuntu-latest
@@ -12,6 +15,11 @@ jobs:
 issues: write
 pull-requests: write
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
 with:
 days-before-stale: 14
From 5d47f18690ea40cc6cbb0ddb6b2fb4f77e9daf6d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 11 Feb 2026 10:01:41 -0600
Subject: [PATCH 2/3] chore: updated base, nethermind, op-geth, optimism, reth (#937)
Co-authored-by: danyalprout <672580+danyalprout@users.noreply.github.com>
---
 versions.env | 20 ++++++++++----------
 versions.json | 20 ++++++++++----------
 2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/versions.env b/versions.env
index 535b158e7..7a1d118d9 100644
--- a/versions.env
+++ b/versions.env
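Review bot: The new workflow-level `permissions: contents: read` in the first stale.yml hunk carries no comment saying which jobs it governs, and a job-level `permissions` block replaces the workflow default rather than merging with it. The context of the second hunk shows `issues: write` and `pull-requests: write` under the `stale` job, so that job's token appears to be defined by its own block (the `permissions:` key itself is above the visible lines). I would add a comment above the new block such as `# Default for jobs without their own permissions block; the stale job sets its own`. If no job relies on the default, `permissions: {}` would make a job added later start with no token scopes at all.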
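Review bot: `egress-policy: audit` in the added harden-runner step only records outbound connections and blocks none, so a compromised step can still reach arbitrary hosts while holding the job's `issues: write` / `pull-requests: write` token. Once a few scheduled runs have produced a baseline, the step should move to `egress-policy: block` with an `allowed-endpoints` list limited to what the stale action needs, for example `allowed-endpoints: api.github.com:443` (to be confirmed against the audit output). Until then a comment such as `# audit = log only; switch to block once the endpoint baseline is reviewed` would make the interim state explicit. Both actions are pinned by commit SHA with a version comment, which should be kept on future bumps.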
@@ -1,15 +1,15 @@
-export BASE_RETH_NODE_COMMIT=bb1b4571bebb8a9cd8ff1ec8758001fdc32758e8
+export BASE_RETH_NODE_COMMIT=fa6d3444debd96977ae14ccae502b91cbbe3f463
 export BASE_RETH_NODE_REPO=https://github.com/base/base.git
-export BASE_RETH_NODE_TAG=v0.3.0
-export NETHERMIND_COMMIT=d9febbce240491e8f918d41a4ffd06385a746b6c
+export BASE_RETH_NODE_TAG=v0.3.1
+export NETHERMIND_COMMIT=31cb81b7328026791cdfaccd9db230c82f1db02d
 export NETHERMIND_REPO=https://github.com/NethermindEth/nethermind.git
-export NETHERMIND_TAG=1.35.3
-export OP_GETH_COMMIT=904a088c5cc1eeec21a1ffa47327dc20a809e642
+export NETHERMIND_TAG=1.36.0
+export OP_GETH_COMMIT=32cc3b8caf8647dbefbd29b2c3ed862132e53ad2
 export OP_GETH_REPO=https://github.com/ethereum-optimism/op-geth.git
-export OP_GETH_TAG=v1.101603.5
-export OP_NODE_COMMIT=1b8c541060f0d323a7023fbc68fbbc8daf674340
+export OP_GETH_TAG=v1.101608.0
+export OP_NODE_COMMIT=b66cc587b4185089e6f81bf6a4fc4233f2a7505d
 export OP_NODE_REPO=https://github.com/ethereum-optimism/optimism.git
-export OP_NODE_TAG=op-node/v1.16.2
-export OP_RETH_COMMIT=27a8c0f5a6dfb27dea84c5751776ecabdd069646
+export OP_NODE_TAG=op-node/v1.16.6
+export OP_RETH_COMMIT=8e3b5e6a99439561b73c5dd31bd3eced2e994d60
 export OP_RETH_REPO=https://github.com/paradigmxyz/reth.git
-export OP_RETH_TAG=v1.9.3
\ No newline at end of file
+export OP_RETH_TAG=v1.10.2
\ No newline at end of file
diff --git a/versions.json b/versions.json
index 82698cbfc..3b88fd5c2 100644
--- a/versions.json
+++ b/versions.json
@@ -1,36 +1,36 @@
 {
 "base_reth_node": {
- "tag": "v0.3.0",
- "commit": "bb1b4571bebb8a9cd8ff1ec8758001fdc32758e8",
+ "tag": "v0.3.1",
+ "commit": "fa6d3444debd96977ae14ccae502b91cbbe3f463",
 "owner": "base",
 "repo": "base",
 "tracking": "release"
 },
 "nethermind": {
- "tag": "1.35.3",
- "commit": "d9febbce240491e8f918d41a4ffd06385a746b6c",
+ "tag": "1.36.0",
+ "commit": "31cb81b7328026791cdfaccd9db230c82f1db02d",
 "owner": "NethermindEth",
 "repo": "nethermind",
 "tracking": "release"
 },
 "op_geth": {
- "tag": "v1.101603.5",
- "commit": "904a088c5cc1eeec21a1ffa47327dc20a809e642",
+ "tag": "v1.101608.0",
+ "commit": "32cc3b8caf8647dbefbd29b2c3ed862132e53ad2",
 "owner": "ethereum-optimism",
 "repo": "op-geth",
 "tracking": "release"
 },
 "op_node": {
- "tag": "op-node/v1.16.2",
- "commit": "1b8c541060f0d323a7023fbc68fbbc8daf674340",
+ "tag": "op-node/v1.16.6",
+ "commit": "b66cc587b4185089e6f81bf6a4fc4233f2a7505d",
 "tagPrefix": "op-node",
 "owner": "ethereum-optimism",
 "repo": "optimism",
 "tracking": "release"
 },
 "op_reth": {
- "tag": "v1.9.3",
- "commit": "27a8c0f5a6dfb27dea84c5751776ecabdd069646",
+ "tag": "v1.10.2",
+ "commit": "8e3b5e6a99439561b73c5dd31bd3eced2e994d60",
 "owner": "paradigmxyz",
 "repo": "reth",
 "tracking": "release"
From 5598217c5e5f6d44f909529a7c2e5a2568fa581c Mon Sep 17 00:00:00 2001
From: Danyal Prout
Date: Wed, 11 Feb 2026 10:29:32 -0600
Subject: [PATCH 3/3] fix: update dotnet images to 10.0 for Nethermind 1.36.0 (#967)
Nethermind 1.36.0 requires .NET SDK 10.0.100 (via global.json), but the Dockerfile was still using 9.0 images, causing the build to fail with exit code 145.
---
 nethermind/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nethermind/Dockerfile b/nethermind/Dockerfile
index 729b9264c..f03032f76 100644
--- a/nethermind/Dockerfile
+++ b/nethermind/Dockerfile
@@ -13,7 +13,7 @@ RUN . /tmp/versions.env && git clone $OP_NODE_REPO --branch $OP_NODE_TAG --singl RUN . /tmp/versions.env && cd op-node && \ just VERSION=$OP_NODE_TAG op-node -FROM mcr.microsoft.com/dotnet/sdk:9.0-noble AS build +FROM mcr.microsoft.com/dotnet/sdk:10.0-noble AS build ARG BUILD_CONFIG=release ARG TARGETARCH @@ -31,7 +31,7 @@ RUN TARGETARCH=${TARGETARCH#linux/} && \ echo "Using architecture: $arch" && \ dotnet publish src/Nethermind/Nethermind.Runner -c $BUILD_CONFIG -a $arch -o /publish --sc false -FROM mcr.microsoft.com/dotnet/aspnet:9.0-noble +FROM mcr.microsoft.com/dotnet/aspnet:10.0-noble RUN apt-get update && \ apt-get install -y jq curl supervisor && \
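Review bot: Both new `FROM` lines (`sdk:10.0-noble` in the first hunk and `aspnet:10.0-noble` in the second) reference a floating tag, so the image content can change between builds with no change in this repository, while the sources in versions.env are pinned to commits. Pinning by digest keeps the build reproducible and makes base-image updates visible in review, e.g. `FROM mcr.microsoft.com/dotnet/sdk:10.0-noble@sha256:<digest-placeholder> AS build`, and likewise for the aspnet stage. The commit message ties the image to Nethermind's global.json (SDK 10.0.100), so a comment above the build stage such as `# SDK major must satisfy the global.json of the Nethermind tag in versions.env` would tell the next version bump why this tag matters. Both stages continue outside the hunks.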