diff --git a/.github/workflows/codeql-scanning.yml b/.github/workflows/codeql-scanning.yml
new file mode 100644
index 00000000..6858fbf7
--- /dev/null
+++ b/.github/workflows/codeql-scanning.yml
@@ -0,0 +1,43 @@
+name: "codeql-scanning"
+
+on:
+ push:
+ branches:
+ - main
+ - 'release/*'
+ pull_request:
+ branches:
+ - main
+ - 'release/*'
+ schedule:
+ - cron: '0 9 * * *'
+
+jobs:
+ CodeQL-Scanning:
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ security-events: write
+ pull-requests: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+ with:
+ submodules: recursive
+
+ - name: Install golang
+ uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # 5.3.0
+ with:
+ go-version: '1.21.13'
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a #3.28.8
+ with:
+ languages: go
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a #3.28.8
diff --git a/README.md b/README.md
index 17aaa187..2f70ea64 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,7 @@ In order to disperse to the EigenDA network in production, or at high throughput
 - [Deployment Guide](#deployment-guide)
 - [Hardware Requirements](#hardware-requirements)
 - [Ethereum Node Requirements](#ethereum-node-requirements)
+ - [SRS Points Requirements](#srs-points-requirements)
 - [Deployment Steps](#deployment-steps)
 - [Env File](#env-file)
 - [Running via Docker](#running-via-docker)
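Review bot: The `Checkout repository` step in codeql-scanning.yml keeps the checkout action's default credential persistence, so the job token stays in the local git config while recursive submodules are fetched and the Go code is built for analysis; adding `persist-credentials: false` under that step's `with:` removes the exposure. The `pull-requests: read` permission does not appear to be used by any step shown in this workflow, so it could be dropped to leave the token at `contents: read` plus `security-events: write`. A short comment above `go-version: '1.21.13'` stating that it must track the toolchain the module is built with would help keep the scan and the real build from drifting apart.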
@@ -75,6 +76,10 @@ A normal (non-archival) Ethereum node is sufficient for running the proxy with [ 1. immutable (eg: [securityThresholds](https://github.com/Layr-Labs/eigenda/blob/a6dd724acdf732af483fd2d9a86325febe7ebdcd/contracts/src/core/EigenDAThresholdRegistryStorage.sol#L30)), or 2. are upgradeable but have all the historical versions available in contract storage (eg: [versioninedBlobParams](https://github.com/Layr-Labs/eigenda/blob/a6dd724acdf732af483fd2d9a86325febe7ebdcd/contracts/src/core/EigenDAThresholdRegistryStorage.sol#L27)) +### SRS Points Requirements + +In order to compute (and in our current implementation also verify) KZG commitments, G1 SRS points of size equivalent to the blob size are needed. The points must be loaded into the binary by using the [--eigenda.g1-path](https://github.com/Layr-Labs/eigenda-proxy/blob/147783535bedc117097ddc1c8c1eb7688de29eb6/verify/cli.go#L55) flag. A 32MiB G1 SRS file is available under [./resources/g1.point](./resources/g1.point). This file is also copied inside our distributed [docker images](https://github.com/Layr-Labs/eigenda-proxy/pkgs/container/eigenda-proxy), at [\/resources/g1.point](https://github.com/Layr-Labs/eigenda-proxy/blob/147783535bedc117097ddc1c8c1eb7688de29eb6/Dockerfile#L30). The `--eigenda.g1-path` flag's default value is the relative path `resources/g1.point`, which will work when running the binary from the repo's root directory, as well as inside the container. + ### Deployment Steps ```bash 
@@ -280,7 +285,7 @@ To quickly set up monitoring dashboard, add eigenda-proxy metrics endpoint to a | `--metrics.enabled` | `false` | `$EIGENDA_PROXY_METRICS_ENABLED` | Enable the metrics server. | | `--metrics.port` | `7300` | `$EIGENDA_PROXY_METRICS_PORT` | Metrics listening port. | | `--port` | `3100` | `$EIGENDA_PROXY_PORT` | Server listening port. | -| `--s3.credential-type` | | `$EIGENDA_PROXY_S3_CREDENTIAL_TYPE` | Static or iam. | +| `--s3.credential-type` | | `$EIGENDA_PROXY_S3_CREDENTIAL_TYPE` | Static, iam or public. | | `--s3.access-key-id` | | `$EIGENDA_PROXY_S3_ACCESS_KEY_ID` | Access key id for S3 storage. | | `--s3.access-key-id` | | `$EIGENDA_PROXY_S3_ACCESS_KEY_ID` | Access key id for S3 storage. | | `--s3.access-key-secret` | | `$EIGENDA_PROXY_S3_ACCESS_KEY_SECRET` | Access key secret for S3 storage. | diff --git a/store/precomputed_key/s3/cli.go b/store/precomputed_key/s3/cli.go index 49a11241..37ef0789 100644 --- a/store/precomputed_key/s3/cli.go +++ b/store/precomputed_key/s3/cli.go @@ -42,7 +42,7 @@ func CLIFlags(envPrefix, category string) []cli.Flag { }, &cli.StringFlag{ Name: CredentialTypeFlagName, - Usage: "the way to authenticate to S3, options are [iam, static]", + Usage: "the way to authenticate to S3, options are [iam, static, public]", EnvVars: withEnvPrefix(envPrefix, "CREDENTIAL_TYPE"), Category: category, }, diff --git a/store/precomputed_key/s3/s3.go b/store/precomputed_key/s3/s3.go index fc468192..dc23517e 100644 --- a/store/precomputed_key/s3/s3.go +++ b/store/precomputed_key/s3/s3.go @@ -21,6 +21,7 @@ import ( const ( CredentialTypeStatic CredentialType = "static" CredentialTypeIAM CredentialType = "iam" + CredentialTypePublic CredentialType = "public" CredentialTypeUnknown CredentialType = "unknown" ) @@ -30,6 +31,8 @@ func StringToCredentialType(s string) CredentialType { return CredentialTypeStatic case "iam": return CredentialTypeIAM + case "public": + return CredentialTypePublic default: return CredentialTypeUnknown } 
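Review bot: In the `StringToCredentialType` hunk of s3.go, any value other than the three recognised strings still maps to `CredentialTypeUnknown`, and in the `creds` hunk that follows, everything that is not `iam` or `public` falls through to `credentials.NewStaticV4`. Now that an unauthenticated mode is selectable, a mistyped `--s3.credential-type` would silently select static credentials with whatever keys are set, possibly empty ones, unless configuration validation elsewhere rejects `CredentialTypeUnknown`; no such validation is visible in this diff. Consider rejecting the unknown type at startup with an error that lists the accepted values, and adding a doc comment on the new constant such as `// CredentialTypePublic sends unsigned (anonymous) requests; intended for publicly readable buckets only.` The function's signature and switch header lie outside the hunk.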
@@ -138,5 +141,8 @@ func creds(cfg Config) *credentials.Credentials {
 if cfg.CredentialType == CredentialTypeIAM {
 return credentials.NewIAM("")
 }
+ if cfg.CredentialType == CredentialTypePublic {
+ return nil
+ }
 return credentials.NewStaticV4(cfg.AccessKeyID, cfg.AccessKeySecret, "")
 }
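Review bot: The new `return nil` branch in `creds` relies on the S3 client accepting a nil `*credentials.Credentials` and sending unsigned requests; that contract is not visible here, so the branch should carry a comment making the intent explicit, for example `// nil credentials: requests are sent unsigned, for publicly readable buckets`. In this mode `cfg.AccessKeyID` and `cfg.AccessKeySecret` are ignored without notice, so a startup warning when they are set together with `public` would surface a misconfiguration. Because objects are then fetched without authenticated requests, the read path should verify each object against its precomputed key before use; whether it does so is outside this hunk.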