Merge branch 'zksync-yn' of ssh://github.com/smartcontractkit/ccip in…

…to zksync-yn

.changeset/four-kangaroos-appear.md

@@ -0,0 +1,5 @@
+---
+"chainlink": patch
+---
+
+Add config validation so it requires ws url when http polling disabled #bugfix

.changeset/moody-rules-agree.md

@@ -0,0 +1,8 @@
+---
+"chainlink": patch
+---
+
+- register polling subscription to avoid subscription leaking when rpc client gets closed.
+- add a temporary special treatment for SubscribeNewHead before we replace it with SubscribeToHeads. Add a goroutine that forwards new head from poller to caller channel.
+- fix a deadlock in poller, by using a new lock for subs slice in rpc client.
+#bugfix

.changeset/old-bees-kiss.md

@@ -0,0 +1,5 @@
+---
+"ccip": patch
+---
+
+Consolidated FinalityDepth setting #internal

.changeset/pretty-worms-smell.md

@@ -0,0 +1,5 @@
+---
+"chainlink": patch
+---
+
+Added a custom client error message for Mantle to capture NonceTooLow error. #added

.changeset/silly-lies-boil.md

@@ -0,0 +1,8 @@
+---
+"chainlink": minor
+---
+
+Make websocket URL `WSURL` for `EVM.Nodes` optional, and apply logic so that:
+* If WS URL was not provided, SubscribeFilterLogs should fail with an explicit error
+* If WS URL was not provided LogBroadcaster should be disabled 
+#nops

.changeset/tough-boats-shop.md

@@ -0,0 +1,5 @@
+---
+"chainlink": minor
+---
+
+start of next release

.changeset/tricky-candles-matter.md

@@ -0,0 +1,5 @@
+---
+"chainlink": patch
+---
+
+#bugfix Memory leak fix on promwrapper

.github/CODEOWNERS

@@ -11,8 +11,9 @@
 
 # Services
 /core/services/directrequest @smartcontractkit/keepers
-/core/services/feeds @smartcontractkit/FMS
+/core/services/feeds @smartcontractkit/op-core @eutopian @yevshev
 /core/services/synchronization/telem @smartcontractkit/realtime
+/core/capabilities/ccip @smartcontractkit/ccip-offchain
 
 # To be deprecated in Chainlink V3
 /core/services/fluxmonitorv2 @smartcontractkit/foundations
@@ -23,9 +24,9 @@
 /core/services/pg @smartcontractkit/foundations @samsondav
 /core/services/pipeline @smartcontractkit/foundations @smartcontractkit/bix-framework
 /core/services/telemetry @smartcontractkit/realtime
-/core/services/relay/evm/mercury @smartcontractkit/mercury-team
+/core/services/relay/evm/mercury @smartcontractkit/data-streams-engineers
 /core/services/webhook @smartcontractkit/foundations @smartcontractkit/bix-framework
-/core/services/llo @smartcontractkit/mercury-team
+/core/services/llo @smartcontractkit/data-streams-engineers
 
 # VRF-related services
 /core/services/vrf @smartcontractkit/vrf-team
@@ -67,17 +68,16 @@ core/scripts/gateway @smartcontractkit/functions
 
 /contracts/src/v0.8/functions @smartcontractkit/functions
 /contracts/**/*functions* @smartcontractkit/functions
-/contracts/**/*llo-feeds* @smartcontrackit/mercury-team
+/contracts/**/*llo-feeds* @smartcontractkit/data-streams-engineers
 /contracts/**/*vrf* @smartcontractkit/vrf-team
 /contracts/**/*l2ep* @smartcontractkit/bix-ship
-# TODO: replace with a team tag when ready
-/contracts/**/*keystone* @archseer @bolekk @patrick-dowell
+/contracts/**/*keystone* @smartcontractkit/keystone
 
 /contracts/src/v0.8/automation @smartcontractkit/keepers
 /contracts/src/v0.8/functions @smartcontractkit/functions
 # TODO: interfaces folder, folder should be removed and files moved to the correct folders
 /contracts/src/v0.8/l2ep @chris-de-leon-cll
-/contracts/src/v0.8/llo-feeds @smartcontractkit/mercury-team
+/contracts/src/v0.8/llo-feeds @smartcontractkit/data-streams-engineers
 # TODO: mocks folder, folder should be removed and files moved to the correct folders
 /contracts/src/v0.8/operatorforwarder @smartcontractkit/data-feeds-engineers
 /contracts/src/v0.8/shared @RensR @matYang @RayXpub @elatoskinas
@@ -93,11 +93,18 @@ core/scripts/gateway @smartcontractkit/functions
 
 
 # Tests
-/integration-tests/**/*ccip* @smartcontractkit/test-tooling-team @jasonmci @smartcontractkit/ccip
+/integration-tests/ @smartcontractkit/test-tooling-team
+/integration-tests/ccip-tests @smartcontractkit/ccip-offchain
 /integration-tests/**/*keeper* @smartcontractkit/keepers
 /integration-tests/**/*automation* @smartcontractkit/keepers
 /integration-tests/**/*lm_* @smartcontractkit/liquidity-manager
 
+# Deployment tooling
+# Initially the common structures owned by CCIP
+/integration-tests/deployment @smartcontractkit/ccip
+/integration-tests/deployment/ccip @smartcontractkit/ccip
+# TODO: As more products add their deployment logic here, add the team as an owner
+
 # CI/CD
 /.github/** @smartcontractkit/releng @smartcontractkit/test-tooling-team @jasonmci @smartcontractkit/ccip
 /.github/workflows/integration-tests.yml @smartcontractkit/test-tooling-team @jasonmci

.github/E2E_TESTS_ON_GITHUB_CI.md

@@ -0,0 +1,58 @@
+# E2E Tests on GitHub CI
+
+E2E tests are executed on GitHub CI using the [E2E Tests Reusable Workflow](#about-the-reusable-workflow) or dedicated workflows.
+
+## Automatic workflows
+
+These workflows are designed to run automatically at crucial stages of the software development process, such as on every commit in a PR, nightly or before release.
+
+### PR E2E Tests
+
+Run on every commit in a PR to ensure changes do not introduce regressions.
+
+[Link](https://github.com/smartcontractkit/chainlink/blob/develop/.github/workflows/integration-tests.yml)
+
+### Nightly E2E Tests
+
+Conducted nightly to catch issues that may develop over time or with accumulated changes.
+
+[Link](https://github.com/smartcontractkit/chainlink/blob/develop/.github/workflows/run-nightly-e2e-tests.yml)
+
+### Release E2E Tests
+
+This section contains automatic workflows triggering E2E tests at release.
+
+#### Client Compatibility Tests
+
+[Link](https://github.com/smartcontractkit/chainlink/actions/workflows/client-compatibility-tests.yml)
+
+## On-Demand Workflows
+
+Triggered manually by QA for specific testing needs.
+
+**Examples:**
+
+- [On-Demand Automation Tests](https://github.com/smartcontractkit/chainlink/actions/workflows/automation-ondemand-tests.yml)
+- [CCIP Chaos Tests](https://github.com/smartcontractkit/chainlink/actions/workflows/ccip-chaos-tests.yml)
+- [OCR Soak Tests](https://github.com/smartcontractkit/chainlink/actions/workflows/on-demand-ocr-soak-test.yml)
+- [VRFv2Plus Smoke Tests](https://github.com/smartcontractkit/chainlink/actions/workflows/on-demand-vrfv2plus-smoke-tests.yml)
+
+## Test Configs
+
+E2E tests utilize TOML files to define their parameters. Each test is equipped with a default TOML config, which can be overridden by specifying an alternative TOML config. This allows for running tests with varied parameters, such as on a non-default blockchain network. For tests executed on GitHub CI, both the default configs and any override configs must reside within the git repository. The `test_config_override_path` workflow input is used to provide a path to an override config.
+
+Config overrides should be stored in `testconfig/*/overrides/*.toml`. Placing files here will not trigger a rebuild of the test runner image.
+
+**Important Note:** The use of `base64Config` input is deprecated in favor of `test_config_override_path`. For more details, refer to [the decision log](https://smartcontract-it.atlassian.net/wiki/spaces/TT/pages/927596563/Storing+All+Test+Configs+In+Git).
+
+To learn more about test configs see [CTF Test Config](https://github.com/smartcontractkit/chainlink-testing-framework/blob/main/lib/config/README.md).
+
+## Test Secrets
+
+For security reasons, test secrets and sensitive information are not stored directly within the test config TOML files. Instead, these secrets are securely injected into tests using environment variables. For a detailed explanation on managing test secrets, refer to our [Test Secrets documentation](https://github.com/smartcontractkit/chainlink-testing-framework/blob/main/lib/config/README.md#test-secrets).
+
+If you need to run a GitHub workflow using custom secrets, please refer to the [guide on running GitHub workflows with your test secrets](https://github.com/smartcontractkit/chainlink-testing-framework/blob/main/lib/config/README.md#run-github-workflow-with-your-test-secrets).
+
+## About the E2E Test Reusable Workflow
+
+For information on the E2E Test Reusable Workflow, visit the documentation in the [smartcontractkit/.github repository](https://github.com/smartcontractkit/.github/blob/main/.github/workflows/README.md).

.github/actions/build-chainlink-image/action.yml

@@ -37,7 +37,7 @@ runs:
         AWS_ROLE_TO_ASSUME: ${{ inputs.AWS_ROLE_TO_ASSUME }}
     - name: Build Image
       if: steps.check-image.outputs.exists != 'true'
-      uses: smartcontractkit/chainlink-github-actions/chainlink-testing-framework/build-image@75a9005952a9e905649cfb5a6971fd9429436acd # v2.3.25
+      uses: smartcontractkit/.github/actions/ctf-build-image@1a26fe378d7ebdc34ab1fe31ec4a6d1c376199f8 # [email protected]
       with:
         cl_repo: smartcontractkit/ccip
         cl_ref: ${{ inputs.git_commit_sha }}
@@ -51,4 +51,4 @@ runs:
       shell: sh
       run: |
         echo "### Chainlink node image tag used for this test run :link:" >>$GITHUB_STEP_SUMMARY
-        echo "\`${GITHUB_SHA}\`" >>$GITHUB_STEP_SUMMARY
+        echo "\`${{inputs.git_commit_sha}}\`" >>$GITHUB_STEP_SUMMARY

.github/actions/build-sign-publish-chainlink/action.yml

@@ -51,23 +51,11 @@ inputs:
     description: When set to the string boolean value of "true", the resulting build image will be signed
     default: "false"
     required: false
-  cosign-private-key:
-    description: The private key to be used with cosign to sign the image
-    required: false
-  cosign-public-key:
-    description: The public key to be used with cosign for verification
-    required: false
-  cosign-password:
-    description: The password to decrypt the cosign private key needed to sign the image
-    required: false
-  sign-method:
-    description: Build image will be signed using keypair or keyless methods
-    default: "keypair"
-    required: true
   verify-signature:
     description: When set to the string boolean value of "true", the resulting build image signature will be verified
     default: "false"
     required: false
+
 outputs:
   docker-image-tag:
     description: The docker image tag that was built and pushed
@@ -84,6 +72,8 @@ runs:
       # See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings
       run: |
         SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }}
+        OIDC_ISSUER=https://token.actions.githubusercontent.com
+        OIDC_IDENTITY=https://github.com/smartcontractkit/chainlink/.github/workflows/build-publish.yml@${{ github.ref }}
 
         SHARED_TAG_LIST=$(cat << EOF
         type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }}
@@ -101,6 +91,9 @@ runs:
         echo "$SHARED_IMAGES" >> $GITHUB_ENV
         echo "EOF" >> $GITHUB_ENV
 
+        echo "oidc-issuer=${OIDC_ISSUER}" >> $GITHUB_ENV
+        echo "oidc-identity=${OIDC_IDENTITY}" >> $GITHUB_ENV
+
         echo "shared-tag-list<<EOF" >> $GITHUB_ENV
         echo "$SHARED_TAG_LIST" >> $GITHUB_ENV
         echo "EOF" >> $GITHUB_ENV
@@ -171,7 +164,9 @@ runs:
       run: |
         IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
         IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
+        IMAGE_DIGEST=${{ fromJSON(steps.buildpush-root.outputs.metadata)['containerimage.digest'] }}
         echo "root_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
+        echo "root_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
 
     - name: Generate docker metadata for non-root image
       id: meta-nonroot
@@ -217,6 +212,7 @@ runs:
         IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
         IMAGE_TAG=$(echo "$IMAGES_NAME_RAW" | cut -d":" -f2)
         echo "nonroot_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
+        echo "nonroot_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
         echo '### Docker Image' >> $GITHUB_STEP_SUMMARY
         echo "Image Name: ${IMAGE_NAME}"  >> $GITHUB_STEP_SUMMARY
         echo "Image Digest: ${IMAGE_DIGEST}"  >> $GITHUB_STEP_SUMMARY
@@ -239,74 +235,36 @@ runs:
 
     - if: inputs.sign-images == 'true'
       name: Install cosign
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
       with:
-        cosign-release: "v1.6.0"
+        cosign-release: "v2.4.0"
 
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
-      name: Sign the published root Docker image using keypair method
-      shell: sh
-      env:
-        COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
-      run: |
-        echo "${{ inputs.cosign-private-key }}" > cosign.key
-        cosign sign --key cosign.key "${{ env.root_image_name }}"
-        rm -f cosign.key
-
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
-      name: Verify the signature of the published root Docker image using keypair
-      shell: sh
-      run: |
-        echo "${{ inputs.cosign-public-key }}" > cosign.key
-        cosign verify --key cosign.key "${{ env.root_image_name }}"
-        rm -f cosign.key
-
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
+    # This automatically signs the image with the correct OIDC provider from Github
+    - if: inputs.sign-images == 'true'
       name: Sign the published root Docker image using keyless method
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
       run: |
-        cosign sign "${{ env.root_image_name }}"
+        cosign sign "${{ env.root_image_name }}" --yes
 
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
+    - if: inputs.verify-signature == 'true'
       name: Verify the signature of the published root Docker image using keyless
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
-      run: |
-        cosign verify "${{ env.root_image_name }}"
-
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
-      name: Sign the published non-root Docker image using keypair method
-      shell: sh
-      env:
-        COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
-      run: |
-        echo "${{ inputs.cosign-private-key }}" > cosign.key
-        cosign sign --key cosign.key "${{ env.nonroot_image_name }}"
-        rm -f cosign.key
-
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
-      name: Verify the signature of the published non-root Docker image using keypair
-      shell: sh
       run: |
-        echo "${{ inputs.cosign-public-key }}" > cosign.key
-        cosign verify --key cosign.key "${{ env.nonroot_image_name }}"
-        rm -f cosign.key
+        cosign verify "${{ env.root_image_name }}" \
+        --certificate-oidc-issuer ${{ env.oidc-issuer }} \
+        --certificate-identity "${{ env.oidc-identity }}"
 
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
+    # This automatically signs the image with the correct OIDC provider from Github
+    - if: inputs.sign-images == 'true'
       name: Sign the published non-root Docker image using keyless method
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
       run: |
-        cosign sign "${{ env.nonroot_image_name }}"
+        cosign sign "${{ env.nonroot_image_name }}" --yes
 
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
+    - if: inputs.verify-signature == 'true'
       name: Verify the signature of the published non-root Docker image using keyless
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
       run: |
-        cosign verify "${{ env.nonroot_image_name }}"
+        cosign verify "${{ env.nonroot_image_name }}" \
+        --certificate-oidc-issuer ${{ env.oidc-issuer }} \
+        --certificate-identity "${{ env.oidc-identity }}"