valory-xyz · mohandast52 · May 11, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
@@ -6,9 +6,7 @@
 # is advisory and only nudges GitHub's PR review-request UI.
 #
 # Owner is an individual until a security team exists; switch to a team
-# handle (e.g., @valory-xyz/<team>) once one is created. Path scope below
-# covers only files that exist today; the next supply-chain PR will add
-# lines for `.supply-chain/`, scripts/, and governance docs as they land.
+# handle (e.g., @valory-xyz/<team>) once one is created.
 
 # Default owner: any unowned path falls back here.
 *                                @Tanya-atatakai
@@ -20,8 +18,16 @@
 /package.json                    @Tanya-atatakai
 /yarn.lock                       @Tanya-atatakai
 
-# Disclosure policy.
+# Node-version pin enforced by Corepack in CI.
+/.nvmrc                          @Tanya-atatakai
+
+# Supply-chain controls: scripts that gate CI + allowlists they consult.
+/scripts/                        @Tanya-atatakai
+/.supply-chain/                  @Tanya-atatakai
+
+# Disclosure + threat-model docs.
 /SECURITY.md                     @Tanya-atatakai
+/SUPPLY-CHAIN-SECURITY.md        @Tanya-atatakai
 
 # AI / contributor onboarding context — changes here shape future agent behavior.
 /CLAUDE.md                       @Tanya-atatakai

@@ -143,12 +143,19 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: "24"
+          node-version-file: .nvmrc
           cache: "yarn"
 
+      - name: Activate pinned Yarn via Corepack
+        run: |
+          corepack enable
+          corepack prepare yarn@1.22.22 --activate
+          actual="$(yarn --version)"
+          [ "$actual" = "1.22.22" ] || { echo "::error::corepack activation failed (got $actual)"; exit 1; }
+
       - name: Install subgraph packages
         working-directory: subgraphs/${{ inputs.folder }}
-        run: yarn install
+        run: yarn install --frozen-lockfile
 
       - name: Authenticate
         working-directory: subgraphs/${{ inputs.folder }}

@@ -0,0 +1,68 @@
+name: Gitleaks
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: gitleaks-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5.0.1
+        with:
+          # Full history for `gitleaks detect --log-opts="--all"` on push to main.
+          # PR runs only need the diff range (resolved below).
+          fetch-depth: 0
+
+      - name: Install gitleaks (pinned + checksum-verified)
+        # GITLEAKS_SHA256 is the SHA-256 of gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz
+        # from the upstream gitleaks_${GITLEAKS_VERSION}_checksums.txt file. Without
+        # this, a poisoned GitHub release would silently install a backdoored gitleaks
+        # on every CI run. When bumping GITLEAKS_VERSION, fetch the upstream checksum
+        # in the same commit; reviewers should re-fetch and confirm.
+        env:
+          GITLEAKS_VERSION: '8.30.1'
+          GITLEAKS_SHA256: '551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb'
+        run: |
+          set -euo pipefail
+          TARBALL=/tmp/gitleaks.tar.gz
+          curl -sSL -o "$TARBALL" \
+            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          echo "${GITLEAKS_SHA256}  ${TARBALL}" | sha256sum -c -
+          tar -xz -C /tmp -f "$TARBALL" gitleaks
+          sudo install -m 0755 /tmp/gitleaks /usr/local/bin/gitleaks
+          gitleaks version
+
+      - name: Detect secrets
+        # --redact masks any matched secret in CI logs.
+        # PR: scan only the diff range to keep PR cycles fast.
+        # push to main: scan full history to catch any rewrites.
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            gitleaks detect \
+              --source=. \
+              --no-banner \
+              --redact \
+              --log-opts="origin/${{ github.base_ref }}..HEAD" \
+              --report-format json \
+              --report-path /tmp/leaks.json \
+              -v
+          else
+            gitleaks detect \
+              --source=. \
+              --no-banner \
+              --redact \
+              --log-opts="--all" \
+              --report-format json \
+              --report-path /tmp/leaks.json \
+              -v
+          fi
@@ -0,0 +1,116 @@
+name: Supply Chain
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: supply-chain-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  audit:
+    name: Dependency audit (root tree)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5.0.1
+
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444  # v5.0.0
+        with:
+          node-version-file: .nvmrc
+
+      - name: Activate pinned Yarn via Corepack
+        run: |
+          corepack enable
+          corepack prepare yarn@1.22.22 --activate
+          [ "$(yarn --version)" = "1.22.22" ] || { echo "::error::corepack activation failed"; exit 1; }
+
+      # `yarn audit` reads yarn.lock directly; no install needed.
+      - name: Run audit
+        run: yarn audit:prod
+
+  install-hooks:
+    name: Install-hook audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5.0.1
+
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444  # v5.0.0
+        with:
+          node-version-file: .nvmrc
+
+      - name: Activate pinned Yarn via Corepack
+        run: |
+          corepack enable
+          corepack prepare yarn@1.22.22 --activate
+          [ "$(yarn --version)" = "1.22.22" ] || { echo "::error::corepack activation failed"; exit 1; }
+
+      # `--ignore-scripts` so the hooks don't run while we're enumerating them.
+      - name: Install dependencies (no hooks)
+        run: yarn install --frozen-lockfile --ignore-scripts
+
+      - name: Run install-hook audit
+        run: yarn audit:install-hooks
+
+  lockfile-lint:
+    name: Lockfile validation
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # 13 paths: root + 12 subgraphs. Mirrors test.yaml's matrix shape;
+        # every yarn.lock gets linted.
+        path:
+          - "."
+          - "subgraphs/liquidity"
+          - "subgraphs/liquidity-l2"
+          - "subgraphs/tokenomics-eth"
+          - "subgraphs/tokenomics-l2"
+          - "subgraphs/governance"
+          - "subgraphs/staking"
+          - "subgraphs/service-registry"
+          - "subgraphs/legacy-mech-fees"
+          - "subgraphs/new-mech-fees"
+          - "subgraphs/predict/predict-omen"
+          - "subgraphs/predict/predict-polymarket"
+          - "subgraphs/babydegen/babydegen-optimism"
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5.0.1
+
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444  # v5.0.0
+        with:
+          node-version-file: .nvmrc
+
+      # Catches non-registry deps (e.g. codeload.github.com), HTTP-only sources,
+      # and missing integrity hashes. See SUPPLY-CHAIN-SECURITY.md §6.
+      - name: Lint ${{ matrix.path }}/yarn.lock
+        working-directory: ${{ matrix.path }}
+        run: |
+          npx --yes lockfile-lint \
+            --path yarn.lock \
+            --type yarn \
+            --validate-https \
+            --allowed-hosts yarn npm \
+            --empty-hostname false
+
+  # Aggregator that fails iff any of the above fails. Promote this single
+  # check to required-status in branch protection (rather than each job
+  # individually) for a stable interface that survives matrix changes.
+  all-checks-passed:
+    name: All checks passed
+    needs: [audit, install-hooks, lockfile-lint]
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]] || \
+             [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]] || \
+             [[ "${{ contains(needs.*.result, 'skipped') }}" == "true" ]]; then
+            echo "::error::One or more required jobs did not succeed"
+            exit 1
+          fi
+          echo "All supply-chain checks passed."
@@ -62,7 +62,14 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: "24"
+          node-version-file: .nvmrc
+
+      - name: Activate pinned Yarn via Corepack
+        run: |
+          corepack enable
+          corepack prepare yarn@1.22.22 --activate
+          actual="$(yarn --version)"
+          [ "$actual" = "1.22.22" ] || { echo "::error::corepack activation failed (got $actual)"; exit 1; }
 
       - name: Install dependencies
         working-directory: ${{ matrix.path }}

@@ -0,0 +1,14 @@
+title = "autonolas-subgraph-studio gitleaks config"
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Public on-chain EVM token contract addresses (40-hex) in babydegen mappers and example docs are not secrets"
+paths = [
+  '''shared/babydegen/mappers/.+\.ts''',
+  '''subgraphs/babydegen/.+\.ts''',
+  '''subgraphs/liquidity/README\.md''',
+]
+regexes = ['''0x[a-fA-F0-9]{40}''']
+regexTarget = "match"
@@ -0,0 +1 @@
+24