Merge branch 'main' into ph/mbt

.changelog/unreleased/bug-fixes/1460-msg-validation.md

@@ -0,0 +1,3 @@
+- Improve validation of IBC packet data and provider messages. Also,
+  enable the provider to validate consumer packets before handling them.
+  ([\#1460](https://github.com/cosmos/interchain-security/pull/1460))

.changelog/unreleased/state-breaking/1460-msg-validation.md

@@ -0,0 +1,3 @@
+- Improve validation of IBC packet data and provider messages. Also,
+  enable the provider to validate consumer packets before handling them.
+  ([\#1460](https://github.com/cosmos/interchain-security/pull/1460))

.changelog/v3.2.0/features/provider/1280-reward-denoms.md

@@ -0,0 +1,3 @@
+- Add a governance proposal for setting on the provider the denominations for
+  rewards from consumer chains. 
+  ([\#1280](https://github.com/cosmos/interchain-security/pull/1280))

.changelog/v3.2.0/state-breaking/provider/1280-reward-denoms.md

@@ -0,0 +1,3 @@
+- Add a governance proposal for setting on the provider the denominations for
+  rewards from consumer chains. 
+  ([\#1280](https://github.com/cosmos/interchain-security/pull/1280))

.changelog/v3.2.0/summary.md

@@ -0,0 +1 @@
+*November 24, 2023*

.github/PULL_REQUEST_TEMPLATE/production.md

@@ -23,7 +23,7 @@ I have...
 * [ ] Confirmed this PR does not introduce changes requiring state migrations, OR migration code has been added to consumer and/or provider modules
 * [ ] Targeted the correct branch (see [PR Targeting](https://github.com/cosmos/interchain-security/blob/main/CONTRIBUTING.md#pr-targeting))
 * [ ] Provided a link to the relevant issue or specification
-* [ ] Followed the guidelines for [building SDK modules](https://github.com/cosmos/cosmos-sdk/blob/main/docs/docs/building-modules)
+* [ ] Followed the guidelines for [building SDK modules](https://github.com/cosmos/cosmos-sdk/blob/main/docs/build/building-modules/00-intro.md)
 * [ ] Included the necessary unit and integration [tests](https://github.com/cosmos/interchain-security/blob/main/CONTRIBUTING.md#testing)
 * [ ] Added a changelog entry to `CHANGELOG.md`
 * [ ] Included comments for [documenting Go code](https://blog.golang.org/godoc)

.github/dependabot.yml

@@ -42,7 +42,7 @@ updates:
     directory: "/"
     schedule:
       interval: daily
-    target-branch: "release/v2.1.x-provider-lsm"
+    target-branch: "release/v2.4.x-lsm"
     # Only allow automated security-related dependency updates on release branches.
     open-pull-requests-limit: 0
     labels:
@@ -77,3 +77,13 @@ updates:
     open-pull-requests-limit: 0
     labels:
       - dependencies
+
+  - package-ecosystem: gomod
+    directory: "/"
+    schedule:
+      interval: daily
+    target-branch: "release/v3.3.x"
+    # Only allow automated security-related dependency updates on release branches.
+    open-pull-requests-limit: 0
+    labels:
+      - dependencies

.github/issue_labeler.yml

@@ -0,0 +1,2 @@
+needs-triage: # if no label is set then set triage
+  - ''

.github/pr_labeler.yml

@@ -1,29 +1,37 @@
 "C:x/consumer":
-  - x/ccv/consumer/**/*
+- changed-files:
+  - any-glob-to-any-file: x/ccv/consumer/**
 "C:x/democracy":
-  - x/ccv/democracy/**/*
+- changed-files:
+  - any-glob-to-any-file: x/ccv/democracy/**
 "C:x/provider":
-  - x/ccv/provider/**/*
+- changed-files:
+  - any-glob-to-any-file: x/ccv/provider/**
 "C:x/types":
-  - x/ccv/types/**/*
+- changed-files:
+  - any-glob-to-any-file: x/ccv/types/**
 "C:Docs":
-  - docs/docs/**/*
+- changed-files:
+  - any-glob-to-any-file: docs/docs/**
 "C:ADR":
-  - docs/docs/adrs/**/*
+- changed-files:
+  - any-glob-to-any-file: docs/docs/adrs/**
 "C:CI":
-  - .github/**/*.yml
-  - buf.work.yaml
-  - .mergify.yml
-  - .golangci.yml
-  - mlc_config.json
-  - sonar-project.properties
+- changed-files:
+  - any-glob-to-any-file: .github/**/*.yml
+  - any-glob-to-any-file: buf.work.yaml
+  - any-glob-to-any-file: .mergify.yml
+  - any-glob-to-any-file: .golangci.yml
+  - any-glob-to-any-file: mlc_config.json
+  - any-glob-to-any-file: sonar-project.properties
 "C:Build":
-  - Makefile
-  - Dockerfile
-  - scripts/*
+- changed-files:
+  - any-glob-to-any-file: Makefile
+  - any-glob-to-any-file: Dockerfile
+  - any-glob-to-any-file: scripts/**
 "C:Testing":
-  - app/**/*
-  - cmd/**/*
-  - legacy_ibc_testing/**/*
-  - tests/**/*
-  - testutil/**/*
+- changed-files:
+  - any-glob-to-any-file: app/**
+  - any-glob-to-any-file: cmd/**
+  - any-glob-to-any-file: tests/**
+  - any-glob-to-any-file: testutil/**

.github/workflows/codeql.yml → .github/workflows/codeql-analysis.yml

@@ -2,18 +2,15 @@ name: "CodeQL"
 
 on:
   push:
-    branches:
-      - main
-      - feat/*
-
-    paths-ignore:
-      - "legacy_ibc_testing"
+    paths:
+      - "**.go"
   pull_request:
     branches:
       - main
+      - release/*
       - feat/*
-    paths-ignore:
-      - "legacy_ibc_testing"
+    paths:
+      - "**.go"
   schedule:
     #        ┌───────────── minute (0 - 59)
     #        │  ┌───────────── hour (0 - 23)
@@ -27,28 +24,33 @@ on:
     - cron: "30 1 * * 0"
 
 jobs:
-  CodeQL-Build:
-    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
+  analyze:
+    name: Analyze
     runs-on: ubuntu-latest
-
     permissions:
-      # required for all workflows
-      security-events: write
-
-      # only required for workflows in private repositories
       actions: read
       contents: read
+      security-events: write
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-
+      - uses: actions/setup-go@v4
+        with:
+          go-version: "1.20"
+          check-latest: true
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2
         # Override language selection by uncommenting this and choosing your languages
         with:
           languages: go
+          queries: +security-and-quality,github/codeql/go/ql/src/experimental/InconsistentCode/DeferInLoop.ql@main,github/codeql/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql@main,github/codeql/go/ql/src/experimental/CWE-369/DivideByZero.ql@main
+          packs: +crypto-com/cosmos-sdk-codeql
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below).

.github/workflows/golangci-lint.yml

@@ -1,47 +1,34 @@
-name: golangci-lint
+name: Lint
 on:
   push:
-    tags:
-      - v*
     branches:
-      - master
       - main
+      - release/**
       - feat/*
   pull_request:
+  merge_group:
 permissions:
   contents: read
-  # Optional: allow read access to pull request. Use with `only-new-issues` option.
-  # pull-requests: read
 jobs:
   golangci:
-    name: lint
+    name: golangci-lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-go@v4
         with:
           go-version: '1.20'
-      - uses: actions/checkout@v4
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+      - uses: technote-space/[email protected]
+        id: git_diff
         with:
-          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v1.54.1
-
-          # Optional: working directory, useful for monorepos
-          # working-directory: somedir
-
-          # Optional: golangci-lint command line arguments.
-          args: --config=.golangci.yml
-
-          # Optional: show only new issues if it's a pull request. The default value is `false`.
-          # only-new-issues: true
-
-          # Optional: if set to true then the all caching functionality will be complete disabled,
-          #           takes precedence over all other caching options.
-          # skip-cache: true
-
-          # Optional: if set to true then the action don't cache or restore ~/go/pkg.
-          # skip-pkg-cache: true
+          PATTERNS: |
+            **/*.go
+            go.mod
+            go.sum
+            **/go.mod
+            **/go.sum
+      - uses: actions/checkout@v4
+      - name: run linting
+        if: env.GIT_DIFF
+        run: |
+          make lint
 
-          # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
-          # skip-build-cache: true

.github/workflows/gosec.yml

@@ -1,13 +1,22 @@
-name: gosec
+name: Run Gosec
 on:
-  push:
+  pull_request:
+    paths:
+      - "**/*.go"
+      - "go.mod"
+      - "go.sum"
     branches:
       - main
       - feat/*
-  pull_request:
+  push:
     branches:
       - main
       - feat/*
+    paths:
+      - "**/*.go"
+      - "go.mod"
+      - "go.sum"
+
 jobs:
   Gosec:
     runs-on: ubuntu-latest

.github/workflows/issue_labeler.yml

@@ -0,0 +1,15 @@
+name: "Issue Labeler"
+on:
+  issues:
+    types: [opened]
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: github/[email protected]
+        if: join(github.event.issue.labels) == ''
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          configuration-path: .github/issue_labeler.yml
+          enable-versioned-regex: 0 

.github/workflows/lint-pr.yml

@@ -0,0 +1,47 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+
+jobs:
+  main:
+    permissions:
+      pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/[email protected]
+        id: lint_pr_title
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: marocchino/sticky-pull-request-comment@v2
+        # When the previous steps fails, the workflow would stop. By adding this
+        # condition you can continue the execution with the populated error message.
+        if: always() && (steps.lint_pr_title.outputs.error_message != null)
+        with:
+          header: pr-title-lint-error
+          message: |
+            Hey there and thank you for opening this pull request! 👋🏼
+
+            We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
+
+            Details:
+
+            ```
+            ${{ steps.lint_pr_title.outputs.error_message }}
+            ```
+
+      # Delete a previous comment when the issue has been resolved
+      - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
+        uses: marocchino/sticky-pull-request-comment@v2
+        with:
+          header: pr-title-lint-error
+          delete: true

.github/workflows/md-link-checker.yml

@@ -0,0 +1,27 @@
+name: Check Markdown links
+on:
+  pull_request:
+    paths:
+      - "*.md"
+      - "docs/docs/**.md"
+jobs:
+  repo-root:
+    runs-on: ubuntu-latest
+    steps:
+      # Check out the latest version of the code
+      - uses: actions/checkout@v4
+      # Checks the status of hyperlinks in *.md files in the repo root
+      - uses: gaurav-nelson/[email protected]
+        with:
+          folder-path: '.'
+          max-depth: 1
+
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      # Check out the latest version of the code
+      - uses: actions/checkout@v4
+      # Checks the status of hyperlinks in *.md files in the docs/docs folder
+      - uses: gaurav-nelson/[email protected]
+        with:
+          folder-path: 'docs/docs'

.github/workflows/pr_labeler.yml

@@ -12,7 +12,7 @@ jobs:
       pull-requests: write  # for actions/labeler to add labels to PRs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@main
+      - uses: actions/labeler@v5
         with:
           configuration-path: .github/pr_labeler.yml
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/test.yml

@@ -2,6 +2,7 @@ name: Test
 on:
   workflow_call:
   pull_request:
+  merge_group:
   push:
     branches:
       - main