Merge branch 'PLEX-1920' into solana-logtrigger-e2e

Author: silaslenihan

.github/workflows/build-publish.yml

@@ -17,14 +17,17 @@ jobs:
       is-release: ${{ steps.release-tag-check.outputs.is-release }}
       is-pre-release: ${{ steps.release-tag-check.outputs.is-pre-release }}
       ccip-image-tag: ${{ steps.compute-ccip-tag.outputs.ccip-image-tag }}
+      prerelease-phase: ${{ steps.detect-prerelease-phase.outputs.prerelease-phase }}
+      is-hotfix: ${{ steps.detect-hotfix.outputs.is-hotfix }}
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
         with:
           persist-credentials: false
+
       - name: Check release tag
         id: release-tag-check
         uses: smartcontractkit/.github/actions/release-tag-check@c5c4a8186da4218cff6cac8184e47dd3dec69ba3 # release-tag-check@0.1.0
+
       - name: Compute CCIP image tag
         id: compute-ccip-tag
         shell: bash
@@ -38,6 +41,47 @@ jobs:
           tag_without_v="${GIT_TAG#v}"
           ccip_tag=$(echo "$tag_without_v" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+)-(.*)$/\1-ccip-\2/')
           echo "ccip-image-tag=$ccip_tag" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Detect prerelease phase
+        id: detect-prerelease-phase
+        if: ${{ steps.release-tag-check.outputs.is-pre-release == 'true' && (contains(github.ref_name, '-beta.') || contains(github.ref_name, '-rc.')) }}
+        shell: bash
+        env:
+          GIT_TAG: ${{ github.ref_name }}
+        run: |
+          phase=""
+
+          if [[ "$GIT_TAG" =~ -beta\.[0-9]+$ ]]; then
+            phase="beta"
+          elif [[ "$GIT_TAG" =~ -rc\.[0-9]+$ ]]; then
+            # Release candidates.
+            phase="rc"
+          else
+            echo "::error::Unable to determine prerelease phase from tag: $GIT_TAG"
+            exit 1
+          fi
+          echo "prerelease-phase=$phase" | tee -a "$GITHUB_OUTPUT"
+
+      - name: Detect hotfix release
+        id: detect-hotfix
+        shell: bash
+        env:
+          GIT_TAG: ${{ github.ref_name }}
+        run: |
+          # Extract patch version from tag (e.g., v2.33.1-beta.0 -> 1)
+          # Hotfix releases have non-zero patch versions
+          if [[ "$GIT_TAG" =~ ^v[0-9]+\.[0-9]+\.([0-9]+) ]]; then
+            patch_version="${BASH_REMATCH[1]}"
+            if [[ "$patch_version" -gt 0 ]]; then
+              echo "is-hotfix=true" | tee -a "$GITHUB_OUTPUT"
+            else
+              echo "is-hotfix=false" | tee -a "$GITHUB_OUTPUT"
+            fi
+          else
+            echo "is-hotfix=false" | tee -a "$GITHUB_OUTPUT"
+            echo "Unable to extract patch version, assuming not a hotfix"
+          fi
+
       - name: Check for VERSION file bump on tags
         if: ${{ github.repository == 'smartcontractkit/chainlink' }}
         uses: ./.github/actions/version-file-bump
@@ -66,6 +110,7 @@ jobs:
       docker-cache-behaviour: "disable"
       docker-manifest-sign: true
       docker-registry-url-override: public.ecr.aws/chainlink
+      github-runner-arm64: ${{ github.repository != 'smartcontractkit/chainlink' && 'ubuntu-24.04-4cores-16GB-ARM' || '' }}
       docker-image-tag-strip-prefix: v # strip out the "v" prefix from the git tag for the image tag.
       git-sha: ${{ github.sha }}
       github-event-name: ${{ github.event_name }}
@@ -103,6 +148,7 @@ jobs:
       docker-cache-behaviour: "disable"
       docker-manifest-sign: true
       docker-registry-url-override: public.ecr.aws/chainlink
+      github-runner-arm64: ${{ github.repository != 'smartcontractkit/chainlink' && 'ubuntu-24.04-4cores-16GB-ARM' || '' }}
       docker-image-tag-override: ${{ needs.checks.outputs.ccip-image-tag }}
       git-sha: ${{ github.sha }}
       github-event-name: ${{ github.event_name }}
@@ -115,6 +161,50 @@ jobs:
       AWS_ROLE_GATI_ARN: ${{ secrets.AWS_OIDC_CHAINLINK_READ_ONLY_TOKEN_ISSUER_ROLE_ARN }}
       AWS_LAMBDA_GATI_URL: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
 
+  deploy:
+    name: "Deploy"
+    needs: [checks, docker-ccip]
+    # We are only deploying CCIP pre-releases and skipping hotfix deployments for now.
+    if: needs.checks.outputs.is-pre-release == 'true' && needs.checks.outputs.is-hotfix == 'false'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Deploy CCIP Beta
+        if: needs.checks.outputs.prerelease-phase == 'beta'
+        uses: ./.github/actions/deploy-image
+        with:
+          aws-role-arn: ${{ secrets.AWS_RELENG_PROD_GATI_WORKFLOW_INVOKE_ARN }}
+          aws-lambda-url: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          repo-destination: ${{ secrets.REPO_K8S_DEPLOY }}
+          oci-image-tag: ${{ needs.docker-ccip.outputs.docker-manifest-tag }}
+          oci-repository-url: public.ecr.aws/chainlink/ccip
+          pr-close-enabled: false
+          pr-labels: preview-stage,force-preview
+          products: |
+            ccip-prereleases-staging
+
+      - name: Deploy CCIP RC
+        if: needs.checks.outputs.prerelease-phase == 'rc'
+        uses: ./.github/actions/deploy-image
+        with:
+          aws-role-arn: ${{ secrets.AWS_RELENG_PROD_GATI_WORKFLOW_INVOKE_ARN }}
+          aws-lambda-url: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          repo-destination: ${{ secrets.REPO_K8S_DEPLOY }}
+          oci-image-tag: ${{ needs.docker-ccip.outputs.docker-manifest-tag }}
+          oci-repository-url: public.ecr.aws/chainlink/ccip
+          pr-close-enabled: false
+          pr-labels: preview-stage,force-preview
+          products: |
+            ccip-prereleases-prod-testnet
+
   # Notify Slack channel for new git tags associated with pre-releases.
   # Final release notifications originate from the release coordinator repo.
   slack-notify-core:

core/capabilities/fakes/confidential_http_action.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"strings"
@@ -50,110 +51,93 @@ func NewDirectConfidentialHTTPAction(lggr logger.Logger) *DirectConfidentialHTTP
 	return fc
 }
 
-func (fh *DirectConfidentialHTTPAction) SendRequests(ctx context.Context, metadata commonCap.RequestMetadata, input *confidentialhttp.EnclaveActionInput) (*commonCap.ResponseAndMetadata[*confidentialhttp.HTTPEnclaveResponseData], caperrors.Error) {
-	fh.eng.Infow("Confidential HTTP Action SendRequests Started", "input", input, "secretsCount", len(input.GetVaultDonSecrets()))
+func (fh *DirectConfidentialHTTPAction) SendRequest(ctx context.Context, metadata commonCap.RequestMetadata, input *confidentialhttp.ConfidentialHTTPRequest) (*commonCap.ResponseAndMetadata[*confidentialhttp.HTTPResponse], caperrors.Error) {
+	fh.eng.Infow("Confidential HTTP Action SendRequest Started", "input", input, "secretsCount", len(input.GetVaultDonSecrets()))
 
 	// Warn if secrets are provided - this fake does not handle secret resolution
 	if len(input.GetVaultDonSecrets()) > 0 {
 		fh.eng.Warnw("This fake does not handle secrets - VaultDonSecrets will be ignored. Template variables like {{.secretName}} will not be resolved.", "secretsCount", len(input.GetVaultDonSecrets()))
 	}
 
-	if input.GetInput() == nil {
-		return nil, caperrors.NewPublicUserError(errors.New("input cannot be nil"), caperrors.InvalidArgument)
+	req := input.GetRequest()
+	if req == nil {
+		return nil, caperrors.NewPublicUserError(errors.New("request cannot be nil"), caperrors.InvalidArgument)
 	}
 
-	requests := input.GetInput().GetRequests()
-	if len(requests) == 0 {
-		return nil, caperrors.NewPublicUserError(errors.New("no requests provided"), caperrors.InvalidArgument)
-	}
-
-	// Process each request
-	responses := make([]*confidentialhttp.ResponseTemplate, 0, len(requests))
-
-	for i, req := range requests {
-		fh.eng.Infow("Processing confidential HTTP request", "index", i, "url", req.GetUrl(), "method", req.GetMethod())
+	fh.eng.Infow("Processing confidential HTTP request", "url", req.GetUrl(), "method", req.GetMethod())
 
-		// Create HTTP client with timeout (default 30 seconds)
-		timeout := time.Duration(30) * time.Second
-		client := &http.Client{
-			Timeout: timeout,
-		}
+	// Create HTTP client with timeout (default 30 seconds)
+	timeout := time.Duration(30) * time.Second
+	client := &http.Client{
+		Timeout: timeout,
+	}
 
-		// Validate HTTP method
-		method := strings.TrimSpace(req.GetMethod())
-		if method == "" {
-			return nil, caperrors.NewPublicUserError(errors.New("http method cannot be empty"), caperrors.InvalidArgument)
-		}
-		method = strings.ToUpper(method)
+	// Validate HTTP method
+	method := strings.TrimSpace(req.GetMethod())
+	if method == "" {
+		return nil, caperrors.NewPublicUserError(errors.New("http method cannot be empty"), caperrors.InvalidArgument)
+	}
+	method = strings.ToUpper(method)
+
+	// Create request body
+	var body io.Reader
+	if bodyStr := req.GetBodyString(); bodyStr != "" {
+		body = bytes.NewReader([]byte(bodyStr))
+	} else if bodyBytes := req.GetBodyBytes(); len(bodyBytes) > 0 {
+		body = bytes.NewReader(bodyBytes)
+	}
 
-		// Create request body
-		var body io.Reader
-		if len(req.GetBody()) > 0 {
-			body = bytes.NewReader([]byte(req.GetBody()))
-		}
+	// Create the HTTP request
+	httpReq, err := http.NewRequestWithContext(ctx, method, req.GetUrl(), body)
+	if err != nil {
+		fh.eng.Errorw("Failed to create HTTP request", "error", err)
+		return nil, caperrors.NewPublicUserError(fmt.Errorf("failed to create HTTP request: %w", err), caperrors.InvalidArgument)
+	}
 
-		// Create the HTTP request
-		httpReq, err := http.NewRequestWithContext(ctx, method, req.GetUrl(), body)
-		if err != nil {
-			fh.eng.Errorw("Failed to create HTTP request", "error", err, "index", i)
-			responses = append(responses, &confidentialhttp.ResponseTemplate{
-				StatusCode: 0,
-				Body:       []byte(err.Error()),
-			})
-			continue
-		}
+	// Add headers
+	for name, value := range req.GetHeaders() {
+		httpReq.Header.Set(name, value)
+	}
 
-		// Add headers
-		for _, header := range req.GetHeaders() {
-			parts := strings.SplitN(header, ":", 2)
-			if len(parts) == 2 {
-				httpReq.Header.Set(strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1]))
-			}
-		}
+	// Make the HTTP request
+	resp, err := client.Do(httpReq)
+	if err != nil {
+		fh.eng.Errorw("Failed to execute confidential HTTP request", "error", err)
+		return nil, caperrors.NewPublicUserError(fmt.Errorf("failed to execute HTTP request: %w", err), caperrors.InvalidArgument)
+	}
+	defer resp.Body.Close()
 
-		// Make the HTTP request
-		resp, err := client.Do(httpReq)
-		if err != nil {
-			fh.eng.Errorw("Failed to execute confidential HTTP request", "error", err, "index", i)
-			responses = append(responses, &confidentialhttp.ResponseTemplate{
-				StatusCode: 0,
-				Body:       []byte(err.Error()),
-			})
-			continue
-		}
+	// Read response body
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		fh.eng.Errorw("Failed to read response body", "error", err)
+		return nil, caperrors.NewPublicUserError(fmt.Errorf("failed to read response body: %w", err), caperrors.InvalidArgument)
+	}
 
-		// Read response body
-		respBody, err := io.ReadAll(resp.Body)
-		resp.Body.Close()
-		if err != nil {
-			fh.eng.Errorw("Failed to read response body", "error", err, "index", i)
-			responses = append(responses, &confidentialhttp.ResponseTemplate{
-				StatusCode: int64(resp.StatusCode),
-				Body:       []byte(err.Error()),
+	// Convert response headers to []*Header
+	var responseHeaders []*confidentialhttp.Header
+	for name, values := range resp.Header {
+		for _, value := range values {
+			responseHeaders = append(responseHeaders, &confidentialhttp.Header{
+				Name:  name,
+				Value: value,
 			})
-			continue
-		}
-
-		// Create response template
-		response := &confidentialhttp.ResponseTemplate{
-			StatusCode: int64(resp.StatusCode),
-			Body:       respBody,
 		}
-		responses = append(responses, response)
-		fh.eng.Infow("Confidential HTTP request finished", "index", i, "status", resp.StatusCode, "url", req.GetUrl())
 	}
 
-	// Create response data
-	responseData := &confidentialhttp.HTTPEnclaveResponseData{
-		Responses: responses,
+	// Create response
+	response := &confidentialhttp.HTTPResponse{
+		StatusCode: uint32(resp.StatusCode), //nolint:gosec // HTTP status codes are always positive (100-599)
+		Body:       respBody,
+		Headers:    responseHeaders,
 	}
 
-	responseAndMetadata := commonCap.ResponseAndMetadata[*confidentialhttp.HTTPEnclaveResponseData]{
-		Response:         responseData,
+	responseAndMetadata := commonCap.ResponseAndMetadata[*confidentialhttp.HTTPResponse]{
+		Response:         response,
 		ResponseMetadata: commonCap.ResponseMetadata{},
 	}
 
-	fh.eng.Infow("Confidential HTTP Action Finished", "requestCount", len(requests), "responseCount", len(responses))
+	fh.eng.Infow("Confidential HTTP Action Finished", "status", resp.StatusCode, "url", req.GetUrl())
 	return &responseAndMetadata, nil
 }
 

core/cmd/shell_local.go

@@ -38,6 +38,7 @@ import (
 
 	"github.com/smartcontractkit/chainlink/v2/core/build"
 	"github.com/smartcontractkit/chainlink/v2/core/logger"
+	beholderServices "github.com/smartcontractkit/chainlink/v2/core/services/beholder"
 	"github.com/smartcontractkit/chainlink/v2/core/services/keystore"
 	"github.com/smartcontractkit/chainlink/v2/core/services/keystore/chaintype"
 	"github.com/smartcontractkit/chainlink/v2/core/services/pg"
@@ -322,6 +323,12 @@ func (s *Shell) runNode(c *cli.Context) error {
 	lggr := logger.Sugared(s.Logger.Named("RunNode"))
 	lggr.Infow("configuration args", "config files", s.configFiles, "secret files", s.secretsFiles)
 
+	beholderConfigRecorder := beholderServices.NewConfigRecorder(lggr, 1*time.Hour)
+	if err := beholderConfigRecorder.Start(ctx); err != nil {
+		return fmt.Errorf("failed to start beholder config recorder service: %w", err)
+	}
+	defer beholderConfigRecorder.Close()
+
 	s.Config.LogConfiguration(lggr.Debugf, lggr.Warnf)
 
 	if err := s.Config.Validate(); err != nil {

core/scripts/cre/environment/README.md

@@ -167,9 +167,13 @@ Refer to [this document](https://docs.google.com/document/d/1HtVLv2ipx2jvU15WYOi
 Environment can be setup by running `go run . env setup` inside `core/scripts/cre/environment` folder. Its configuration is defined in [configs/setup.toml](configs/setup.toml) file. It will make sure that:
 - you have AWS CLI installed and configured
 - you have GH CLI installed and authenticated
-- you have required Job Distributor and Chip Ingress (Beholder) images
+- you have required Job Distributor, Chip Ingress, and Chip Config images
 - install and copy all capability binaries to expected location
 
+**Image Versioning:**
+
+Docker images for Beholder services (chip-ingress, chip-config) use commit-based tags instead of mutable tags like `local-cre`. This ensures you always know which version is running and prevents hard-to-debug issues from version mismatches. The exact versions are defined in [configs/setup.toml](configs/setup.toml).
+
 Capability installation is two fold. Private and local plugins are compiled locally and then copied to the running Docker container. Public plugins are installed, when the Docker image is built. The reason is that capability developers need a way to quickly test capabilities they are working on, without having to push the code to remote repository, so that it could be installed in the Docker image (and that's because local capability code is usually located outside Docker build context and thus unavailable).
 
 Private capabilities are defined in [plugins.private.yaml](../../../../plugins/plugins.private.yaml) file, public in [plugins.public.yaml](../../../../plugins/plugins.public.yaml). Local ones include:
@@ -238,12 +242,28 @@ Once up and running you will be able to access [CRE topic view](http://localhost
 #### Filtering out heartbeats
 Heartbeat messages spam the topic, so it's highly recommended that you add a JavaScript filter that will exclude them using the following code: `return value.msg !== 'heartbeat';`.
 
-If environment is aready running you can start just the Beholder stack (and register protos) with:
+If environment is already running you can start just the Beholder stack (and register protos) with:
 ```bash
 go run . env beholder start
 ```
 
-> This assumes you have `chip-ingress:bbac3c825b061546980fa9d7dc0f3e8c34347bcf` Docker image on your local machine. Without it Beholder won't be able to start. If you do not, close the [Atlas](https://github.com/smartcontractkit/atlas) repository, and then in `atlas/chip-ingress` run `docker build -t chip-ingress:bbac3c825b061546980fa9d7dc0f3e8c34347bcf .`
+**Image Requirements:**
+
+Beholder requires `chip-ingress` and `chip-config` Docker images with specific versions defined in [configs/setup.toml](configs/setup.toml). The image tags use commit hashes for version tracking (e.g., `chip-ingress:da84cb72d3a160e02896247d46ab4b9806ebee2f`).
+
+When starting Beholder, the system will:
+- **In CI (`CI=true`)**: Skip image checks (docker-compose will pull at runtime)
+- **Interactive terminal**: Auto-build missing images from sources. If build fails and `AWS_ECR` is set, you'll be offered to pull from ECR instead
+- **Non-interactive (tests, scripts)**: Auto-pull from ECR if `AWS_ECR` is set, otherwise fail with instructions
+
+To manually ensure images are available, run:
+```bash
+# Build from sources
+go run . env setup
+
+# Or pull from ECR (requires AWS SSO access)
+AWS_ECR=<account-id>.dkr.ecr.us-west-2.amazonaws.com go run . env setup
+```
 
 ### Storage