Fix bugs found in semgrep issue fixes

.github/workflows/codeql-analysis.yml

@@ -56,7 +56,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v3
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -67,7 +67,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v3
+        uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -81,4 +81,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v3
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v3

.github/workflows/deploy_node.yml

@@ -4,13 +4,20 @@ on:
     inputs:
       network:
         required: true
-        type: string
+        type: choice
         description: "Waves network name (mainnet, testnet, stagenet)"
+        options:
+          - mainnet
+          - testnet
+          - stagenet
       arch:
         required: true
-        type: string
+        type: choice
         description: "Machine architecture (amd64, arm64)"
         default: "amd64"
+        options:
+          - amd64
+          - arm64
   workflow_call:
     inputs:
       network:

.github/workflows/deploy_nodes.yml

@@ -7,9 +7,12 @@ on:
     inputs:
       arch:
         required: true
-        type: string
+        type: choice
         description: "Machine architecture (amd64, arm64)"
         default: "amd64"
+        options:
+          - amd64
+          - arm64
 
 jobs:
   deploy:
@@ -19,7 +22,11 @@ jobs:
         network: [ stagenet, testnet, mainnet ]
         arch: [ "${{ inputs.arch }}" ]
     uses: "./.github/workflows/deploy_node.yml"
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      DEPLOYMENT_SERVER: ${{ secrets.DEPLOYMENT_SERVER }}
+      DEPLOYMENT_PORT: ${{ secrets.DEPLOYMENT_PORT }}
+      DEPLOYMENT_USER: ${{ secrets.DEPLOYMENT_USER }}
     with:
       network: ${{ matrix.network }}
       arch: ${{ matrix.arch }}

.github/workflows/go.yml

@@ -73,7 +73,9 @@ jobs:
           cache: true
 
       - name: Set up GolangCI-Lint
-        run: curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $HOME/bin latest
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v8
+        with:
+          version: latest
 
       - name: Get dependencies
         run: go mod vendor

.github/workflows/security.yml

@@ -32,7 +32,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Run gosec security scanner
-        uses: securego/gosec@223e19b8856e00f02cc67804499a83f77e208f3c # v2.25.0
+        uses: securego/gosec@4a3bd8af174872c778439083ded7adbf3747e770 # v2.26.1
         with:
           # with '-no-fail' we let the report trigger content trigger a failure using the GitHub Security features.
           args: "-no-fail -fmt sarif -out gosec.sarif ./..."
@@ -50,7 +50,7 @@ jobs:
           jq empty gosec_fixed.sarif
           mv gosec_fixed.sarif gosec.sarif
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v3
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v3
         with:
           sarif_file: gosec.sarif
 
@@ -88,7 +88,7 @@ jobs:
               fi
           EOF
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v3
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v3
         with:
           sarif_file: semgrep.sarif
 

.golangci-strict.yml

@@ -25,7 +25,7 @@ linters:
     - gocyclo
     - godot
     - gomoddirectives
-    - gomodguard
+    - gomodguard_v2
     - goprintffuncname
     - gosec
     - govet
@@ -106,21 +106,20 @@ linters:
           paramsOnly: false
         underef:
           skipRecvDeref: false
-    gomodguard:
+    gomodguard_v2:
       blocked:
-        modules:
-          - github.com/golang/protobuf:
-              recommendations:
-                - google.golang.org/protobuf
-              reason: see https://developers.google.com/protocol-buffers/docs/reference/go/faq#modules
-          - github.com/satori/go.uuid:
-              recommendations:
-                - github.com/google/uuid
-              reason: satori's package is not maintained
-          - github.com/gofrs/uuid:
-              recommendations:
-                - github.com/google/uuid
-              reason: gofrs' package is not go module
+        - module: github.com/golang/protobuf
+          recommendations:
+            - google.golang.org/protobuf
+          reason: see https://developers.google.com/protocol-buffers/docs/reference/go/faq#modules
+        - module: github.com/satori/go.uuid
+          recommendations:
+            - github.com/google/uuid
+          reason: satori's package is not maintained
+        - module: github.com/gofrs/uuid
+          recommendations:
+            - github.com/google/uuid
+          reason: gofrs' package is not go module
     govet:
       disable:
         - fieldalignment

.golangci.yml

@@ -29,21 +29,20 @@ linters:
         - ^golang.org/x/tools/go/analysis.Analyzer$
         - ^google.golang.org/protobuf/.+Options$
         - ^gopkg.in/yaml.v3.Node$
-    gomodguard:
+    gomodguard_v2:
       blocked:
-        modules:
-          - github.com/golang/protobuf:
-              recommendations:
-                - google.golang.org/protobuf
-              reason: see https://developers.google.com/protocol-buffers/docs/reference/go/faq#modules
-          - github.com/satori/go.uuid:
-              recommendations:
-                - github.com/google/uuid
-              reason: satori's package is not maintained
-          - github.com/gofrs/uuid:
-              recommendations:
-                - github.com/google/uuid
-              reason: gofrs' package is not go module
+        - module: github.com/golang/protobuf
+          recommendations:
+            - google.golang.org/protobuf
+          reason: see https://developers.google.com/protocol-buffers/docs/reference/go/faq#modules
+        - module: github.com/satori/go.uuid
+          recommendations:
+            - github.com/google/uuid
+          reason: satori's package is not maintained
+        - module: github.com/gofrs/uuid
+          recommendations:
+            - github.com/google/uuid
+          reason: gofrs' package is not go module
     govet:
       disable:
         - fieldalignment

cmd/chaincmp/chaincmp.go

@@ -11,6 +11,7 @@ import (
 	"os/signal"
 	"slices"
 	"strings"
+	"syscall"
 	"time"
 
 	flag "github.com/spf13/pflag"
@@ -109,7 +110,7 @@ func run() error {
 	urls := append([]string{node}, other...)
 	slog.Debug("Requesting height from nodes", "count", len(urls))
 
-	ctx, done := signal.NotifyContext(context.Background(), os.Interrupt)
+	ctx, done := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer done()
 
 	clients := make([]*client.Client, len(urls))
@@ -224,6 +225,9 @@ func findLastCommonHeight(ctx context.Context, clients []*client.Client, start,
 				return 0, fmt.Errorf("failed to get blocks signatures at height %d: %w", middle, err)
 			}
 			if c >= 2 {
+				if middle == 0 {
+					return 0, errors.New("no common height found")
+				}
 				stop = middle - 1
 				r = stop
 			} else {

cmd/node/node.go

@@ -545,6 +545,7 @@ func blockchainSettings(nc *config) (_ *settings.BlockchainSettings, retErr erro
 		return nil, errors.Wrap(err, "failed to open configuration file")
 	}
 	defer func() {
+		// nosemgrep: semgrep.rules.if-incorrect-nil-err-return, semgrep.rules.if-inplace-func-incorrect-nil-err-return
 		if clErr := f.Close(); clErr != nil {
 			retErr = stderrs.Join(retErr, errors.Wrap(clErr, "failed to close configuration file"))
 		}