From 1dd3e7bd7fae7bb64ddf9845615efea91d45e740 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 10:19:05 -0500
Subject: [PATCH 01/11] give tests permission to write checks/status and put
 reports on pr

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  | 4 ++++
 .github/workflows/integration-tests.yml | 4 ++++
 .github/workflows/reference-tests.yml   | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index b94218e6087..bfcc6c125b0 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -8,6 +8,10 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 16
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   shouldRun:
     name: checks to ensure we should run
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 68115ea40bf..cd4755b0424 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -8,6 +8,10 @@ on:
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   shouldRun:
     name: checks to ensure we should run
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 1f2cac7b159..4a49a4de088 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -9,6 +9,10 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 6
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   shouldRun:
     name: checks to ensure we should run

From 612653cd0b0abb2a2bec1483b3aefcecc06bff2e Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 10:45:12 -0500
Subject: [PATCH 02/11] moving perms to workflow level did not help

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  | 4 ----
 .github/workflows/integration-tests.yml | 4 ----
 .github/workflows/reference-tests.yml   | 4 ----
 3 files changed, 12 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index bfcc6c125b0..b94218e6087 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -8,10 +8,6 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 16
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   shouldRun:
     name: checks to ensure we should run
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index cd4755b0424..68115ea40bf 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -8,10 +8,6 @@ on:
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   shouldRun:
     name: checks to ensure we should run
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 4a49a4de088..1f2cac7b159 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -9,10 +9,6 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 6
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   shouldRun:
     name: checks to ensure we should run

From c2e7a078319c414919b9ee0046db275e43c4cca3 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:25:36 -0500
Subject: [PATCH 03/11] intentional acceptance test failure

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index efc02f73d44..eb1cfc0c33b 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 9732c26e655fb68519142c2bac323cb491a67d9d Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:42:16 -0500
Subject: [PATCH 04/11] explicitly allow mikepenz/action-junit-report@v4
 actions

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index eb1cfc0c33b..e43d454a175 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
+    //TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From efd2132acee287939eaf4c9a7283398d06c120e1 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:49:30 -0500
Subject: [PATCH 05/11] pendantic spotless

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index e43d454a175..fcbf5df9c7d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    //TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 4d1084ed0c07b567cb51dc9be3d81ee2cb60f6be Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 12:40:21 -0500
Subject: [PATCH 06/11] updated actions allowed

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index fcbf5df9c7d..212e852b80d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO ASAP!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 09b33bd5157e37a6e6b8d8b6fc10629cba2ce281 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 12:58:47 -0500
Subject: [PATCH 07/11] updated actions allowed

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index 212e852b80d..fcbf5df9c7d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO ASAP!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From e9ccd074b391c2056f366861adcd52795cb9f46c Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 13:11:29 -0500
Subject: [PATCH 08/11] undid intentional acc test fail

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../eth/ExpectSuccessfulEthGetTransactionReceipt.java          | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index fcbf5df9c7d..efc02f73d44 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
   }
 }

From 7a63ea0f54b66ff7f0cc3a2ec8e4640bf9e94899 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 13:33:18 -0500
Subject: [PATCH 09/11] intentional acceptance test failure

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index efc02f73d44..eb1cfc0c33b 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 61bbe369b0aa223d8cc65a930e2b3c14f5799ba0 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 15:58:35 -0500
Subject: [PATCH 10/11] uprev artifact download

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 2 +-
 .github/workflows/reference-tests.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index b94218e6087..f3efe853bc5 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -66,7 +66,7 @@ jobs:
           distribution: temurin
           java-version: 17
       - name: get acceptance test report
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@v3
         with:
           branch: main
           name_is_regexp: true
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 1f2cac7b159..55710028916 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -103,7 +103,7 @@ jobs:
           name: 'reference-tests'
           path: 'ethereum/referencetests/build/generated/sources/reference-test/'
       - name: get reference test report
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@v3
         with:
           branch: main
           name_is_regexp: true

From 339ca7666cc337731a2b93456a041418d3adaa0d Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Thu, 1 Feb 2024 10:18:01 -0500
Subject: [PATCH 11/11] new permission approach

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index f3efe853bc5..80dd2415b9e 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -1,6 +1,8 @@
 name: acceptance-tests
 on:
-  pull_request:
+  pull_request_target:
+    branches:
+      - main
   pull_request_review:
     types: [submitted]
 
@@ -9,8 +11,17 @@ env:
   total-runners: 16
 
 jobs:
+  authorize:
+    environment:
+      ${{ github.event_name == 'pull_request_target' &&
+      github.event.pull_request.head.repo.full_name != github.repository &&
+      'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
   shouldRun:
     name: checks to ensure we should run
+    needs: authorize
     # necessary because there is no single PR approved event, need to check all comments/approvals/denials
     runs-on: ubuntu-22.04
     outputs:
@@ -60,6 +71,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4.1.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
         uses: actions/setup-java@v4.0.0
         with: