Bump chainlink-protos/cre/go for ConfidentialWorkflow proto restructure#2080
Merged
Conversation
Bumps github.com/smartcontractkit/chainlink-protos/cre/go pseudo-version from v0.0.0-20260514104516-a827acdffe43 to v0.0.0-20260520181035-b5bb732eb9d7 (chainlink-protos cap-dev tip after #365 merged). The proto restructure (chainlink-protos#365): - binary_url moved from WorkflowExecution to ConfidentialWorkflowRequest (sibling of execution, outside ComputeRequest.PublicData hash envelope). - SecretIdentifier message and vault_don_secrets field removed; enclave fetches secrets dynamically at runtime and the host-side adapter already returns nil for vault_don_secrets. - WorkflowExecution fields renumbered cleanly with no reserved gap; org_id moves from field 7 to field 6. Regenerated pkg/capabilities/v2/actions/confidentialworkflow/client.pb.go. Also bumped the indirect pin in keystore/go.mod for consistency. No chainlink-common code consumers reference WorkflowExecution.BinaryUrl or VaultDonSecrets, so no other source changes needed. See PRIV-389.
|
👋 nadahalli, thanks for creating this pull request! To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team. Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks! |
|
📊 API Diff Results
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates github.com/smartcontractkit/chainlink-protos/cre/go to pick up the ConfidentialWorkflow proto restructure, and refreshes the generated Go bindings in chainlink-common accordingly. This aligns the client types with the upstream change that moves per-node binary_url out of the hashed WorkflowExecution envelope and removes the no-longer-used VaultDON secret identifier plumbing.
Changes:
- Bump
chainlink-protos/cre/gopseudo-version in the root module andkeystoresubmodule. - Regenerate
pkg/capabilities/v2/actions/confidentialworkflow/client.pb.goto reflect the upstream proto changes (movebinary_url, removevault_don_secrets/SecretIdentifier, renumberWorkflowExecutionfields).
Reviewed changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/capabilities/v2/actions/confidentialworkflow/client.pb.go | Regenerated protobuf bindings reflecting the ConfidentialWorkflow request/execution schema changes. |
| go.mod | Updates chainlink-protos/cre/go to the newer pseudo-version. |
| go.sum | Updates sums for the new chainlink-protos/cre/go version. |
| keystore/go.mod | Updates the keystore submodule’s indirect chainlink-protos/cre/go requirement. |
| keystore/go.sum | Adds sums for the new chainlink-protos/cre/go version in the keystore submodule. |
Files not reviewed (1)
- pkg/capabilities/v2/actions/confidentialworkflow/client.pb.go: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The keystore submodule was bumped via 'go get' but go.sum still carried the orphan old-pin entries (v0.0.0-20260420204255-a3f3bdd56877) for the chainlink-protos/cre/go indirect dependency. Running 'go mod tidy' from inside the keystore module removes them. Fixes check-tidy CI failure on this branch.
mchain0
approved these changes
May 22, 2026
pavel-raykov
approved these changes
May 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Breaking Changes
Are ok, because confidential-workflows is not in production yet. We are still working on it.
What
Bumps
github.com/smartcontractkit/chainlink-protos/cre/go:v0.0.0-20260514104516-a827acdffe43(prior cap-dev tip)v0.0.0-20260520181035-b5bb732eb9d7(cap-dev tip after Restructure ConfidentialWorkflow proto: move binary_url out of hash chainlink-protos#365)Picks up the ConfidentialWorkflow proto restructure:
binary_urlmoved fromWorkflowExecutiontoConfidentialWorkflowRequest(sibling ofexecution, outsideComputeRequest.PublicDatahash envelope). A per-node value cannot live inside that envelope without breaking F+1 quorum at the enclave.SecretIdentifiermessage andvault_don_secretsfield removed. Enclave fetches secrets dynamically at runtime; the host-side adapter already returns nil for this field.WorkflowExecutionfields renumbered cleanly with no reserved gap.org_idmoves from field 7 to field 6.The new
binary_urlfield onConfidentialWorkflowRequestcarries a load-bearing comment in the upstream proto explaining the design constraint and the hash-envelope invariant. Read that for full context.Scope
go.mod+go.sum: bumpedcre/gopseudo-version.keystore/go.mod+keystore/go.sum: same indirect bump.pkg/capabilities/v2/actions/confidentialworkflow/client.pb.go: regenerated.No source consumers in chainlink-common reference
WorkflowExecution.BinaryUrlorVaultDonSecrets, so no other code changes needed. Root and keystore builds pass.Follow-up PRs
confidential-compute: add per-node-data passthrough onSignedComputeRequest, framework executor seam, updateenclave/apps/confidential-workflows/app/app.goto read URL from per-node-data, updatecapability/action.goadapter, removevault_don_secretsvalidation, update tests and E2E.chainlink:core/services/workflows/v2/confidential_module.go:130populates newbinary_urlonConfidentialWorkflowRequestinstead ofWorkflowExecution.BinaryUrl.See PRIV-389 for background.