Merge pull request #35 from piplabs/hans/port-private-to-public

feat(release): port private fork changes

Author: 0xHansLee

.github/workflows/changelog-reminder.yml

@@ -4,16 +4,22 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
     paths: ["**/*.go"]
+
 permissions:
   pull-requests: write
+
 jobs:
   remind:
     name: Changelog Reminder
     runs-on: ubuntu-latest
     # Skip draft PRs and PRs starting with: revert, test, chore, ci, docs, style, build, refactor
     if: "!github.event.pull_request.draft && !contains(github.event.pull_request.title, 'revert') && !contains(github.event.pull_request.title, 'test') && !contains(github.event.pull_request.title, 'chore') && !contains(github.event.pull_request.title, 'ci') && !contains(github.event.pull_request.title, 'docs') && !contains(github.event.pull_request.title, 'style') && !contains(github.event.pull_request.title, 'build') && !contains(github.event.pull_request.title, 'refactor')"
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 1
+
       - uses: mskelton/changelog-reminder-action@v3
         with:
           message: "@${{ github.actor }} your pull request is missing a changelog!"

README.md

@@ -2,7 +2,7 @@
   <h1> Cosmos SDK </h1>
 </div>
 
-![banner](docs/static/img/banner.jpg)
+![banner](https://github.com/cosmos/cosmos-sdk-docs/blob/main/static/img/banner.jpg)
 
 <div align="center">
   <a href="https://github.com/cosmos/cosmos-sdk/blob/main/LICENSE">
@@ -22,25 +22,25 @@
   </a>
 </div>
 <div align="center">
-  <a href="https://discord.gg/AzefAFd">
+  <a href="https://discord.gg/interchain">
     <img alt="Discord" src="https://img.shields.io/discord/669268347736686612.svg" />
   </a>
   <a href="https://sourcegraph.com/github.com/cosmos/cosmos-sdk?badge">
     <img alt="Imported by" src="https://sourcegraph.com/github.com/cosmos/cosmos-sdk/-/badge.svg" />
   </a>
     <img alt="Sims" src="https://github.com/cosmos/cosmos-sdk/workflows/Sims/badge.svg" />
-    <img alt="Lint Satus" src="https://github.com/cosmos/cosmos-sdk/workflows/Lint/badge.svg" />
+    <img alt="Lint Status" src="https://github.com/cosmos/cosmos-sdk/workflows/Lint/badge.svg" />
 </div>
 
 The Cosmos SDK is a framework for building blockchain applications. [CometBFT (BFT Consensus)](https://github.com/cometbft/cometbft) and the Cosmos SDK are written in the Go programming language. Cosmos SDK is used to build [Gaia](https://github.com/cosmos/gaia), the implementation of the Cosmos Hub.
 
 **WARNING**: The Cosmos SDK has mostly stabilized, but we are still making some breaking changes.
 
-**Note**: We advise to always use the latest maintained [Go](https://go.dev/dl) version for building Cosmos SDK applications.
+**Note**: Always use the latest maintained [Go](https://go.dev/dl) version for building Cosmos SDK applications.
 
 ## Quick Start
 
-To learn how the Cosmos SDK works from a high-level perspective, see the Cosmos SDK [High-Level Intro](https://docs.cosmos.network/main/intro/overview.html).
+To learn how the Cosmos SDK works from a high-level perspective, see the Cosmos SDK [High-Level Intro](https://docs.cosmos.network/v0.50/learn/intro/overview).
 
 If you want to get started quickly and learn how to build on top of Cosmos SDK, visit [Cosmos SDK Tutorials](https://tutorials.cosmos.network). You can also fork the tutorial's repository to get started building your own Cosmos SDK application.
 
@@ -49,21 +49,63 @@ For more information, see the [Cosmos SDK Documentation](https://docs.cosmos.net
 ## Contributing
 
 See [CONTRIBUTING.md](./CONTRIBUTING.md) for details on how to contribute and participate in our [dev calls](./CONTRIBUTING.md#teams-dev-calls).
-If you want to follow the updates or learn more about the latest design then join our [Discord](https://discord.com/invite/cosmosnetwork).
+If you want to follow the updates or learn more about the latest design then join our [Discord](https://discord.gg/interchain).
 
 ## Tools and Frameworks
 
 The Cosmos ecosystem is vast.
 [Awesome Cosmos](https://github.com/cosmos/awesome-cosmos) is a community-curated list of notable frameworks, modules and tools.
 
-### Cosmos Hub Mainnet
-
-The Cosmos Hub application, `gaia`, has its own [cosmos/gaia repository](https://github.com/cosmos/gaia). Go there to join the Cosmos Hub mainnet and more.
-
 ### Inter-Blockchain Communication (IBC)
 
 The IBC module for the Cosmos SDK has its own [cosmos/ibc-go repository](https://github.com/cosmos/ibc-go). Go there to build and integrate with the IBC module.
 
+### Version Matrix
+
+The version matrix below shows which versions of the Cosmos SDK, modules and libraries are compatible with each other.
+
+#### Core Dependencies
+
+Core dependencies are the core libraries that an application may depend on.
+Core dependencies not mentioned here as compatible across all maintained SDK versions.
+
+| Cosmos SDK | cosmossdk.io/core | cosmossdk.io/api | cosmossdk.io/x/tx |
+| ---------- | ----------------- | ---------------- | ----------------- |
+| 0.52.z     | 1.y.z             | 0.8.z            | 0.14.z            |
+| 0.50.z     | 0.11.z            | 0.7.z            | 0.13.z            |
+| 0.47.z     | 0.5.z             | 0.3.z            | N/A               |
+
+#### Module Dependencies
+
+Module Dependencies are the modules that an application may depend on and which version of the Cosmos SDK they are compatible with.
+
+> Note: The version table only goes back to 0.50.x, as modules started to become modular with 0.50.z.
+> X signals that the module was not spun out into its own go.mod file.
+> N/A signals that the module was not available in the Cosmos SDK at that time.
+
+| Cosmos SDK                  | 0.50.z | 0.52.z |
+| --------------------------- | ------ | ------ |
+| cosmossdk.io/x/accounts     | N/A    | 0.2.z  |
+| cosmossdk.io/x/bank         | X      | 0.2.z  |
+| cosmossdk.io/x/circuit      | 0.1.z  | 0.2.z  |
+| cosmossdk.io/x/consensus    | X      | 0.2.z  |
+| cosmossdk.io/x/distribution | X      | 0.2.z  |
+| cosmossdk.io/x/epochs       | N/A    | 0.2.z  |
+| cosmossdk.io/x/evidence     | 0.1.z  | 0.2.z  |
+| cosmossdk.io/x/feegrant     | 0.1.z  | 0.2.z  |
+| cosmossdk.io/x/gov          | X      | 0.2.z  |
+| cosmossdk.io/x/group        | X      | 0.2.z  |
+| cosmossdk.io/x/mint         | X      | 0.2.z  |
+| cosmossdk.io/x/nft          | 0.1.z  | 0.2.z  |
+| cosmossdk.io/x/protocolpool | N/A    | 0.2.z  |
+| cosmossdk.io/x/slashing     | X      | 0.2.z  |
+| cosmossdk.io/x/staking      | X      | 0.2.z  |
+| cosmossdk.io/x/upgrade      | 0.1.z  | 0.2.z  |
+
 ## Disambiguation
 
-This Cosmos SDK project is not related to the [React-Cosmos](https://github.com/react-cosmos/react-cosmos) project (yet). Many thanks to Evan Coury and Ovidiu (@skidding) for this Github organization name. As per our agreement, this disambiguation notice will stay here.
+This Cosmos SDK project is not related to the [React-Cosmos](https://github.com/react-cosmos/react-cosmos) project (yet). Many thanks to Evan Coury and Ovidiu [(@skidding)](https://github.com/skidding) for this Github organization name. As per our agreement, this disambiguation notice will stay here.
+
+## Security
+
+We welcome responsible disclosure of vulnerabilities. Please see our [security policy](SECURITY.md) for more information.

SECURITY.md

@@ -1,79 +1,37 @@
-# Coordinated Vulnerability Disclosure Policy
+# Security Policy
 
-The Cosmos ecosystem believes that strong security is a blend of highly
-technical security researchers who care about security and the forward
-progression of the ecosystem and the attentiveness and openness of Cosmos core
-contributors to help continually secure our operations.
+The security of Story is critical. If you discover any security vulnerabilities, we appreciate your help in responsibly disclosing them to us.
 
-> **IMPORTANT**: *DO NOT* open public issues on this repository for security
-> vulnerabilities.
+## Reporting a Vulnerability
 
-## Scope
+**Please do not file a public ticket** mentioning the vulnerability.
 
-| Scope                 |
-|-----------------------|
-| last release (tagged) |
-| main branch           |
+We are in the process of setting up a bug bounty program. This document will be updated when ready, and the program will be announced on our channels.
 
-The latest **release tag** of this repository is supported for security updates
-as well as the **main** branch. Security vulnerabilities should be reported if
-the vulnerability can be reproduced on either one of those.
+We recommend to wait for the program to be ready for reporting, but if you find a vulnerability that will put the network at risk, please send an email to **[email protected]**. We kindly request that you provide us with the following details:
 
-## Reporting a Vulnerability
+- A clear description of the vulnerability and its potential impact.
+- Steps to reproduce the vulnerability.
+- Any additional information or proof of concept that can help us understand and address the issue.
+
+If applicable, rewards will be provided through the bug bounty program when ready.
+
+## Audit Reports, Known Issues and Ongoing Auditing Contest
+
+There is a series of known issues reported by our our multiple auditors. Please [review our audit reports](./audits/) to make sure you are not reporting a duplicate.
+
+Folders:
+
+- geth: audits of the original geth codebase
+- story: Story network audits (scope includes Story Geth, Story Consensus Client and Cosmos fork, please refer to the relevant issues for this repository)
+
+Story has undergone a public [audit competition by Cantina](https://cantina.xyz/competitions/0561defa-eeb2-4a74-8884-5d7a873afa58). We will publish the report as soon as the judging period is over.
+Please be advised that there is a high chance that your reported vulnerability can be a duplicate if you do it before we publish the report.
+
+## Responsible Disclosure
+
+We believe in responsible disclosure and request that you refrain from publicly disclosing any vulnerabilities until we have had sufficient time to investigate and address them. We appreciate your cooperation in helping us maintain the security and integrity of our blockchain network.
+
+## Disclaimer
 
-| Reporting methods                                             |
-|---------------------------------------------------------------|
-| [GitHub Private Vulnerability Reporting][gh-private-advisory] |
-| [HackerOne bug bounty program][h1]                            |
-
-All security vulnerabilities can be reported under GitHub's [Private
-vulnerability reporting][gh-private-advisory] system. This will open a private
-issue for the developers. Try to fill in as much of the questions as possible.
-If you are not familiar with the CVSS system for assessing vulnerabilities, just
-use the Low/High/Critical severity ratings. A partially filled in report for a
-critical vulnerability is still better than no report at all.
-
-Vulnerabilities associated with the **Go, Rust or Protobuf code** of the
-repository may be eligible for a [bug bounty][h1]. Please see the bug bounty
-page for more details on submissions and rewards. If you think the vulnerability
-is eligible for a payout, **report on HackerOne first**.
-
-Vulnerabilities in services and their source codes (JavaScript, web page, Google
-Workspace) are not in scope for the bug bounty program, but they are welcome to
-be reported in GitHub.
-
-### Guidelines
-
-We require that all researchers:
-
-* Abide by this policy to disclose vulnerabilities, and avoid posting
-  vulnerability information in public places, including GitHub, Discord,
-  Telegram, and Twitter.
-* Make every effort to avoid privacy violations, degradation of user experience,
-  disruption to production systems (including but not limited to the Cosmos
-  Hub), and destruction of data.
-* Keep any information about vulnerabilities that you’ve discovered confidential
-  between yourself and the Cosmos engineering team until the issue has been
-  resolved and disclosed.
-* Avoid posting personally identifiable information, privately or publicly.
-
-If you follow these guidelines when reporting an issue to us, we commit to:
-
-* Not pursue or support any legal action related to your research on this
-  vulnerability
-* Work with you to understand, resolve and ultimately disclose the issue in a
-  timely fashion
-
-### More information
-
-* See [TIMELINE.md] for an example timeline of a disclosure.
-* See [DISCLOSURE.md] to see more into the inner workings of the disclosure
-  process.
-* See [EXAMPLES.md] for some of the examples that we are interested in for the
-  bug bounty program.
-
-[gh-private-advisory]: /../../security/advisories/new
-[h1]: https://hackerone.com/cosmos
-[TIMELINE.md]: https://github.com/cosmos/security/blob/main/TIMELINE.md
-[DISCLOSURE.md]: https://github.com/cosmos/security/blob/main/DISCLOSURE.md
-[EXAMPLES.md]: https://github.com/cosmos/security/blob/main/EXAMPLES.md
+Please note that this document is subject to change and may be updated as our security practices evolve. We encourage you to check back regularly for any updates or changes.