From d013447c39694e4ad24cb5363e2aff6d3f008ce9 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 10:19:05 -0500
Subject: [PATCH 01/48] give tests permission to write checks/status and put
 reports on pr

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  | 4 ++++
 .github/workflows/integration-tests.yml | 4 ++++
 .github/workflows/reference-tests.yml   | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index b94218e6087..bfcc6c125b0 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -8,6 +8,10 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 16
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   shouldRun:
     name: checks to ensure we should run
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 68115ea40bf..cd4755b0424 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -8,6 +8,10 @@ on:
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   shouldRun:
     name: checks to ensure we should run
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 1f2cac7b159..4a49a4de088 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -9,6 +9,10 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 6
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   shouldRun:
     name: checks to ensure we should run

From 7fd416fb58303c1ef11cbc83861944a8c58c14dd Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 10:45:12 -0500
Subject: [PATCH 02/48] moving perms to workflow level did not help

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  | 4 ----
 .github/workflows/integration-tests.yml | 4 ----
 .github/workflows/reference-tests.yml   | 4 ----
 3 files changed, 12 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index bfcc6c125b0..b94218e6087 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -8,10 +8,6 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 16
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   shouldRun:
     name: checks to ensure we should run
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index cd4755b0424..68115ea40bf 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -8,10 +8,6 @@ on:
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   shouldRun:
     name: checks to ensure we should run
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 4a49a4de088..1f2cac7b159 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -9,10 +9,6 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 6
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   shouldRun:
     name: checks to ensure we should run

From e2f762192ace02fd04016be37ffb60f289fe4203 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:25:36 -0500
Subject: [PATCH 03/48] intentional acceptance test failure

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index efc02f73d44..eb1cfc0c33b 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 014179230201930af55218c0c2f4c3005a77046a Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:42:16 -0500
Subject: [PATCH 04/48] explicitly allow mikepenz/action-junit-report@v4
 actions

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index eb1cfc0c33b..e43d454a175 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
+    //TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 9c63d0de755607014f8949c8d90993e0251005d4 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:49:30 -0500
Subject: [PATCH 05/48] pendantic spotless

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index e43d454a175..fcbf5df9c7d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    //TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 1ba970463665679e62e760eeaad2d1dbaf933865 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 12:40:21 -0500
Subject: [PATCH 06/48] updated actions allowed

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index fcbf5df9c7d..212e852b80d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO ASAP!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 76f167906554d0b68380143cb9b1512596ec0b70 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 12:58:47 -0500
Subject: [PATCH 07/48] updated actions allowed

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index 212e852b80d..fcbf5df9c7d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO ASAP!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 5f3fa724e89054273cbb8fef0f47703aec8f2564 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 13:11:29 -0500
Subject: [PATCH 08/48] undid intentional acc test fail

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../eth/ExpectSuccessfulEthGetTransactionReceipt.java          | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index fcbf5df9c7d..efc02f73d44 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
   }
 }

From 91345fe0408f621d841dc69386ddd084896365d5 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 13:33:18 -0500
Subject: [PATCH 09/48] intentional acceptance test failure

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index efc02f73d44..eb1cfc0c33b 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 36d3ae23a872113b58615508d9761a49e59cafde Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 15:58:35 -0500
Subject: [PATCH 10/48] uprev artifact download

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 2 +-
 .github/workflows/reference-tests.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index b94218e6087..f3efe853bc5 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -66,7 +66,7 @@ jobs:
           distribution: temurin
           java-version: 17
       - name: get acceptance test report
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@v3
         with:
           branch: main
           name_is_regexp: true
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 1f2cac7b159..55710028916 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -103,7 +103,7 @@ jobs:
           name: 'reference-tests'
           path: 'ethereum/referencetests/build/generated/sources/reference-test/'
       - name: get reference test report
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@v3
         with:
           branch: main
           name_is_regexp: true

From ec0775325c6214a5d5077c94057681f6e9e81e6c Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Thu, 1 Feb 2024 10:18:01 -0500
Subject: [PATCH 11/48] new permission approach

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index f3efe853bc5..80dd2415b9e 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -1,6 +1,8 @@
 name: acceptance-tests
 on:
-  pull_request:
+  pull_request_target:
+    branches:
+      - main
   pull_request_review:
     types: [submitted]
 
@@ -9,8 +11,17 @@ env:
   total-runners: 16
 
 jobs:
+  authorize:
+    environment:
+      ${{ github.event_name == 'pull_request_target' &&
+      github.event.pull_request.head.repo.full_name != github.repository &&
+      'external' || 'internal' }}
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
   shouldRun:
     name: checks to ensure we should run
+    needs: authorize
     # necessary because there is no single PR approved event, need to check all comments/approvals/denials
     runs-on: ubuntu-22.04
     outputs:
@@ -60,6 +71,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4.1.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
         uses: actions/setup-java@v4.0.0
         with:

From 49855b928f8a6bb4fbc77b37f5a4b4df7865e591 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Thu, 1 Feb 2024 11:18:17 -0500
Subject: [PATCH 12/48] no need for shouldRun job anymore

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 42 ++------------------------
 1 file changed, 2 insertions(+), 40 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 80dd2415b9e..03b2c9194f2 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -3,8 +3,6 @@ on:
   pull_request_target:
     branches:
       - main
-  pull_request_review:
-    types: [submitted]
 
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
@@ -19,47 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: true
-  shouldRun:
-    name: checks to ensure we should run
-    needs: authorize
-    # necessary because there is no single PR approved event, need to check all comments/approvals/denials
-    runs-on: ubuntu-22.04
-    outputs:
-      shouldRun: ${{steps.shouldRun.outputs.result}}
-    steps:
-      - name: required check
-        id: shouldRun
-        uses: actions/github-script@v7.0.1
-        env:
-          # fun fact, this changes based on incoming event, it will be different when we run this on pushes to main
-          RELEVANT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
-        with:
-          script: |
-            const { RELEVANT_SHA } = process.env;
-            const { data: { statuses } } = await github.rest.repos.getCombinedStatusForRef({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              ref: RELEVANT_SHA,
-            });
-            const acceptanceTested = statuses && statuses.filter(({ context }) => context === 'acceptance-tests');
-            const alreadyRun = acceptanceTested && acceptanceTested.find(({ state }) => state === 'success') > 0;
-            const { data: reviews } = await github.rest.pulls.listReviews({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.issue.number,
-            });
-            const approvingReviews = reviews && reviews.filter(review => review.state === 'APPROVED');
-            const shouldRun = !alreadyRun && github.actor != 'dependabot[bot]' &&  (approvingReviews.length > 0);
-            
-              console.log("tests should be run = %j", shouldRun);
-              console.log("alreadyRun = %j", alreadyRun);
-              console.log("approvingReviews = %j", approvingReviews.length);
-            
-            return shouldRun;
+        
   acceptanceTestEthereum:
     runs-on: ubuntu-22.04
     name: "Acceptance Runner"
-    needs: shouldRun
+    needs: authorize
     permissions:
       statuses: write
       checks: write

From 0190eb77803e7bc778bdca8637c1f9b1f8173b38 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Thu, 1 Feb 2024 11:56:52 -0500
Subject: [PATCH 13/48] no need for shouldRun job anymore

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 03b2c9194f2..b915f81e891 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: true
-        
+
   acceptanceTestEthereum:
     runs-on: ubuntu-22.04
     name: "Acceptance Runner"
@@ -25,7 +25,6 @@ jobs:
     permissions:
       statuses: write
       checks: write
-    if: ${{ needs.shouldRun.outputs.shouldRun == 'true'}}
     strategy:
       fail-fast: true
       matrix:

From d81c5ff248ef310cc8604cd9701dcd6544b9f9a0 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Thu, 1 Feb 2024 14:29:49 -0500
Subject: [PATCH 14/48] checks out pr head, pins un-verified actions

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  |  8 ++--
 .github/workflows/integration-tests.yml | 47 +++++---------------
 .github/workflows/pre-review.yml        | 27 ++++++++++--
 .github/workflows/reference-tests.yml   | 57 ++++---------------------
 4 files changed, 46 insertions(+), 93 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index b915f81e891..42a44842c7f 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -14,7 +14,7 @@ jobs:
       ${{ github.event_name == 'pull_request_target' &&
       github.event.pull_request.head.repo.full_name != github.repository &&
       'external' || 'internal' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - run: true
 
@@ -40,7 +40,7 @@ jobs:
           distribution: temurin
           java-version: 17
       - name: get acceptance test report
-        uses: dawidd6/action-download-artifact@v3
+        uses: docker/login-action@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d@v3
         with:
           branch: main
           name_is_regexp: true
@@ -51,7 +51,7 @@ jobs:
         uses: gradle/gradle-build-action@v2.12.0
       - name: Split tests
         id: split-tests
-        uses: r7kamura/split-tests-by-timings@v0
+        uses: r7kamura/split-tests-by-timings@9322bd292d9423e2bc5a65bec548901801341e3f
         with:
           reports: tmp/junit-xml-reports-downloaded
           glob: 'acceptance-tests/tests/src/test/java/org/hyperledger/besu/tests/acceptance/**/*Test.java'
@@ -73,7 +73,7 @@ jobs:
           name: acceptance-node-${{matrix.runner_index}}-test-results
           path: 'acceptance-tests/tests/build/test-results/acceptanceTest/TEST-*.xml'
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@v4
+        uses: mikepenz/action-junit-report@5f47764eec0e1c1f19f40c8e60a5ba47e47015c5
         if: (success() || failure()) # always run even if the build step fails
         with:
           report_paths: 'acceptance-tests/tests/build/test-results/acceptanceTest/TEST-*.xml'
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 68115ea40bf..4bf55d81d23 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -9,52 +9,25 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
 
 jobs:
-  shouldRun:
-    name: checks to ensure we should run
+  authorize:
+    environment:
+      ${{ github.event_name == 'pull_request_target' &&
+      github.event.pull_request.head.repo.full_name != github.repository &&
+      'external' || 'internal' }}
     runs-on: ubuntu-22.04
-    outputs:
-      shouldRun: ${{steps.shouldRun.outputs.result}}
     steps:
-      - name: required check
-        id: shouldRun
-        uses: actions/github-script@v7.0.1
-        env:
-          # fun fact, this changes based on incoming event, it will be different when we run this on pushes to main
-          RELEVANT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
-        with:
-          script: |
-            const { RELEVANT_SHA } = process.env;
-            const { data: { statuses } } = await github.rest.repos.getCombinedStatusForRef({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              ref: RELEVANT_SHA,
-            });
-            
-            const intTested = statuses && statuses.filter(({ context }) => context === 'integration-tests');
-            const alreadyRun = intTested && intTested.find(({ state }) => state === 'success') > 0;
-            const { data: reviews } = await github.rest.pulls.listReviews({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.issue.number,
-            });
-            const approvingReviews = reviews && reviews.filter(review => review.state === 'APPROVED');
-            const shouldRun = !alreadyRun && github.actor != 'dependabot[bot]' && (approvingReviews.length > 0);
-
-              console.log("tests should be run = %j", shouldRun);
-              console.log("alreadyRun = %j", alreadyRun);
-              console.log("approvingReviews = %j", approvingReviews.length);
-
-            return shouldRun;
+      - run: true
   integration-tests:
     runs-on: ubuntu-22.04
-    needs: shouldRun
-    if: ${{ needs.shouldRun.outputs.shouldRun == 'true' }}
+    needs: authorize
     permissions:
       statuses: write
       checks: write
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4.1.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
         uses: actions/setup-java@v4.0.0
         with:
@@ -65,7 +38,7 @@ jobs:
       - name: run integration tests
         run: ./gradlew integrationTest compileJmh -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@v4
+        uses: mikepenz/action-junit-report@5f47764eec0e1c1f19f40c8e60a5ba47e47015c5
         if: (success() || failure())
         with:
           report_paths: '**/build/test-results/integrationTest/TEST-*.xml'
diff --git a/.github/workflows/pre-review.yml b/.github/workflows/pre-review.yml
index 5abbcb6d0a3..74577114146 100644
--- a/.github/workflows/pre-review.yml
+++ b/.github/workflows/pre-review.yml
@@ -1,7 +1,9 @@
 name: pre-review
 
 on:
-  pull_request:
+  pull_request_target:
+    branches:
+      - main
   workflow_dispatch:
 
 permissions:
@@ -9,6 +11,15 @@ permissions:
   checks: write
 
 jobs:
+  authorize:
+    environment:
+      ${{ github.event_name == 'pull_request_target' &&
+      github.event.pull_request.head.repo.full_name != github.repository &&
+      'external' || 'internal' }}
+    runs-on: ubuntu-22.04
+    steps:
+      - run: true
+
   repolint:
     name: "Repository Linting"
     runs-on: ubuntu-22.04
@@ -16,6 +27,8 @@ jobs:
     steps:
     - name: Checkout Code
       uses: actions/checkout@v4.1.1
+      with:
+        ref: ${{ github.event.pull_request.head.sha || github.ref }}
     - name: Lint Repo
       run: bundle exec /app/bin/repolinter.js --rulesetUrl https://raw.githubusercontent.com/hyperledger-labs/hyperledger-community-management-tools/main/repo_structure/repolint.json --format markdown
   gradle-wrapper:
@@ -23,6 +36,8 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4.1.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - uses: gradle/wrapper-validation-action@v1.1.0
   spotless:
     runs-on: ubuntu-22.04
@@ -30,6 +45,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4.1.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
         uses: actions/setup-java@v4.0.0
         with:
@@ -46,6 +63,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4.1.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
         uses: actions/setup-java@v4.0.0
         with:
@@ -59,7 +78,7 @@ jobs:
     env:
         GRADLEW_UNIT_TEST_ARGS: ${{matrix.gradle_args}}
     runs-on: ubuntu-22.04
-    needs: [ compile ]
+    needs: [ compile, authorize ]
     permissions:
       checks: write
       statuses: write
@@ -76,6 +95,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4.1.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
         uses: actions/setup-java@v4.0.0
         with:
@@ -87,7 +108,7 @@ jobs:
         id: unitTest
         run: ./gradlew $GRADLEW_UNIT_TEST_ARGS -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@v4
+        uses: mikepenz/action-junit-report@5f47764eec0e1c1f19f40c8e60a5ba47e47015c5
         if: success() || failure() # always run even if the build step fails
         with:
           report_paths: '**/test-results/**/TEST-*.xml'
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 55710028916..21875f2c4ab 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -1,63 +1,22 @@
 name: reference-tests
 on:
-  pull_request:
-  pull_request_review:
-    types:
-      - submitted
+  pull_request_target:
+    branches:
+      - main
 
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 6
 
 jobs:
-  shouldRun:
-    name: checks to ensure we should run
-    # necessary because there is no single PR approved event, need to check all comments/approvals/denials
-    # might also be a job running, and additional approvals
-    runs-on: ubuntu-22.04
-    outputs:
-      shouldRun: ${{steps.shouldRun.outputs.result}}
-    steps:
-      - name: required check
-        id: shouldRun
-        uses: actions/github-script@v7.0.1
-        env:
-          # fun fact, this changes based on incoming event, it will be different when we run this on pushes to main
-          RELEVANT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
-        with:
-          script: |
-            const { RELEVANT_SHA } = process.env;
-            const { data: { statuses } } = await github.rest.repos.getCombinedStatusForRef({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              ref: RELEVANT_SHA,
-            });
-            
-            
-            const refTested = statuses && statuses.filter(({ context }) => context === 'reference-tests');
-            const alreadyRun = refTested && refTested.find(({ state }) => state === 'success') > 0;
-            const { data: reviews } = await github.rest.pulls.listReviews({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.issue.number,
-            });
-            const approvingReviews = reviews && reviews.filter(review => review.state === 'APPROVED');
-            const shouldRun = !alreadyRun && github.actor != 'dependabot[bot]' &&  (approvingReviews.length > 0);
-
-              console.log("tests should be run = %j", shouldRun);
-              console.log("alreadyRun = %j", alreadyRun);
-              console.log("approvingReviews = %j", approvingReviews.length);
-
-            return shouldRun;
-
   prepareReferenceTestEthereum:
     runs-on: ubuntu-22.04
     needs: shouldRun
-    if: ${{ needs.shouldRun.outputs.shouldRun == 'true' }}
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4.1.1
         with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
           submodules: recursive
           set-safe-directory: true
       - name: Set up Java
@@ -82,7 +41,6 @@ jobs:
       checks: write
     needs:
       - prepareReferenceTestEthereum
-    if: ${{ needs.shouldRun.outputs.shouldRun == 'true' }}
     strategy:
       fail-fast: true
       matrix:
@@ -91,6 +49,7 @@ jobs:
       - name: Checkout Repo
         uses: actions/checkout@v4.1.1
         with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
           submodules: recursive
       - name: Set up Java
         uses: actions/setup-java@v4.0.0
@@ -103,7 +62,7 @@ jobs:
           name: 'reference-tests'
           path: 'ethereum/referencetests/build/generated/sources/reference-test/'
       - name: get reference test report
-        uses: dawidd6/action-download-artifact@v3
+        uses: docker/login-action@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d@v3
         with:
           branch: main
           name_is_regexp: true
@@ -114,7 +73,7 @@ jobs:
         uses: gradle/gradle-build-action@v2.12.0
       - name: Split tests
         id: split-tests
-        uses: r7kamura/split-tests-by-timings@v0
+        uses: r7kamura/split-tests-by-timings@9322bd292d9423e2bc5a65bec548901801341e3f
         with:
           reports: tmp/ref-xml-reports-downloaded
           glob: 'ethereum/referencetests/build/generated/sources/reference-test/**/*.java'
@@ -131,7 +90,7 @@ jobs:
           name: reference-test-node-${{matrix.runner_index}}-results
           path: '**/build/test-results/referenceTests/TEST-*.xml'
       - name: Publish Test Report
-        uses: mikepenz/action-junit-report@v4
+        uses: mikepenz/action-junit-report@5f47764eec0e1c1f19f40c8e60a5ba47e47015c5
         if: success() || failure() # always run even if the build step fails
         with:
           report_paths: '**/build/test-results/referenceTest/TEST-*.xml'

From 35fe4763fce539a22a7c9264a06e1c8192855e6f Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Thu, 1 Feb 2024 16:54:47 -0500
Subject: [PATCH 15/48] pins all action calls to a specific commit

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml     |  8 ++--
 .github/workflows/artifacts.yml            | 16 +++----
 .github/workflows/codeql.yml               | 10 ++---
 .github/workflows/docker.yml               | 34 +++++++--------
 .github/workflows/integration-tests.yml    |  6 +--
 .github/workflows/nightly.yml              | 26 ++++++------
 .github/workflows/parallel-unit-tests.yml  | 49 ----------------------
 .github/workflows/pr-checklist-on-open.yml |  2 +-
 .github/workflows/pre-review.yml           | 24 +++++------
 .github/workflows/reference-tests.yml      | 18 ++++----
 .github/workflows/release.yml              |  6 +--
 .github/workflows/sonarcloud.yml           |  8 ++--
 12 files changed, 79 insertions(+), 128 deletions(-)
 delete mode 100644 .github/workflows/parallel-unit-tests.yml

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 42a44842c7f..4767c53b140 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -31,11 +31,11 @@ jobs:
         runner_index: [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15]
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
@@ -48,7 +48,7 @@ jobs:
           path: tmp/junit-xml-reports-downloaded
           if_no_artifact_found: true
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: Split tests
         id: split-tests
         uses: r7kamura/split-tests-by-timings@9322bd292d9423e2bc5a65bec548901801341e3f
@@ -68,7 +68,7 @@ jobs:
       - name: cleanup tempfiles
         run: rm testList.txt gradleArgs.txt
       - name: Upload Acceptance Test Results
-        uses: actions/upload-artifact@v3.1.0
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
         with:
           name: acceptance-node-${{matrix.runner_index}}-test-results
           path: 'acceptance-tests/tests/build/test-results/acceptanceTest/TEST-*.xml'
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 3b33f43bce1..91abbbc4438 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -13,14 +13,14 @@ jobs:
       contents: write
     steps:
       - name: checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Set up JDK 17
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: 'temurin'
           java-version: '17'
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: assemble distributions
         run:
           ./gradlew -Prelease.releaseVersion=${{github.ref_name}} assemble -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
@@ -31,17 +31,17 @@ jobs:
           echo "zipSha=$(shasum -a 256 besu*.zip)" >> $GITHUB_OUTPUT
           echo "tarSha=$(shasum -a 256 besu*.tar.gz)" >> $GITHUB_OUTPUT
       - name: upload tarball
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
         with:
           path: 'build/distributions/besu*.tar.gz'
           name: besu-${{ github.ref_name }}.tar.gz
       - name: upload zipfile
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
         with:
           path: 'build/distributions/besu*.zip'
           name: besu-${{ github.ref_name }}.zip
       - name: Upload Release assets
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
         with:
           append_body: true
           files: |
@@ -57,12 +57,12 @@ jobs:
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: adopt
           java-version: 17
       - name: Download zip
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
         with:
           name: besu-${{ github.ref_name }}.zip
       - name: test Besu
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f8842123330..da937f24257 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -31,15 +31,15 @@ jobs:
       security-events: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.1.1
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - name: Set up Java
-      uses: actions/setup-java@v4.0.0
+      uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
       with:
         distribution: 'temurin'
         java-version: 17
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -48,9 +48,9 @@ jobs:
         queries: security-and-quality,security-extended
 
     - name: setup gradle
-      uses: gradle/gradle-build-action@v2.12.0
+      uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
     - name: compileJava noscan
       run: |
         JAVA_OPTS="-Xmx2048M" ./gradlew --no-scan compileJava
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index c487ed84b28..dbab691f965 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -11,14 +11,14 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: hadoLint_openj9-jdk_17
         run: docker run --rm -i hadolint/hadolint < docker/openj9-jdk-17/Dockerfile
       - name: hadoLint_openjdk_17
@@ -55,33 +55,33 @@ jobs:
               echo "ARCH=arm64" >> $GITHUB_OUTPUT
             fi
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: short sha
         id: shortSha
         run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: install goss
         run: |
           mkdir -p docker/reports
           curl -L https://github.com/aelsabbahy/goss/releases/download/v0.4.4/goss-${{ steps.prep.outputs.PLATFORM_PAIR }} -o ./docker/tests/goss-${{ steps.prep.outputs.PLATFORM_PAIR }}
-      - name: build and test docker
-        uses: gradle/gradle-build-action@v2.12.0
-        env:
-          architecture: ${{ steps.prep.outputs.ARCH }}
-        with:
-          arguments: testDocker -PdockerOrgName=${{ env.registry }}/${{ github.repository_owner }} -Prelease.releaseVersion=${{ github.ref_name }}
       - name: login to ghcr
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
         with:
           registry: ${{ env.registry }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      - name: build and test docker
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
+        env:
+          architecture: ${{ steps.prep.outputs.ARCH }}
+        with:
+          arguments: testDocker -PdockerOrgName=${{ env.registry }}/${{ github.repository_owner }} -Prelease.releaseVersion=${{ github.ref_name }}
       - name: publish
         env:
           architecture: ${{ steps.prep.outputs.ARCH }}
@@ -94,16 +94,16 @@ jobs:
       packages: write
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: login to ghcr
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
         with:
           registry: ${{ env.registry }}
           username: ${{ github.actor }}
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 4bf55d81d23..63297b5f930 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -25,16 +25,16 @@ jobs:
       checks: write
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: run integration tests
         run: ./gradlew integrationTest compileJmh -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
       - name: Publish Test Report
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 9d2778fba47..90e43417c46 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -16,14 +16,14 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: hadoLint_openj9-jdk_17
         run: docker run --rm -i hadolint/hadolint < docker/openj9-jdk-17/Dockerfile
       - name: hadoLint_openjdk_17
@@ -59,19 +59,19 @@ jobs:
             echo "ARCH=arm64" >> $GITHUB_OUTPUT
           fi
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: short sha
         id: shortSha
         run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: build image
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
         with:
           arguments: distDocker -PdockerOrgName=${{ env.registry }}/${{ github.repository_owner }} -Pbranch=main
       - name: install goss
@@ -79,13 +79,13 @@ jobs:
           mkdir -p docker/reports
           curl -L https://github.com/aelsabbahy/goss/releases/download/v0.4.4/goss-${{ steps.prep.outputs.PLATFORM_PAIR }} -o ./docker/tests/goss-${{ steps.prep.outputs.PLATFORM_PAIR }}
       - name: test docker
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
         env:
           architecture: ${{ steps.prep.outputs.ARCH }}
         with:
           arguments: testDocker -PdockerOrgName=${{ env.registry }}/${{ github.repository_owner }} -Pbranch=main
       - name: login to ghcr
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
         with:
           registry: ${{ env.registry }}
           username: ${{ github.actor }}
@@ -102,16 +102,16 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: Login to DockerHub
-        uses: docker/login-action@v3.0.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
         with:
           registry: ${{ env.registry }}
           username: ${{ github.actor }}
diff --git a/.github/workflows/parallel-unit-tests.yml b/.github/workflows/parallel-unit-tests.yml
deleted file mode 100644
index b12fa43655b..00000000000
--- a/.github/workflows/parallel-unit-tests.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: parallel-unit-tests
-#experimental work in progress - trying to figure out how to split tests across multi-modules by runtime
-on:
-  workflow_dispatch:
-
-env:
-  GRADLE_OPTS: "-Dorg.gradle.daemon=false"
-  total-runners: 4
-jobs:
-  junit:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        runner_index:
-          - 0
-          - 1
-          - 2
-          - 3
-    steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
-      - name: Split tests
-        id: split-tests
-        uses: chaosaffe/split-tests@v1-alpha.1
-        with:
-          glob: '**/src/test/java/**/*.java'
-          split-total: ${{ env.total-runners }}
-          split-index: ${{ matrix.runner_index }}
-          line-count: true
-      - name: Set up Java
-        uses: actions/setup-java@v4.0.0
-        with:
-          distribution: adopt
-          java-version: 17
-          cache: gradle
-      - name: write out test list
-        run: echo "${{ steps.split-tests.outputs.test-suite }}" >> testList.txt
-      - name: debug testfile paths
-        run: cat testList.txt
-      - name: format gradle args
-        # regex means: truncate file paths to align with package name, replacing with tests switch, then drop file extension,
-        # then swap path delimiter with package delimiter
-        run: cat testList.txt | sed -e 's/[^ ]*src\/test\/java\//--tests\ /g' -e 's/\.java//g' -e 's/\//\./g' >> gradleArgs.txt
-      - name: debug test class list
-        run: cat gradleArgs.txt
-      - name: run unit tests
-        run: ./gradlew test `cat gradleArgs.txt`
-
diff --git a/.github/workflows/pr-checklist-on-open.yml b/.github/workflows/pr-checklist-on-open.yml
index 707ce8f173b..8c9aad72c21 100644
--- a/.github/workflows/pr-checklist-on-open.yml
+++ b/.github/workflows/pr-checklist-on-open.yml
@@ -10,7 +10,7 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-      - uses: actions/github-script@v7.0.1
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
diff --git a/.github/workflows/pre-review.yml b/.github/workflows/pre-review.yml
index 74577114146..2baca446251 100644
--- a/.github/workflows/pre-review.yml
+++ b/.github/workflows/pre-review.yml
@@ -26,7 +26,7 @@ jobs:
     container: ghcr.io/todogroup/repolinter:v0.11.2
     steps:
     - name: Checkout Code
-      uses: actions/checkout@v4.1.1
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       with:
         ref: ${{ github.event.pull_request.head.sha || github.ref }}
     - name: Lint Repo
@@ -35,25 +35,25 @@ jobs:
     name: "Gradle Wrapper Validation"
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4.1.1
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
-      - uses: gradle/wrapper-validation-action@v1.1.0
+      - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4
   spotless:
     runs-on: ubuntu-22.04
     if: ${{ github.actor != 'dependabot[bot]' }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: run spotless
         run: ./gradlew spotlessCheck -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
   compile:
@@ -62,16 +62,16 @@ jobs:
     needs: [spotless, gradle-wrapper, repolint]
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: Gradle Compile
         run: ./gradlew build -x test -x spotlessCheck -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
   unitTests:
@@ -94,16 +94,16 @@ jobs:
           - "ethereum:core:test"
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: run unit tests
         id: unitTest
         run: ./gradlew $GRADLEW_UNIT_TEST_ARGS -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 21875f2c4ab..e690b68a635 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -14,22 +14,22 @@ jobs:
     needs: shouldRun
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
           submodules: recursive
           set-safe-directory: true
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: temurin
           java-version: 17
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: execute generate reference tests
         run: ./gradlew ethereum:referencetests:blockchainReferenceTests ethereum:referencetests:generalstateReferenceTests ethereum:referencetests:generalstateRegressionReferenceTests -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
       - name: store generated tests
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
         with:
           name: 'reference-tests'
           path: 'ethereum/referencetests/build/generated/sources/reference-test/**/*.java'
@@ -47,17 +47,17 @@ jobs:
         runner_index: [0,1,2,3,4,5]
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
           submodules: recursive
       - name: Set up Java
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: adopt-openj9
           java-version: 17
       - name: retrieve generated tests
-        uses: actions/download-artifact@v3.0.2
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
         with:
           name: 'reference-tests'
           path: 'ethereum/referencetests/build/generated/sources/reference-test/'
@@ -70,7 +70,7 @@ jobs:
           path: tmp/ref-xml-reports-downloaded
           if_no_artifact_found: true
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: Split tests
         id: split-tests
         uses: r7kamura/split-tests-by-timings@9322bd292d9423e2bc5a65bec548901801341e3f
@@ -84,7 +84,7 @@ jobs:
       - name: run reference tests
         run: ./gradlew ethereum:referenceTests:referenceTests `cat refTestArgs.txt` -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
       - name: Upload Test Report
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
         if: always() # always run even if the previous step fails
         with:
           name: reference-test-node-${{matrix.runner_index}}-results
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e0c4f0bb298..54c28bea64a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,8 +7,8 @@ jobs:
   dockerPromoteX64:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4.1.1
-      - uses: actions/setup-java@v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: 'temurin' # See 'Supported distributions' for available options
           java-version: '17'
@@ -16,7 +16,7 @@ jobs:
       - name: Login to DockerHub
         run: echo '${{ secrets.DOCKER_PASSWORD_RW }}' | docker login -u '${{ secrets.DOCKER_USER_RW }}' --password-stdin
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: Docker upload
         run: ./gradlew "-Prelease.releaseVersion=${{ github.ref_name }}" "-PdockerOrgName=${{ secrets.DOCKER_ORG }}" dockerUploadRelease
       - name: Docker manifest
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 7c4acee7e40..04bb0405b87 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -16,20 +16,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       - name: Set up JDK 17
-        uses: actions/setup-java@v4.0.0
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93
         with:
           distribution: 'temurin'
           java-version: '17'
       - name: Cache SonarCloud packages
-        uses: actions/cache@v3
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
       - name: setup gradle
-        uses: gradle/gradle-build-action@v2.12.0
+        uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa
       - name: Build and analyze
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any

From 0a1beec30463e2b26bd2fa87d0757fefd903a038 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Thu, 1 Feb 2024 17:06:20 -0500
Subject: [PATCH 16/48] correct invalid test

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index eb1cfc0c33b..efc02f73d44 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
   }
 }

From d2e9abb34e9ef670a00b5ffc4a5d028df0574f70 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 10:19:05 -0500
Subject: [PATCH 17/48] give tests permission to write checks/status and put
 reports on pr

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  | 4 ++++
 .github/workflows/integration-tests.yml | 4 ++++
 .github/workflows/reference-tests.yml   | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 4767c53b140..8676c8f2c8c 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -8,6 +8,10 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 16
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   authorize:
     environment:
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 63297b5f930..fb947157e37 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -8,6 +8,10 @@ on:
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   authorize:
     environment:
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index e690b68a635..b3b220bd9f1 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -8,6 +8,10 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 6
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   prepareReferenceTestEthereum:
     runs-on: ubuntu-22.04

From a249bd5d3b2ebffd3503ff824a1d72e7454e11d5 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 10:45:12 -0500
Subject: [PATCH 18/48] moving perms to workflow level did not help

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  | 4 ----
 .github/workflows/integration-tests.yml | 4 ----
 .github/workflows/reference-tests.yml   | 4 ----
 3 files changed, 12 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 8676c8f2c8c..4767c53b140 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -8,10 +8,6 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 16
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   authorize:
     environment:
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index fb947157e37..63297b5f930 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -8,10 +8,6 @@ on:
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   authorize:
     environment:
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index b3b220bd9f1..e690b68a635 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -8,10 +8,6 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 6
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   prepareReferenceTestEthereum:
     runs-on: ubuntu-22.04

From e00471fbcf19f3deaff8bc23f51b7604e46877ce Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:25:36 -0500
Subject: [PATCH 19/48] intentional acceptance test failure

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index efc02f73d44..eb1cfc0c33b 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 9ffea26c0ed592793d293a8ed417eac135b11782 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:42:16 -0500
Subject: [PATCH 20/48] explicitly allow mikepenz/action-junit-report@v4
 actions

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index eb1cfc0c33b..e43d454a175 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
+    //TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From f3d2d6b8f448946c457afc9afcf123a68a49cf47 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:49:30 -0500
Subject: [PATCH 21/48] pendantic spotless

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index e43d454a175..fcbf5df9c7d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    //TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From bd7be2eaf32c0efe080a3bf4ad3fe0b0b69c4672 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 12:40:21 -0500
Subject: [PATCH 22/48] updated actions allowed

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index fcbf5df9c7d..212e852b80d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO ASAP!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 96118b79ef27d8e7bae72e7e4474d9d576fd77ef Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 12:58:47 -0500
Subject: [PATCH 23/48] updated actions allowed

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index 212e852b80d..fcbf5df9c7d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO ASAP!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From f05bf11398ad7ba81332c42e5ef5cea3f18757bb Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 13:11:29 -0500
Subject: [PATCH 24/48] undid intentional acc test fail

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../eth/ExpectSuccessfulEthGetTransactionReceipt.java          | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index fcbf5df9c7d..efc02f73d44 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
   }
 }

From 37ef21e45df56b03c1f6ca90905fac500c9e7c09 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 13:33:18 -0500
Subject: [PATCH 25/48] intentional acceptance test failure

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index efc02f73d44..eb1cfc0c33b 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From d1302812d06140204d20ae012d4f33bee738aa65 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 15:58:35 -0500
Subject: [PATCH 26/48] uprev artifact download

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 2 +-
 .github/workflows/reference-tests.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 4767c53b140..c87e8b66fcb 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -40,7 +40,7 @@ jobs:
           distribution: temurin
           java-version: 17
       - name: get acceptance test report
-        uses: docker/login-action@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d@v3
+        uses: dawidd6/action-download-artifact@v2
         with:
           branch: main
           name_is_regexp: true
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index e690b68a635..17a5477c668 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -62,7 +62,7 @@ jobs:
           name: 'reference-tests'
           path: 'ethereum/referencetests/build/generated/sources/reference-test/'
       - name: get reference test report
-        uses: docker/login-action@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d@v3
+        uses: dawidd6/action-download-artifact@v2
         with:
           branch: main
           name_is_regexp: true

From 81feba7290086e3eb03648fc7b0bf0326e3354d9 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Thu, 1 Feb 2024 10:18:01 -0500
Subject: [PATCH 27/48] new permission approach

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index c87e8b66fcb..2c6e1790328 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -40,7 +40,7 @@ jobs:
           distribution: temurin
           java-version: 17
       - name: get acceptance test report
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@v3
         with:
           branch: main
           name_is_regexp: true

From a8fcea0fb3f90d78ecd3926c02859125083ffc00 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Fri, 2 Feb 2024 08:35:50 -0500
Subject: [PATCH 28/48] wrong action

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  | 2 +-
 .github/workflows/integration-tests.yml | 5 +----
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 2c6e1790328..69d782f9c47 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -40,7 +40,7 @@ jobs:
           distribution: temurin
           java-version: 17
       - name: get acceptance test report
-        uses: dawidd6/action-download-artifact@v3
+        uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d
         with:
           branch: main
           name_is_regexp: true
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 63297b5f930..2edb04875d7 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -1,9 +1,6 @@
 name: integration-tests
 on:
-  pull_request:
-  pull_request_review:
-    types:
-      - submitted
+  pull_request_target:
 
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"

From 9cbcd4dfb60f2726b41a2f028c88bdf145241cbf Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Fri, 2 Feb 2024 10:54:34 -0500
Subject: [PATCH 29/48] adds release branches, test actor membership action

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  |  1 +
 .github/workflows/integration-tests.yml |  3 +++
 .github/workflows/pre-review.yml        | 14 +++++++++++++-
 .github/workflows/reference-tests.yml   | 11 ++++++++++-
 4 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 69d782f9c47..1cefd9a7ead 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -3,6 +3,7 @@ on:
   pull_request_target:
     branches:
       - main
+      - release-*
 
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 2edb04875d7..12082d17353 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -1,6 +1,9 @@
 name: integration-tests
 on:
   pull_request_target:
+    branches:
+      - main
+      - release-*
 
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
diff --git a/.github/workflows/pre-review.yml b/.github/workflows/pre-review.yml
index 2baca446251..e7410798c40 100644
--- a/.github/workflows/pre-review.yml
+++ b/.github/workflows/pre-review.yml
@@ -18,8 +18,20 @@ jobs:
       'external' || 'internal' }}
     runs-on: ubuntu-22.04
     steps:
-      - run: true
+    - id: get-members
+      uses: GuillaumeFalourd/github-team-members@v1
+      with:
+        org_slug: org-slug
+        team_slug: team-slug
+        token: ${{ secrets.GITHUB_TOKEN }}
+
+    - if: steps.get-members.outputs.actor-belongs-team == 'true'
+      run: echo "${{ github.actor }} belongs to Team"
+      shell: bash
 
+    - if: steps.get-members.outputs.actor-belongs-team == 'false'
+      run: echo "${{ github.actor }} doesn't belong to Team"
+      shell: bash
   repolint:
     name: "Repository Linting"
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 17a5477c668..997b2c2162b 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -3,15 +3,24 @@ on:
   pull_request_target:
     branches:
       - main
+      - release-*
 
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 6
 
 jobs:
+  authorize:
+    environment:
+      ${{ github.event_name == 'pull_request_target' &&
+      github.event.pull_request.head.repo.full_name != github.repository &&
+      'external' || 'internal' }}
+    runs-on: ubuntu-22.04
+    steps:
+      - run: true
   prepareReferenceTestEthereum:
     runs-on: ubuntu-22.04
-    needs: shouldRun
+    needs: authorize
     steps:
       - name: Checkout Repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

From ea3842dd60e329ad6cb17b8fa4ad36b12e99118f Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Fri, 2 Feb 2024 12:22:33 -0500
Subject: [PATCH 30/48] adds release branches, test actor membership action

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/pre-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pre-review.yml b/.github/workflows/pre-review.yml
index e7410798c40..40d969290b9 100644
--- a/.github/workflows/pre-review.yml
+++ b/.github/workflows/pre-review.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - id: get-members
-      uses: GuillaumeFalourd/github-team-members@v1
+      uses: GuillaumeFalourd/github-team-members@2c201b9c885619191c705b947322e1c37cb53b00
       with:
         org_slug: org-slug
         team_slug: team-slug

From 618432e2bd95bacddd3acb40177336a6ea910cc4 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 10:19:05 -0500
Subject: [PATCH 31/48] give tests permission to write checks/status and put
 reports on pr

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  | 4 ++++
 .github/workflows/integration-tests.yml | 4 ++++
 .github/workflows/reference-tests.yml   | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 1cefd9a7ead..14178f612d9 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -9,6 +9,10 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 16
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   authorize:
     environment:
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 12082d17353..2254dba5bb5 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -8,6 +8,10 @@ on:
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   authorize:
     environment:
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 997b2c2162b..4dcc65fe988 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -9,6 +9,10 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 6
 
+permissions:
+  statuses: write
+  checks: write
+
 jobs:
   authorize:
     environment:

From 2a1e71293fdaff825c6ea62ed884c1f321a253e5 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 10:45:12 -0500
Subject: [PATCH 32/48] moving perms to workflow level did not help

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml  | 4 ----
 .github/workflows/integration-tests.yml | 4 ----
 .github/workflows/reference-tests.yml   | 4 ----
 3 files changed, 12 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 14178f612d9..1cefd9a7ead 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -9,10 +9,6 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 16
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   authorize:
     environment:
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 2254dba5bb5..12082d17353 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -8,10 +8,6 @@ on:
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   authorize:
     environment:
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 4dcc65fe988..997b2c2162b 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -9,10 +9,6 @@ env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
   total-runners: 6
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
   authorize:
     environment:

From 24d2de3b9b3399f78db02f81b4fd5dcf7de821e7 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:42:16 -0500
Subject: [PATCH 33/48] explicitly allow mikepenz/action-junit-report@v4
 actions

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index eb1cfc0c33b..e43d454a175 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
+    //TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 70e2830163dea87c1f1cf1726c3320458cb400ad Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 11:49:30 -0500
Subject: [PATCH 34/48] pendantic spotless

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index e43d454a175..fcbf5df9c7d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    //TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 4dd3e09146681d3439cc30cfb0ecc8e65eccc813 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 12:40:21 -0500
Subject: [PATCH 35/48] updated actions allowed

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index fcbf5df9c7d..212e852b80d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO ASAP!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From bd059aec68a4fd54a43d43b11826fb8fff49a91a Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 12:58:47 -0500
Subject: [PATCH 36/48] updated actions allowed

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index 212e852b80d..fcbf5df9c7d 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,7 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO ASAP!!!
+    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
     WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From 5797d64c312de42bb431966b8748ff76e9cbb58b Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 13:11:29 -0500
Subject: [PATCH 37/48] undid intentional acc test fail

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../eth/ExpectSuccessfulEthGetTransactionReceipt.java          | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index fcbf5df9c7d..efc02f73d44 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,7 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    // TODO: TEST INVERTED FOR INTENTIONAL BREAK PLS UNDO!!!
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
   }
 }

From 8fb6dcd60abee9c5d1f5f47f8f0fc5a11c0f8f72 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 13:33:18 -0500
Subject: [PATCH 38/48] intentional acceptance test failure

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
index efc02f73d44..eb1cfc0c33b 100644
--- a/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
+++ b/acceptance-tests/dsl/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/condition/eth/ExpectSuccessfulEthGetTransactionReceipt.java
@@ -32,6 +32,6 @@ public ExpectSuccessfulEthGetTransactionReceipt(
 
   @Override
   public void verify(final Node node) {
-    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isPresent());
+    WaitUtils.waitFor(60, () -> assertThat(node.execute(transaction)).isNotPresent());
   }
 }

From d6d1034e9b503cfd8bfcd534948b5810d5e78c1d Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Wed, 31 Jan 2024 15:58:35 -0500
Subject: [PATCH 39/48] uprev artifact download

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 42 +++++++++++++++++++++-----
 .github/workflows/reference-tests.yml  |  2 +-
 2 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 1cefd9a7ead..d38fb2e9645 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -10,15 +10,42 @@ env:
   total-runners: 16
 
 jobs:
-  authorize:
-    environment:
-      ${{ github.event_name == 'pull_request_target' &&
-      github.event.pull_request.head.repo.full_name != github.repository &&
-      'external' || 'internal' }}
+  shouldRun:
+    name: checks to ensure we should run
+    # necessary because there is no single PR approved event, need to check all comments/approvals/denials
     runs-on: ubuntu-22.04
+    outputs:
+      shouldRun: ${{steps.shouldRun.outputs.result}}
     steps:
-      - run: true
-
+      - name: required check
+        id: shouldRun
+        uses: actions/github-script@v7.0.1
+        env:
+          # fun fact, this changes based on incoming event, it will be different when we run this on pushes to main
+          RELEVANT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+        with:
+          script: |
+            const { RELEVANT_SHA } = process.env;
+            const { data: { statuses } } = await github.rest.repos.getCombinedStatusForRef({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: RELEVANT_SHA,
+            });
+            const acceptanceTested = statuses && statuses.filter(({ context }) => context === 'acceptance-tests');
+            const alreadyRun = acceptanceTested && acceptanceTested.find(({ state }) => state === 'success') > 0;
+            const { data: reviews } = await github.rest.pulls.listReviews({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+            });
+            const approvingReviews = reviews && reviews.filter(review => review.state === 'APPROVED');
+            const shouldRun = !alreadyRun && github.actor != 'dependabot[bot]' &&  (approvingReviews.length > 0);
+            
+              console.log("tests should be run = %j", shouldRun);
+              console.log("alreadyRun = %j", alreadyRun);
+              console.log("approvingReviews = %j", approvingReviews.length);
+            
+            return shouldRun;
   acceptanceTestEthereum:
     runs-on: ubuntu-22.04
     name: "Acceptance Runner"
@@ -26,6 +53,7 @@ jobs:
     permissions:
       statuses: write
       checks: write
+    if: ${{ needs.shouldRun.outputs.shouldRun == 'true'}}
     strategy:
       fail-fast: true
       matrix:
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 997b2c2162b..e68b3637ae6 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -71,7 +71,7 @@ jobs:
           name: 'reference-tests'
           path: 'ethereum/referencetests/build/generated/sources/reference-test/'
       - name: get reference test report
-        uses: dawidd6/action-download-artifact@v2
+        uses: dawidd6/action-download-artifact@v3
         with:
           branch: main
           name_is_regexp: true

From bd72084b75f2f6a853a3d5dff27b22748d20285a Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Thu, 1 Feb 2024 10:18:01 -0500
Subject: [PATCH 40/48] new permission approach

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index d38fb2e9645..fbe9c1ed1fd 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -4,6 +4,8 @@ on:
     branches:
       - main
       - release-*
+  pull_request_review:
+    types: [submitted]
 
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"
@@ -49,7 +51,7 @@ jobs:
   acceptanceTestEthereum:
     runs-on: ubuntu-22.04
     name: "Acceptance Runner"
-    needs: authorize
+    needs: shouldRun
     permissions:
       statuses: write
       checks: write

From 0cfcf125421af42a4dfca373aa7dd756ab3b8d08 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Fri, 2 Feb 2024 08:35:50 -0500
Subject: [PATCH 41/48] wrong action

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/integration-tests.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 12082d17353..250b9c45d81 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -4,6 +4,9 @@ on:
     branches:
       - main
       - release-*
+  pull_request_review:
+    types:
+      - submitted
 
 env:
   GRADLE_OPTS: "-Xmx6g -Dorg.gradle.daemon=false"

From 48c01f5e13a77308b180a78bf3f1681d9316ee8c Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Fri, 2 Feb 2024 10:54:34 -0500
Subject: [PATCH 42/48] adds release branches, test actor membership action

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/pre-review.yml | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/.github/workflows/pre-review.yml b/.github/workflows/pre-review.yml
index 40d969290b9..2baca446251 100644
--- a/.github/workflows/pre-review.yml
+++ b/.github/workflows/pre-review.yml
@@ -18,20 +18,8 @@ jobs:
       'external' || 'internal' }}
     runs-on: ubuntu-22.04
     steps:
-    - id: get-members
-      uses: GuillaumeFalourd/github-team-members@2c201b9c885619191c705b947322e1c37cb53b00
-      with:
-        org_slug: org-slug
-        team_slug: team-slug
-        token: ${{ secrets.GITHUB_TOKEN }}
-
-    - if: steps.get-members.outputs.actor-belongs-team == 'true'
-      run: echo "${{ github.actor }} belongs to Team"
-      shell: bash
+      - run: true
 
-    - if: steps.get-members.outputs.actor-belongs-team == 'false'
-      run: echo "${{ github.actor }} doesn't belong to Team"
-      shell: bash
   repolint:
     name: "Repository Linting"
     runs-on: ubuntu-22.04

From 99637096b217b39a3c8294734e858537d77a1123 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Fri, 2 Feb 2024 12:40:49 -0500
Subject: [PATCH 43/48] missed one

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/reference-tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index e68b3637ae6..300d48474c7 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -71,7 +71,7 @@ jobs:
           name: 'reference-tests'
           path: 'ethereum/referencetests/build/generated/sources/reference-test/'
       - name: get reference test report
-        uses: dawidd6/action-download-artifact@v3
+        uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d
         with:
           branch: main
           name_is_regexp: true

From 7b4557480b86eb3c31c82950496a47f3fcfca910 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Fri, 2 Feb 2024 13:24:17 -0500
Subject: [PATCH 44/48] can env depend on later steps?

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/pre-review.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pre-review.yml b/.github/workflows/pre-review.yml
index 2baca446251..255c77ecad6 100644
--- a/.github/workflows/pre-review.yml
+++ b/.github/workflows/pre-review.yml
@@ -13,9 +13,8 @@ permissions:
 jobs:
   authorize:
     environment:
-      ${{ github.event_name == 'pull_request_target' &&
-      github.event.pull_request.head.repo.full_name != github.repository &&
-      'external' || 'internal' }}
+      ${{ steps.get-members.outputs.actor-belongs-team == 'true' &&
+      'internal' || 'external' }}
     runs-on: ubuntu-22.04
     steps:
       - run: true

From 2653286994caf76d145c158f7c239af3415a14af Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Tue, 6 Feb 2024 09:12:47 -0500
Subject: [PATCH 45/48] reverts test gating strategy and adds failing test

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml                      | 2 +-
 .github/workflows/artifacts.yml                             | 6 ++++--
 .github/workflows/pre-review.yml                            | 4 ++--
 .github/workflows/reference-tests.yml                       | 4 ++--
 .../test/java/org/hyperledger/besu/cli/BesuCommandTest.java | 2 +-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index fbe9c1ed1fd..a563b205411 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -99,7 +99,7 @@ jobs:
       - name: cleanup tempfiles
         run: rm testList.txt gradleArgs.txt
       - name: Upload Acceptance Test Results
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
         with:
           name: acceptance-node-${{matrix.runner_index}}-test-results
           path: 'acceptance-tests/tests/build/test-results/acceptanceTest/TEST-*.xml'
diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 91abbbc4438..5075a6c4f6e 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -31,15 +31,17 @@ jobs:
           echo "zipSha=$(shasum -a 256 besu*.zip)" >> $GITHUB_OUTPUT
           echo "tarSha=$(shasum -a 256 besu*.tar.gz)" >> $GITHUB_OUTPUT
       - name: upload tarball
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
         with:
           path: 'build/distributions/besu*.tar.gz'
           name: besu-${{ github.ref_name }}.tar.gz
+          compression-level: 0
       - name: upload zipfile
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
         with:
           path: 'build/distributions/besu*.zip'
           name: besu-${{ github.ref_name }}.zip
+          compression-level: 0
       - name: Upload Release assets
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
         with:
diff --git a/.github/workflows/pre-review.yml b/.github/workflows/pre-review.yml
index 255c77ecad6..17d96627e53 100644
--- a/.github/workflows/pre-review.yml
+++ b/.github/workflows/pre-review.yml
@@ -4,7 +4,7 @@ on:
   pull_request_target:
     branches:
       - main
-  workflow_dispatch:
+      - release-*
 
 permissions:
   statuses: write
@@ -77,7 +77,7 @@ jobs:
     env:
         GRADLEW_UNIT_TEST_ARGS: ${{matrix.gradle_args}}
     runs-on: ubuntu-22.04
-    needs: [ compile, authorize ]
+    needs: [ compile ]
     permissions:
       checks: write
       statuses: write
diff --git a/.github/workflows/reference-tests.yml b/.github/workflows/reference-tests.yml
index 300d48474c7..fab7dbf681c 100644
--- a/.github/workflows/reference-tests.yml
+++ b/.github/workflows/reference-tests.yml
@@ -38,7 +38,7 @@ jobs:
       - name: execute generate reference tests
         run: ./gradlew ethereum:referencetests:blockchainReferenceTests ethereum:referencetests:generalstateReferenceTests ethereum:referencetests:generalstateRegressionReferenceTests -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
       - name: store generated tests
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
         with:
           name: 'reference-tests'
           path: 'ethereum/referencetests/build/generated/sources/reference-test/**/*.java'
@@ -93,7 +93,7 @@ jobs:
       - name: run reference tests
         run: ./gradlew ethereum:referenceTests:referenceTests `cat refTestArgs.txt` -Dorg.gradle.parallel=true -Dorg.gradle.caching=true
       - name: Upload Test Report
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
         if: always() # always run even if the previous step fails
         with:
           name: reference-test-node-${{matrix.runner_index}}-results
diff --git a/besu/src/test/java/org/hyperledger/besu/cli/BesuCommandTest.java b/besu/src/test/java/org/hyperledger/besu/cli/BesuCommandTest.java
index 9584c199c8d..ed29c182475 100644
--- a/besu/src/test/java/org/hyperledger/besu/cli/BesuCommandTest.java
+++ b/besu/src/test/java/org/hyperledger/besu/cli/BesuCommandTest.java
@@ -197,7 +197,7 @@ public void callingHelpSubCommandMustDisplayUsage() {
     parseCommand("--help");
     final String expectedOutputStart = String.format("Usage:%n%nbesu [OPTIONS] [COMMAND]");
     assertThat(commandOutput.toString(UTF_8)).startsWith(expectedOutputStart);
-    assertThat(commandErrorOutput.toString(UTF_8)).isEmpty();
+    assertThat(commandErrorOutput.toString(UTF_8)).isNotEmpty();
   }
 
   @Test

From 302b677e5ef18021f720bb23aef692fd24890846 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Tue, 6 Feb 2024 09:13:15 -0500
Subject: [PATCH 46/48] wait, not ready to fail yet

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .../src/test/java/org/hyperledger/besu/cli/BesuCommandTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/besu/src/test/java/org/hyperledger/besu/cli/BesuCommandTest.java b/besu/src/test/java/org/hyperledger/besu/cli/BesuCommandTest.java
index ed29c182475..9584c199c8d 100644
--- a/besu/src/test/java/org/hyperledger/besu/cli/BesuCommandTest.java
+++ b/besu/src/test/java/org/hyperledger/besu/cli/BesuCommandTest.java
@@ -197,7 +197,7 @@ public void callingHelpSubCommandMustDisplayUsage() {
     parseCommand("--help");
     final String expectedOutputStart = String.format("Usage:%n%nbesu [OPTIONS] [COMMAND]");
     assertThat(commandOutput.toString(UTF_8)).startsWith(expectedOutputStart);
-    assertThat(commandErrorOutput.toString(UTF_8)).isNotEmpty();
+    assertThat(commandErrorOutput.toString(UTF_8)).isEmpty();
   }
 
   @Test

From c6172f00e26981755a5793f11bb8278ee5bf4f3f Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Tue, 6 Feb 2024 10:33:59 -0500
Subject: [PATCH 47/48] constrain new script action by sha

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/acceptance-tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index a563b205411..2ac595b63ba 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
       - name: required check
         id: shouldRun
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         env:
           # fun fact, this changes based on incoming event, it will be different when we run this on pushes to main
           RELEVANT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}

From 236fb1f1c0a561beaf8d2245ed5fff8717239498 Mon Sep 17 00:00:00 2001
From: Justin Florentine <justin+github@florentine.us>
Date: Tue, 6 Feb 2024 11:47:27 -0500
Subject: [PATCH 48/48] removes env auth and narrows perms from flow to job

Signed-off-by: Justin Florentine <justin+github@florentine.us>
---
 .github/workflows/pre-review.yml | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/.github/workflows/pre-review.yml b/.github/workflows/pre-review.yml
index 17d96627e53..5be0295daba 100644
--- a/.github/workflows/pre-review.yml
+++ b/.github/workflows/pre-review.yml
@@ -6,19 +6,7 @@ on:
       - main
       - release-*
 
-permissions:
-  statuses: write
-  checks: write
-
 jobs:
-  authorize:
-    environment:
-      ${{ steps.get-members.outputs.actor-belongs-team == 'true' &&
-      'internal' || 'external' }}
-    runs-on: ubuntu-22.04
-    steps:
-      - run: true
-
   repolint:
     name: "Repository Linting"
     runs-on: ubuntu-22.04