feat: add gosec workflow, refine document, change license

.github/workflows/gosec.yml

@@ -0,0 +1,51 @@
+name: gosec
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches:
+      - master
+      - develop
+jobs:
+  gosec:
+    name: gosec
+    strategy:
+      matrix:
+        go-version: [1.18.x]
+        os: [ubuntu-latest]
+    runs-on: ${{ matrix.os }}
+    env:
+      GOPRIVATE: github.com/bnb-chain
+      GH_ACCESS_TOKEN: ${{ secrets.GH_ACCESS_SECRET }}
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go-version }}
+      - uses: actions/checkout@v3
+      - name: Setup GitHub Token
+        run: git config --global url.https://$GH_ACCESS_TOKEN@github.com/.insteadOf https://github.com/
+      - uses: actions/cache@v3
+        with:
+          # In order:
+          # * Module download cache
+          # * Build cache (Linux)
+          # * Build cache (Mac)
+          # * Build cache (Windows)
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+            ~/Library/Caches/go-build
+            %LocalAppData%\go-build
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - run: |
+          go mod tidy
+          go mod download
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: -quiet -confidence high -severity high ./...

README.md

@@ -1,21 +1,7 @@
-# Tendermint
-
-![banner](docs/tendermint-core-image.jpg)
-
-[Byzantine-Fault Tolerant][bft] [State Machine Replication][smr]. Or
-[Blockchain], for short.
-
-[![Version][version-badge]][version-url]
-[![API Reference][api-badge]][api-url]
-[![Go version][go-badge]][go-url]
-[![Discord chat][discord-badge]][discord-url]
-[![License][license-badge]][license-url]
-[![Sourcegraph][sg-badge]][sg-url]
-
-| Branch | Tests                              | Linting                         |
-|--------|------------------------------------|---------------------------------|
-| main   | [![Tests][tests-badge]][tests-url] | [![Lint][lint-badge]][lint-url] |
+# Greenfield Tendermint
 
+Greenfield Tendermint, forked from [tendermint](https://github.com/tendermint/tendermint),
+is the consensus layer of Greenfield blockchain.
 Tendermint Core is a Byzantine Fault Tolerant (BFT) middleware that takes a
 state transition machine - written in any programming language - and securely
 replicates it on many machines.
@@ -26,36 +12,20 @@ For detailed analysis of the consensus protocol, including safety and liveness
 proofs, read our paper, "[The latest gossip on BFT
 consensus](https://arxiv.org/abs/1807.04938)".
 
-## Documentation
-
-Complete documentation can be found on the
-[website](https://docs.tendermint.com/).
-
-## Releases
-
-Please do not depend on `main` as your production branch. Use
-[releases](https://github.com/tendermint/tendermint/releases) instead.
-
-Tendermint has been in the production of private and public environments, most
-notably the blockchains of the Cosmos Network. we haven't released v1.0 yet
-since we are making breaking changes to the protocol and the APIs. See below for
-more details about [versioning](#versioning).
-
-In any case, if you intend to run Tendermint in production, we're happy to help.
-You can contact us [over email](mailto:hello@interchain.io) or [join the
-chat](https://discord.gg/cosmosnetwork).
-
-More on how releases are conducted can be found [here](./RELEASES.md).
+## Disclaimer
+**The software and related documentation are under active development, all subject to potential future change without
+notification and not ready for production use. The code and security audit have not been fully completed and not ready
+for any bug bounty. We advise you to be careful and experiment on the network at your own risk. Stay safe out there.**
 
-## Security
+## Key features
 
-To report a security vulnerability, see our [bug bounty
-program](https://hackerone.com/cosmos). For examples of the kinds of bugs we're
-looking for, see [our security policy](SECURITY.md).
+We implement several key features based on the Tendermint fork:
 
-We also maintain a dedicated mailing list for security updates. We will only
-ever use this mailing list to notify you of vulnerabilities and fixes in
-Tendermint Core. You can subscribe [here](http://eepurl.com/gZ5hQD).
+* Vote Pool. Vote pool is used to collect votes from different validators for off-chain consensus.
+Currently, it is mainly used for cross chain and data availability challenge in Greenfield blockchain.
+* RANDAO. RANDAO is introduced for on-chain randomness. Overall, the idea is very similar to the RANDAO
+in Ethereum beacon chain, you can refer to [here](https://eth2book.info/altair/part2/building_blocks/randomness)
+for more information. It has some limitations, please use it with caution.
 
 ## Minimum requirements
 
@@ -84,39 +54,6 @@ yourself with our [Architectural Decision Records
 (ADRs)](./docs/architecture/README.md) and
 [Request For Comments (RFCs)](./docs/rfc/README.md).
 
-## Versioning
-
-### Semantic Versioning
-
-Tendermint uses [Semantic Versioning](http://semver.org/) to determine when and
-how the version changes. According to SemVer, anything in the public API can
-change at any time before version 1.0.0
-
-To provide some stability to users of 0.X.X versions of Tendermint, the MINOR
-version is used to signal breaking changes across Tendermint's API. This API
-includes all publicly exposed types, functions, and methods in non-internal Go
-packages as well as the types and methods accessible via the Tendermint RPC
-interface.
-
-Breaking changes to these public APIs will be documented in the CHANGELOG.
-
-### Upgrades
-
-In an effort to avoid accumulating technical debt prior to 1.0.0, we do not
-guarantee that breaking changes (ie. bumps in the MINOR version) will work with
-existing Tendermint blockchains. In these cases you will have to start a new
-blockchain, or write something custom to get the old data into the new chain.
-However, any bump in the PATCH version should be compatible with existing
-blockchain histories.
-
-For more information on upgrading, see [UPGRADING.md](./UPGRADING.md).
-
-### Supported Versions
-
-Because we are a small core team, we only ship patch updates, including security
-updates, to the most recent minor release and the second-most recent minor
-release. Consequently, we strongly recommend keeping Tendermint up-to-date.
-Upgrading instructions can be found in [UPGRADING.md](./UPGRADING.md).
 
 ## Resources
 
@@ -143,16 +80,9 @@ Upgrading instructions can be found in [UPGRADING.md](./UPGRADING.md).
 - [Tendermint Core Blog](https://medium.com/tendermint/tagged/tendermint-core)
 - [Cosmos Blog](https://blog.cosmos.network/tendermint/home)
 
-## Join us!
-
-Tendermint Core is maintained by [Interchain GmbH](https://interchain.berlin).
-If you'd like to work full-time on Tendermint Core,
-[we're hiring](https://interchain-gmbh.breezy.hr/)!
+## License
 
-Funding for Tendermint Core development comes primarily from the
-[Interchain Foundation](https://interchain.io), a Swiss non-profit. The
-Tendermint trademark is owned by [Tendermint Inc.](https://tendermint.com), the
-for-profit entity that also maintains [tendermint.com](https://tendermint.com).
+To be added.
 
 [bft]: https://en.wikipedia.org/wiki/Byzantine_fault_tolerance
 [smr]: https://en.wikipedia.org/wiki/State_machine_replication

node/node.go

@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	_ "net/http/pprof" //nolint: gosec // securely exposed on separate, optional port
+	_ "net/http/pprof" //#nosec //nolint: gosec // securely exposed on separate, optional port
 	"strings"
 	"time"
 

test/maverick/node/node.go

@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	_ "net/http/pprof" //nolint: gosec // securely exposed on separate, optional port
+	_ "net/http/pprof" //#nosec //nolint: gosec // securely exposed on separate, optional port
 	"strconv"
 	"strings"
 	"time"