Solana deployment scripts and module configs #4355
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Solidity | |
| on: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "solidity/**" | |
| - ".github/workflows/contracts.yml" | |
| pull_request: | |
| # We intend to use `workflow dispatch` in two different situations/paths: | |
| # 1. If a workflow will be manually dispatched from branch named | |
| # `dapp-development`, workflow will deploy the contracts on the selected | |
| # testnet and publish them to NPM registry with `dapp-dev-<environment>` | |
| # suffix and `dapp-development-<environment>` tag. Such packages are meant | |
| # to be used locally by the team developing Threshold Token dApp and may | |
| # contain contracts that have different values from the ones used on | |
| # mainnet. | |
| # 2. If a workflow will be manually dispatched from a branch which name is not | |
| # `dapp-development`, the workflow will deploy the contracts on the | |
| # selected testnet and publish them to NPM registry with `<environment>` | |
| # suffix and tag. Such packages will be used later to deploy public | |
| # Threshold Token dApp on a testnet, with contracts resembling those used | |
| # on mainnet. | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: "Environment (network) for workflow execution, e.g. `goerli`" | |
| required: false | |
| upstream_builds: | |
| description: "Upstream builds" | |
| required: false | |
| upstream_ref: | |
| description: "Git reference to checkout (e.g. branch name)" | |
| required: false | |
| default: "main" | |
| jobs: | |
| contracts-detect-changes: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| path-filter: ${{ steps.filter.outputs.path-filter }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| if: github.event_name == 'pull_request' | |
| - uses: dorny/paths-filter@v2 | |
| if: github.event_name == 'pull_request' | |
| id: filter | |
| with: | |
| filters: | | |
| path-filter: | |
| - './solidity/**' | |
| - './.github/workflows/contracts.yml' | |
| contracts-build-and-test: | |
| needs: contracts-detect-changes | |
| if: | | |
| github.event_name != 'pull_request' | |
| || needs.contracts-detect-changes.outputs.path-filter == 'true' | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./solidity | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: "14.x" | |
| cache: "yarn" | |
| cache-dependency-path: solidity/yarn.lock | |
| # We need this step because the `@keep-network/tbtc` which we update in | |
| # next step has a dependency to `@summa-tx/[email protected]` package, which | |
| # downloads one of its sub-dependencies via unathenticated `git://` | |
| # protocol. That protocol is no longer supported. Thanks to this step | |
| # `https://` is used instead of `git://`. | |
| - name: Configure git to don't use unauthenticated protocol | |
| run: git config --global url."https://".insteadOf git:// | |
| - name: Install dependencies | |
| run: yarn install | |
| - name: Build contracts | |
| run: yarn build | |
| # We don't want to execute the tests for dapp-friendly contracts (either | |
| # when deploying from `dapp-development` or during PR checks on that branch). | |
| - name: Run tests | |
| if: github.ref != 'refs/heads/dapp-development' && github.head_ref != 'dapp-development' | |
| run: yarn test | |
| - name: Run integration tests | |
| if: github.ref != 'refs/heads/dapp-development' && github.head_ref != 'dapp-development' | |
| run: yarn test:integration | |
| contracts-deployment-dry-run: | |
| needs: contracts-detect-changes | |
| if: | | |
| github.event_name != 'pull_request' | |
| || needs.contracts-detect-changes.outputs.path-filter == 'true' | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./solidity | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: "14.x" | |
| cache: "yarn" | |
| cache-dependency-path: solidity/yarn.lock | |
| # This step forces Git to download dependencies using `https://` protocol, | |
| # even if `yarn.json` refers to some package via `git://`. Using `git://` | |
| # is no longer supported by GH. One of the `tbtc-v2` dependencies by | |
| # default uses `git://` and we needed to manually remove it every time | |
| # it re-appeared in the lock file. Now even if it does re-appear, the | |
| # `yarn install --frozen-lockfile` will not fail. | |
| - name: Configure git to don't use unauthenticated protocol | |
| run: git config --global url."https://".insteadOf git:// | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| - name: Deploy contracts | |
| run: yarn deploy:test | |
| contracts-deployment-testnet: | |
| needs: [contracts-build-and-test] | |
| if: | | |
| github.event_name == 'workflow_dispatch' | |
| && github.ref != 'refs/heads/dapp-development' | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./solidity | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: "14.x" | |
| cache: "yarn" | |
| cache-dependency-path: solidity/yarn.lock | |
| registry-url: "https://registry.npmjs.org" | |
| # We need this step because the `@keep-network/tbtc` which we update in | |
| # next steps has a dependency to `@summa-tx/[email protected]` package, which | |
| # downloads one of its sub-dependencies via unathenticated `git://` | |
| # protocol. That protocol is no longer supported. Thanks to this step | |
| # `https://` is used instead of `git://`. This step also prevents the | |
| # error during `yarn install --frozen-lockfile` step in case `git://` gets | |
| # introduced to tbtc-v2's `yarn.lock`. | |
| - name: Configure git to don't use unauthenticated protocol | |
| run: git config --global url."https://".insteadOf git:// | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| - name: Get upstream packages versions | |
| uses: keep-network/ci/actions/upstream-builds-query@v2 | |
| id: upstream-builds-query | |
| with: | |
| upstream-builds: ${{ github.event.inputs.upstream_builds }} | |
| query: | | |
| random-beacon-contracts-version = github.com/keep-network/keep-core/random-beacon#version | |
| ecdsa-contracts-version = github.com/keep-network/keep-core/ecdsa#version | |
| - name: Resolve latest contracts | |
| run: | | |
| yarn upgrade \ | |
| @keep-network/random-beacon@${{ steps.upstream-builds-query.outputs.random-beacon-contracts-version }} \ | |
| @keep-network/ecdsa@${{ steps.upstream-builds-query.outputs.ecdsa-contracts-version }} \ | |
| @keep-network/tbtc@${{ github.event.inputs.environment }} | |
| - name: Configure tenderly | |
| env: | |
| TENDERLY_TOKEN: ${{ secrets.TENDERLY_TOKEN }} | |
| run: ./config_tenderly.sh | |
| - name: Deploy contracts | |
| env: | |
| CHAIN_API_URL: ${{ secrets.GOERLI_ETH_HOSTNAME_HTTP }} | |
| ACCOUNTS_PRIVATE_KEYS: ${{ secrets.GOERLI_ETH_CONTRACT_OWNER_PRIVATE_KEY }} | |
| run: yarn deploy --network ${{ github.event.inputs.environment }} | |
| - name: Bump up package version | |
| id: npm-version-bump | |
| uses: keep-network/npm-version-bump@v2 | |
| with: | |
| work-dir: solidity | |
| environment: ${{ github.event.inputs.environment }} | |
| branch: ${{ github.ref }} | |
| commit: ${{ github.sha }} | |
| - name: Publish to npm | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| run: npm publish --access=public --tag ${{ github.event.inputs.environment }} --network=${{ github.event.inputs.environment }} | |
| - name: Notify CI about completion of the workflow | |
| uses: keep-network/ci/actions/notify-workflow-completed@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }} | |
| with: | |
| module: "github.com/keep-network/tbtc-v2" | |
| url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| environment: ${{ github.event.inputs.environment }} | |
| upstream_builds: ${{ github.event.inputs.upstream_builds }} | |
| upstream_ref: ${{ github.event.inputs.upstream_ref }} | |
| version: ${{ steps.npm-version-bump.outputs.version }} | |
| - name: Upload files needed for etherscan verification | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: Artifacts for etherscan verification | |
| path: | | |
| ./solidity/deployments | |
| ./solidity/package.json | |
| ./solidity/yarn.lock | |
| contracts-etherscan-verification: | |
| needs: [contracts-deployment-testnet] | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./solidity | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Download files needed for etherscan verification | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: Artifacts for etherscan verification | |
| path: ./solidity | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: "14.x" | |
| cache: "yarn" | |
| cache-dependency-path: solidity/yarn.lock | |
| # This step forces Git to download dependencies using `https://` protocol, | |
| # even if `yarn.json` refers to some package via `git://`. Using `git://` | |
| # is no longer supported by GH. One of the `tbtc-v2` dependencies by | |
| # default uses `git://` and we needed to manually remove it every time | |
| # it re-appeared in the lock file. Now even if it does re-appear, the | |
| # `yarn install --frozen-lockfile` will not fail. | |
| - name: Configure git to don't use unauthenticated protocol | |
| run: git config --global url."https://".insteadOf git:// | |
| - name: Install needed dependencies | |
| run: yarn install --frozen-lockfile | |
| # If we don't remove the contracts from `node-modules`, the | |
| # `etherscan-verify` plugins tries to verify them, which is not desired. | |
| - name: Prepare for verification on Etherscan | |
| run: | | |
| rm -rf ./node_modules/@keep-network/random-beacon/artifacts | |
| rm -rf ./node_modules/@keep-network/ecdsa/artifacts | |
| rm -rf ./node_modules/@keep-network/tbtc/artifacts | |
| - name: Verify contracts on Etherscan | |
| env: | |
| ETHERSCAN_API_KEY: ${{ secrets.ETHERSCAN_API_KEY }} | |
| CHAIN_API_URL: ${{ secrets.GOERLI_ETH_HOSTNAME_HTTP }} | |
| run: yarn run hardhat --network ${{ github.event.inputs.environment }} etherscan-verify | |
| # This job is responsible for publishing packackes with slightly modified | |
| # contracts. The modifications are there to help with the process of testing | |
| # some features on the T Token Dashboard. The job starts only if workflow | |
| # gets triggered by the `workflow_dispatch` event on the branch called | |
| # `dapp-development`. | |
| contracts-dapp-development-deployment-testnet: | |
| needs: [contracts-build-and-test] | |
| if: | | |
| github.event_name == 'workflow_dispatch' | |
| && github.ref == 'refs/heads/dapp-development' | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./solidity | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: "14.x" | |
| cache: "yarn" | |
| cache-dependency-path: solidity/yarn.lock | |
| registry-url: "https://registry.npmjs.org" | |
| # We need this step because the `@keep-network/tbtc` which we update in | |
| # next steps has a dependency to `@summa-tx/[email protected]` package, which | |
| # downloads one of its sub-dependencies via unathenticated `git://` | |
| # protocol. That protocol is no longer supported. Thanks to this step | |
| # `https://` is used instead of `git://`. This step also prevents the | |
| # error during `yarn install --frozen-lockfile` step in case `git://` gets | |
| # introduced to tbtc-v2's `yarn.lock`. | |
| - name: Configure git to don't use unauthenticated protocol | |
| run: git config --global url."https://".insteadOf git:// | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| - name: Get upstream packages versions | |
| uses: keep-network/ci/actions/upstream-builds-query@v2 | |
| id: upstream-builds-query | |
| with: | |
| upstream-builds: ${{ github.event.inputs.upstream_builds }} | |
| query: | | |
| random-beacon-contracts-version = github.com/keep-network/keep-core/random-beacon#version | |
| ecdsa-contracts-version = github.com/keep-network/keep-core/ecdsa#version | |
| - name: Resolve latest contracts | |
| run: | | |
| yarn upgrade \ | |
| @keep-network/random-beacon@${{ steps.upstream-builds-query.outputs.random-beacon-contracts-version }} \ | |
| @keep-network/ecdsa@${{ steps.upstream-builds-query.outputs.ecdsa-contracts-version }} \ | |
| @keep-network/tbtc@${{ github.event.inputs.environment }} | |
| - name: Deploy contracts | |
| env: | |
| CHAIN_API_URL: ${{ secrets.GOERLI_ETH_HOSTNAME_HTTP }} | |
| ACCOUNTS_PRIVATE_KEYS: ${{ secrets.DAPP_DEV_GOERLI_ETH_CONTRACT_OWNER_PRIVATE_KEY }} | |
| run: yarn deploy --network ${{ github.event.inputs.environment }} | |
| - name: Bump up package version | |
| id: npm-version-bump | |
| uses: keep-network/npm-version-bump@v2 | |
| with: | |
| work-dir: solidity | |
| environment: dapp-dev-${{ github.event.inputs.environment }} | |
| branch: ${{ github.ref }} | |
| commit: ${{ github.sha }} | |
| - name: Publish to npm | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| run: npm publish --access=public --tag dapp-development-${{ github.event.inputs.environment }} --network=${{ github.event.inputs.environment }} | |
| contracts-format: | |
| needs: contracts-detect-changes | |
| if: | | |
| github.event_name == 'push' | |
| || needs.contracts-detect-changes.outputs.path-filter == 'true' | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./solidity | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: "14.x" | |
| cache: "yarn" | |
| cache-dependency-path: solidity/yarn.lock | |
| # Below step is a workaround. Eslint executed in `solidity` directory | |
| # finds `.prettierrc.js` config in the root directory and fails if | |
| # referenced `@keep-network/prettier-config-keep` module is missing. | |
| - name: Install dependencies in the root directory | |
| run: | | |
| cd .. | |
| yarn install --frozen-lockfile | |
| # We need this step because the `@keep-network/tbtc` which we update in | |
| # next steps has a dependency to `@summa-tx/[email protected]` package, which | |
| # downloads one of its sub-dependencies via unathenticated `git://` | |
| # protocol. That protocol is no longer supported. Thanks to this step | |
| # `https://` is used instead of `git://`. | |
| - name: Configure git to don't use unauthenticated protocol | |
| run: git config --global url."https://".insteadOf git:// | |
| - name: Install dependencies | |
| run: yarn install | |
| - name: Build | |
| run: yarn build | |
| - name: Check formatting | |
| run: yarn format | |
| contracts-slither: | |
| needs: contracts-detect-changes | |
| if: | | |
| github.event_name == 'push' | |
| || needs.contracts-detect-changes.outputs.path-filter == 'true' | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./solidity | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: "14.x" | |
| cache: "yarn" | |
| cache-dependency-path: solidity/yarn.lock | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.10.8 | |
| - name: Install Solidity | |
| env: | |
| SOLC_VERSION: 0.8.9 # according to solidity.version in hardhat.config.ts | |
| run: | | |
| pip3 install solc-select | |
| solc-select install $SOLC_VERSION | |
| solc-select use $SOLC_VERSION | |
| - name: Install Slither | |
| env: | |
| SLITHER_VERSION: 0.8.3 | |
| run: pip3 install slither-analyzer==$SLITHER_VERSION | |
| # We need this step because the `@keep-network/tbtc` which we update in | |
| # next steps has a dependency to `@summa-tx/[email protected]` package, which | |
| # downloads one of its sub-dependencies via unathenticated `git://` | |
| # protocol. That protocol is no longer supported. Thanks to this step | |
| # `https://` is used instead of `git://`. | |
| - name: Configure git to don't use unauthenticated protocol | |
| run: git config --global url."https://".insteadOf git:// | |
| - name: Install dependencies | |
| run: yarn install | |
| - name: Run Slither | |
| run: slither --hardhat-artifacts-directory build . |