feat: initial steps toward a monorepo

roderik · roderik · commit c24169ed6984 · 2024-06-25T11:47:08.000+02:00
feat: regular checkout for docker step

fix: demgrep fix

fix: improve security checks

fix: semgrepignore

fix: semgrep finding

fix: do not error on perfmance tips

fix: do not fail on perf checks

fix: fail and continue

feat: ensure builx is used

fix: buildx
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -2,9 +2,6 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:recommended",
-    ":automergeMinor",
-    ":automergePr",
-    ":automergeRequireAllStatusChecks",
     ":gitSignOff",
     ":pinVersions",
     ":semanticCommits",
@@ -15,14 +12,16 @@
     ":prHourlyLimitNone",
     "security:openssf-scorecard",
     "schedule:nonOfficeHours",
-    ":disableDependencyDashboard"
+    "group:all"
+  ],
+  "labels": [
+    "dependencies"
   ],
-  "labels": ["dependencies"],
   "rebaseWhen": "conflicted",
   "packageRules": [],
   "hostRules": [
     {
       "timeout": 3000000
     }
   ]
-}
+}
diff --git a/.github/scripts/comment.js b/.github/scripts/comment.js
@@ -0,0 +1,26 @@
+module.exports = async ({ github, context, header, body }) => {
+  const comment = [header, body].join("\n");
+
+  const { data: comments } = await github.rest.issues.listComments({
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    issue_number: context.payload.number,
+  });
+
+  const botComment = comments.find(
+    (comment) =>
+      // github-actions bot user
+      comment.user.id === 41898282 && comment.body.startsWith(header)
+  );
+
+  const commentFn = botComment ? "updateComment" : "createComment";
+
+  await github.rest.issues[commentFn]({
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    body: comment,
+    ...(botComment
+      ? { comment_id: botComment.id }
+      : { issue_number: context.payload.number }),
+  });
+};
diff --git a/.github/workflows/solidity.yml b/.github/workflows/solidity.yml
@@ -30,13 +30,203 @@ permissions:
   statuses: write
 
 jobs:
-  ci:
-    name: CI
-    uses: settlemint/smart-contracts-actions/.github/workflows/solidity.yml@main
-    secrets:
-      TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    with:
-      docker-image-name: solidity-empty
-      runs-on: solidity-empty
-      ignition-module: "ignition/modules/Counter.ts"
-      subgraph-contract-address-key: "CounterModule#Counter"
+  codescanning:
+    name: Code Scanning
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install canvas dependencies
+        run: |
+          apk update
+          apk add --no-cache cairo-dev jpeg-dev pango-dev giflib-dev build-base g++ pkgconfig
+
+      - name: Fetch semgrep rules
+        uses: actions/checkout@v4
+        with:
+          repository: decurity/semgrep-smart-contracts
+          path: rules
+
+      - run: semgrep ci --sarif --output=semgrep.sarif || true
+        env:
+          SEMGREP_RULES: rules/solidity/security rules/solidity/performance
+
+      - uses: crytic/slither-action@v0.4.0
+        id: slither
+        with:
+          sarif: slither.sarif
+          slither-args: --filter-paths "lib/" --filter-paths "node_modules/"
+          solc-version: 0.8.24
+          fail-on: none
+
+      - name: Upload findings to GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep.sarif
+        if: always()
+
+      - name: Upload findings to GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.slither.outputs.sarif }}
+        if: always()
+
+  test:
+    services:
+      foundry:
+        image: ghcr.io/settlemint/btp-anvil-test-node:latest
+        ports:
+          - '8545:8545'
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+        with:
+          version: nightly
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install Node dependencies
+        run: npm install
+
+      - name: Run Forge build
+        run: |
+          forge --version
+          forge build --sizes
+
+      - name: Run Hardhat build
+        run: |
+          npx hardhat compile
+
+      - name: Run Forge tests
+        run: |
+          forge test -vvv
+
+      - name: Run Hardhat test
+        run: |
+          npx hardhat test
+
+      - name: Setup LCOV
+        if: github.ref_name != 'main'
+        uses: hrishikesh-kadam/setup-lcov@v1
+
+      - name: Run Forge Coverage
+        if: github.ref_name != 'main'
+        run: |
+          forge coverage --report lcov --report summary
+        id: coverage
+
+      - name: Deploy to the local node
+        run: |
+          npx hardhat ignition deploy --network localhost ignition/modules/main.ts
+
+      - name: Install YQ
+        uses: alexellis/arkade-get@master
+        with:
+          print-summary: false
+          yq: latest
+
+      - name: Build the subgraph
+        run: |
+          if [ ! -d "subgraph" ] || [ -z "$(ls -A subgraph)" ]; then
+            echo "Subgraph directory is missing or empty"
+            exit 0
+          fi
+          npx graph-compiler --config subgraph/subgraph.config.json --include node_modules/@openzeppelin/subgraphs/src/datasources subgraph/datasources --export-schema --export-subgraph
+          yq -i e '.specVersion = "1.2.0"' generated/scs.subgraph.yaml
+          yq -i e '.features = ["nonFatalErrors", "fullTextSearch", "ipfsOnEthereumContracts"]' generated/scs.subgraph.yaml
+          yq -i e '.dataSources[].mapping.apiVersion = "0.0.7"' generated/scs.subgraph.yaml
+          yq -i e '.dataSources[].network = "localhost"' generated/scs.subgraph.yaml
+          yq -i e '.templates[].mapping.apiVersion = "0.0.7"' generated/scs.subgraph.yaml
+          yq -i e '.templates[].network = "localhost"' generated/scs.subgraph.yaml
+          npx graph codegen generated/scs.subgraph.yaml
+          npx graph build generated/scs.subgraph.yaml
+
+      - name: Report code coverage
+        if: github.ref_name != 'main'
+        uses: zgosalvez/github-actions-report-lcov@v4.1.10
+        with:
+          coverage-files: lcov.info
+          minimum-coverage: 90
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          update-comment: true
+
+  docker:
+    needs:
+      - test
+    name: Docker
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: docker_meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        id: build-and-push
+        with:
+          platforms: linux/amd64,linux/arm64
+          provenance: true
+          sbom: true
+          push: true
+          load: false
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
+          no-cache: true
+
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.docker_meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
diff --git a/.semgrepignore b/.semgrepignore
@@ -0,0 +1,25 @@
+# Common large paths
+node_modules/
+build/
+dist/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+.npm/
+.yarn/
+
+# Common test paths
+test/
+tests/
+*_test.go
+
+# Semgrep rules folder
+.semgrep
+
+# Semgrep-action log folder
+.semgrep_logs/
+
+# lib
+lib/
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
@@ -5,7 +5,7 @@
       "id": "deployment-module",
       "description": "Hardhat Ignition Module",
       "type": "promptString",
-      "default": "ignition/modules/Counter.ts"
+      "default": "ignition/modules/main.ts"
     },
     {
       "id": "extra-deployment",
@@ -100,4 +100,4 @@
       "problemMatcher": []
     }
   ],
-}
+}
diff --git a/contracts/Counter.sol b/contracts/Counter.sol
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.24;
 
 contract Counter {
     event CounterIncremented(uint256 indexed newValue);
@@ -11,7 +11,7 @@ contract Counter {
     }
 
     function increment() public {
-        number++;
+        ++number;
         emit CounterIncremented(number);
     }
 }
diff --git a/foundry.toml b/foundry.toml
@@ -22,11 +22,10 @@
   libs = ['node_modules', 'lib']
   test = 'test'
   cache_path  = 'cache_forge'
-  solc = "0.8.26"
+  solc = "0.8.24"
   optimizer = true
   optimizer_runs = 10_000
   gas_reports = ["*"]
   fuzz = { runs = 1_000 }
   auto_detect_solc = false
-  extra_output_files = [ "metadata" ]
-  fs_permissions = [{ access = "read", path = "./deployment-anvil.txt"}, { access = "read", path = "./deployment.txt"} ]
+  extra_output_files = [ "metadata" ]
diff --git a/hardhat.config.ts b/hardhat.config.ts
@@ -5,7 +5,7 @@ import type { HardhatUserConfig } from "hardhat/config";
 
 const config: HardhatUserConfig = {
   solidity: {
-    version: "0.8.26",
+    version: "0.8.24",
     settings: {
       optimizer: {
         enabled: true,
diff --git a/ignition/modules/main.ts b/ignition/modules/main.ts
diff --git a/test/Counter.t.sol b/test/Counter.t.sol
@@ -1,8 +1,8 @@
 // SPDX-License-Identifier: MIT
-pragma solidity 0.8.26;
+pragma solidity ^0.8.24;
 
-import { Test, console } from "forge-std/Test.sol";
-import { Counter } from "../contracts/Counter.sol";
+import {Test, console} from "forge-std/Test.sol";
+import {Counter} from "../contracts/Counter.sol";
 
 contract CounterTest is Test {
     Counter public counter;

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`"id": "deployment-module",`
`6`	`6`	`"description": "Hardhat Ignition Module",`
`7`	`7`	`"type": "promptString",`
`8`		`- "default": "ignition/modules/Counter.ts"`
	`8`	`+ "default": "ignition/modules/main.ts"`
`9`	`9`	`},`
`10`	`10`	`{`
`11`	`11`	`"id": "extra-deployment",`
`@@ -100,4 +100,4 @@`
`100`	`100`	`"problemMatcher": []`
`101`	`101`	`}`
`102`	`102`	`],`
`103`		`-}`
	`103`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`// SPDX-License-Identifier: MIT`
`2`		`-pragma solidity 0.8.26;`
	`2`	`+pragma solidity ^0.8.24;`
`3`	`3`
`4`	`4`	`contract Counter {`
`5`	`5`	`event CounterIncremented(uint256 indexed newValue);`
`@@ -11,7 +11,7 @@ contract Counter {`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`function increment() public {`
`14`		`- number++;`
	`14`	`+ ++number;`
`15`	`15`	`emit CounterIncremented(number);`
`16`	`16`	`}`
`17`	`17`	`}`