1826618f12
Some checks failed
CI/CD Pipeline / Solidity Contracts (pull_request) Failing after 47s
CI/CD Pipeline / Security Scanning (pull_request) Successful in 1m22s
CI/CD Pipeline / Lint and Format (pull_request) Failing after 15s
CI/CD Pipeline / Terraform Validation (pull_request) Failing after 10s
CI/CD Pipeline / Kubernetes Validation (pull_request) Successful in 10s
Validation / validate-genesis (pull_request) Successful in 9s
Validation / validate-terraform (pull_request) Failing after 10s
Validation / validate-kubernetes (pull_request) Failing after 2s
Validation / validate-smart-contracts (pull_request) Failing after 3s
Validation / validate-security (pull_request) Successful in 1m54s
Validation / validate-documentation (pull_request) Failing after 5s
Tag @0.28.0 does not exist in act-runner's reference resolution
("Unable to resolve 0.28.0: reference not found"). Use @master and
rely on the 'version: v0.51.1' input to pin the Trivy binary so the
installer still skips api.github.com releases/latest.
Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>
191 lines
5.4 KiB
YAML
191 lines
5.4 KiB
YAML
name: CI/CD Pipeline
|
|
|
|
on:
|
|
push:
|
|
branches: [ main, develop ]
|
|
pull_request:
|
|
branches: [ main, develop ]
|
|
|
|
env:
|
|
SOLIDITY_VERSION: "0.8.19"
|
|
FOUNDRY_VERSION: "nightly"
|
|
|
|
jobs:
|
|
# Compile and test Solidity contracts
|
|
solidity:
|
|
name: Solidity Contracts
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Foundry
|
|
uses: foundry-rs/foundry-toolchain@v1
|
|
with:
|
|
version: ${{ env.FOUNDRY_VERSION }}
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
# Install OpenZeppelin if needed (for contracts requiring it)
|
|
# Note: New WETH contracts (WETH10, CCIPWETH9Bridge, CCIPWETH10Bridge) are independent
|
|
# Existing CCIP contracts (CCIPSender, CCIPRouter, etc.) require OpenZeppelin
|
|
if [ -d ".git" ]; then
|
|
forge install OpenZeppelin/openzeppelin-contracts --no-commit || echo "OpenZeppelin may already be installed or git not initialized"
|
|
else
|
|
echo "Git not initialized - skipping OpenZeppelin installation"
|
|
echo "Note: Contracts requiring OpenZeppelin will not compile"
|
|
fi
|
|
|
|
- name: Compile contracts
|
|
run: forge build
|
|
|
|
- name: Run tests
|
|
run: forge test --gas-report
|
|
|
|
- name: Run Slither
|
|
run: |
|
|
pip install slither-analyzer
|
|
chmod +x scripts/security/slither-scan.sh
|
|
./scripts/security/slither-scan.sh || true
|
|
continue-on-error: true
|
|
|
|
- name: Run Mythril
|
|
run: |
|
|
pip install mythril
|
|
chmod +x scripts/security/mythril-scan.sh
|
|
./scripts/security/mythril-scan.sh || true
|
|
continue-on-error: true
|
|
|
|
- name: Run SolidityScan
|
|
if: ${{ secrets.SOLIDITYSCAN_API_KEY != '' }}
|
|
run: |
|
|
pip install solidityscan
|
|
solidityscan --api-key ${{ secrets.SOLIDITYSCAN_API_KEY }} --project-path . || true
|
|
continue-on-error: true
|
|
env:
|
|
SOLIDITYSCAN_API_KEY: ${{ secrets.SOLIDITYSCAN_API_KEY }}
|
|
|
|
- name: Upload Slither reports
|
|
uses: actions/upload-artifact@v4
|
|
if: always()
|
|
with:
|
|
name: slither-reports
|
|
path: reports/slither/
|
|
|
|
- name: Upload Mythril reports
|
|
uses: actions/upload-artifact@v4
|
|
if: always()
|
|
with:
|
|
name: mythril-reports
|
|
path: reports/mythril/
|
|
|
|
# Security scanning
|
|
security:
|
|
name: Security Scanning
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Run Trivy container scan
|
|
uses: aquasecurity/trivy-action@master
|
|
env:
|
|
# Avoid "Bad credentials" from GitHub API when the runner's
|
|
# GITHUB_TOKEN is a Gitea token. Pin trivy binary so installer
|
|
# does not hit api.github.com releases/latest.
|
|
GITHUB_TOKEN: ""
|
|
with:
|
|
version: v0.51.1
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
continue-on-error: true
|
|
|
|
- name: Upload Trivy results
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
if: always()
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
continue-on-error: true
|
|
|
|
- name: Run Snyk security scan
|
|
uses: snyk/actions/setup@master
|
|
continue-on-error: true
|
|
|
|
- name: Snyk test
|
|
uses: snyk/actions/node@master
|
|
env:
|
|
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
|
continue-on-error: true
|
|
with:
|
|
args: --severity-threshold=high
|
|
|
|
# Lint and format check
|
|
lint:
|
|
name: Lint and Format
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Foundry
|
|
uses: foundry-rs/foundry-toolchain@v1
|
|
with:
|
|
version: ${{ env.FOUNDRY_VERSION }}
|
|
|
|
- name: Check formatting
|
|
run: forge fmt --check
|
|
|
|
- name: Lint YAML files
|
|
uses: ibiqlik/action-yamllint@v3
|
|
with:
|
|
file_or_dir: .
|
|
config_file: .yamllint.yml
|
|
continue-on-error: true
|
|
|
|
# Terraform validation
|
|
terraform:
|
|
name: Terraform Validation
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install unzip (act-runner image may lack it)
|
|
run: |
|
|
if ! command -v unzip >/dev/null 2>&1; then
|
|
sudo apt-get update && sudo apt-get install -y unzip
|
|
fi
|
|
|
|
- name: Setup Terraform
|
|
uses: hashicorp/setup-terraform@v3
|
|
with:
|
|
terraform_version: "1.6.0"
|
|
|
|
- name: Terraform Init
|
|
working-directory: terraform
|
|
run: terraform init -backend=false
|
|
|
|
- name: Terraform Validate
|
|
working-directory: terraform
|
|
run: terraform validate
|
|
|
|
- name: Terraform Format Check
|
|
working-directory: terraform
|
|
run: terraform fmt -check
|
|
|
|
# Kubernetes manifest validation
|
|
kubernetes:
|
|
name: Kubernetes Validation
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install kubectl
|
|
uses: azure/setup-kubectl@v3
|
|
|
|
- name: Validate Kubernetes manifests
|
|
run: |
|
|
for file in $(find k8s helm -name "*.yaml" -o -name "*.yml"); do
|
|
echo "Validating $file"
|
|
kubectl apply --dry-run=client -f "$file" || true
|
|
done
|
|
continue-on-error: true
|