smom-dbis-138/.github/workflows/validation.yml

name: Validation

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  workflow_dispatch:

jobs:
  validate-genesis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Install jq
        run: sudo apt-get update && sudo apt-get install -y jq
      
      - name: Validate genesis file
        run: ./scripts/validation/validate-genesis.sh
  
  validate-terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Install unzip (act-runner image may lack it)
        run: |
          if ! command -v unzip >/dev/null 2>&1; then
            sudo apt-get update && sudo apt-get install -y unzip
          fi
      
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
      
      - name: Terraform Format Check
        run: |
          cd terraform
          terraform fmt -check
      
      - name: Terraform Validate
        run: |
          cd terraform
          terraform init -backend=false
          terraform validate
      
      - name: Terraform Security Scan
        uses: bridgecrewio/checkov-action@master
        with:
          directory: terraform
          framework: terraform
  
  validate-kubernetes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Install kubectl
        uses: azure/setup-kubectl@v3
      
      - name: Validate Kubernetes manifests
        run: |
          kubectl apply --dry-run=client -f k8s/base/namespace.yaml
          kubectl apply --dry-run=client -f k8s/base/validators/statefulset.yaml
          kubectl apply --dry-run=client -f k8s/base/sentries/statefulset.yaml
          kubectl apply --dry-run=client -f k8s/base/rpc/statefulset.yaml
      
      - name: Kubernetes Security Scan
        uses: ludovico85/kube-score-action@v1
        with:
          path: k8s
  
  validate-smart-contracts:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
      
      - name: Run tests
        run: forge test
      
      - name: Run fuzz tests
        run: forge test --fuzz-runs 1000
      
      - name: Check formatting
        run: forge fmt --check
      
      - name: Smart Contract Security Scan
        uses: crytic/slither-action@v0.10.0
        with:
          target: 'contracts'
  
  validate-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Container Security Scan
        uses: aquasecurity/trivy-action@0.28.0
        env:
          # Avoid "Bad credentials" from GitHub API when the runner's
          # GITHUB_TOKEN is a Gitea token. Pin version to skip the lookup.
          GITHUB_TOKEN: ""
        with:
          version: v0.51.1
          scan-type: 'image'
          image-ref: 'hyperledger/besu:23.10.0'
          format: 'sarif'
          output: 'trivy-results.sarif'
        continue-on-error: true
      
      - name: Upload Trivy results
        # Gitea does not host GitHub code-scanning; don't fail the job.
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
        continue-on-error: true
  
  validate-documentation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Check documentation
        run: |
          # Check if all required documentation exists
          test -f README.md || exit 1
          test -f CONTRIBUTING.md || exit 1
          test -f CHANGELOG.md || exit 1
          test -f docs/DEPLOYMENT.md || exit 1
          test -f docs/ARCHITECTURE.md || exit 1
          test -f docs/SECURITY.md || exit 1