Stellar scaffold

.changeset/brown-walls-roll.md

@@ -0,0 +1,7 @@
+---
+'@openzeppelin/wizard-stellar': patch
+'@openzeppelin/wizard-common': patch
+'@openzeppelin/contracts-mcp': patch
+---
+
+Add tokenUri setting for stellar non fungible model

.github/actions/oidc/action.yaml

@@ -0,0 +1,45 @@
+---
+name: AWS OIDC Credentials via Role Assume Chaining
+description: Retrieve AWS credentials by chaining role assumes
+inputs:
+  role-for-oidc:
+    description: The role that should be used for GitHub OIDC authentication
+    required: true
+  role-to-assume:
+    description: The role that should be finally assumed
+    required: true
+  role-session-name:
+    description: The session name that should be used when assuming roles
+    required: true
+    default: github-actions
+  role-duration-seconds:
+    description: duration of the credentials validity
+    required: true
+    default: "3600"
+  aws-region:
+    description: The AWS region
+    required: false
+    default: us-east-1
+
+runs:
+  using: composite
+  steps:
+    - name: assume oidc role
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722  # v4.1.0
+      with:
+        aws-region: ${{ inputs.aws-region }}
+        role-to-assume: ${{ inputs.role-for-oidc }}
+        role-session-name: ${{ inputs.role-session-name }}
+        role-duration-seconds: 900
+    - name: assume target role
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722  # v4.1.0
+      id: assume-target-role
+      with:
+        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
+        aws-region: ${{ inputs.aws-region }}
+        role-chaining: true
+        role-to-assume: ${{ inputs.role-to-assume }}
+        role-session-name: ${{ inputs.role-session-name }}
+        role-duration-seconds: ${{ inputs.role-duration-seconds }}

.github/actions/prepare/action.yml

@@ -0,0 +1,22 @@
+---
+name: Cache
+description: Caches cargo dependencies
+inputs:
+  components:
+    description: Additional Rust components to install (comma separated). rustfmt and clippy are always included.
+    required: false
+    default: ''
+outputs:
+  cache-hit:
+    description: Cache Hit
+    value: ${{ steps.cache.outputs.cache-hit }}
+runs:
+  using: composite
+  steps:
+    - name: setup rust tool chain
+      uses: dtolnay/[email protected]  # v1.88.0
+      with:
+        components: ${{ (inputs.components != '') && format('{0}, rustfmt, clippy', inputs.components) || 'rustfmt, clippy' }}
+    - name: Restore cargo dependencies from cache
+      uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3  # v2.7.7
+      id: cache

.github/workflows/docker-prod.yaml

@@ -0,0 +1,102 @@
+name: (Production) Build and Deploy
+
+on:
+  push:
+    branches:
+      - stellar-scaffold
+      - master
+    # TODO enable
+    # paths:
+    # - "packages/ui/api/**"
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "Branch to build from"
+        required: true
+        default: master
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+      attestations: write
+      security-events: write
+    env:
+      REGISTRY: ${{ vars.DOCKER_REGISTRY }}
+      ROLE_FOR_OIDC: "${{ secrets.ROLE_FOR_OIDC }}"
+      ROLE_TO_ASSUME: "${{ secrets.ROLE_TO_ASSUME }}"
+      WIZARD_ORIGIN: https://wizard.openzeppelin.com
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+
+      - name: Set up AWS credentials via OIDC and role chaining
+        uses: ./.github/actions/oidc
+        with:
+          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
+          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Build and push Stellar API Docker image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        id: push
+        with:
+          context: ./packages/ui/api/stellar
+          file: ./packages/ui/api/stellar/Dockerfile.prod
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/wizard-api-prod:latest
+            ${{ env.REGISTRY }}/wizard-api-prod:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            WIZARD_ORIGIN=${{ env.WIZARD_ORIGIN }}
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build-and-push
+    env:
+      ROLE_FOR_OIDC: "${{ secrets.ROLE_FOR_OIDC }}"
+      ROLE_TO_ASSUME: "${{ secrets.ROLE_TO_ASSUME }}"
+      ECS_CLUSTER: ${{ vars.ECS_PRD_CLUSTER }}
+      ECS_SERVICE: ${{ vars.ECS_PRD_SERVICE }}
+      AWS_REGION: ${{ vars.AWS_REGION }}
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up AWS credentials via OIDC and role chaining
+        uses: ./.github/actions/oidc
+        with:
+          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
+          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+
+      - name: AWS ECS force new deployment
+        run: |
+          aws ecs update-service --cluster $ECS_CLUSTER --service $ECS_SERVICE --force-new-deployment --region $AWS_REGION

.github/workflows/docker-stg.yaml

@@ -0,0 +1,102 @@
+name: (Staging) Build and Deploy
+
+on:
+  push:
+    branches:
+      - stellar-scaffold
+      - master
+    # TODO enable
+    # paths:
+    #   - "packages/ui/api/**"
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "Branch to build from"
+        required: true
+        default: master
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+      attestations: write
+      security-events: write
+    env:
+      REGISTRY: ${{ vars.DOCKER_REGISTRY }}
+      ROLE_FOR_OIDC: "${{ secrets.ROLE_FOR_OIDC }}"
+      ROLE_TO_ASSUME: "${{ secrets.ROLE_TO_ASSUME }}"
+      WIZARD_ORIGIN: https://wizard-stg.openzeppelin.com
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+
+      - name: Set up AWS credentials via OIDC and role chaining
+        uses: ./.github/actions/oidc
+        with:
+          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
+          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Build and push Stellar API Docker image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        id: push
+        with:
+          context: ./packages/ui/api/stellar
+          file: ./packages/ui/api/stellar/Dockerfile.prod
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/wizard-api-stg:latest
+            ${{ env.REGISTRY }}/wizard-api-stg:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            WIZARD_ORIGIN=${{ env.WIZARD_ORIGIN }}
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build-and-push
+    env:
+      ROLE_FOR_OIDC: "${{ secrets.ROLE_FOR_OIDC }}"
+      ROLE_TO_ASSUME: "${{ secrets.ROLE_TO_ASSUME }}"
+      ECS_CLUSTER: ${{ vars.ECS_STG_CLUSTER }}
+      ECS_SERVICE: ${{ vars.ECS_STG_SERVICE }}
+      AWS_REGION: ${{ vars.AWS_REGION }}
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up AWS credentials via OIDC and role chaining
+        uses: ./.github/actions/oidc
+        with:
+          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
+          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+
+      - name: AWS ECS force new deployment
+        run: |
+          aws ecs update-service --cluster $ECS_CLUSTER --service $ECS_SERVICE --force-new-deployment --region $AWS_REGION