Audit fixes #1852
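# This GitHub Action for the Certora Prover is licensed under the MIT License
# by Syndicate Labs
# No other files within this repository are licensed under the MIT License
# unless the MIT license is stated explicitly at the top of the file.
#
# This workflow runs Certora Prover checks
# on our smart contracts (located in `synd-contracts/src`).
# Certora specs contain our custom rules and this workflow ensures that our contracts adhere to
# those rules any time a change is made.
# https://www.certora.com/
#
# Security notes for maintainers:
#   - GitHub flagged this file as containing hidden or bidirectional Unicode
#     characters. Open it in an editor that reveals such characters and confirm
#     the text that runs is the text that was reviewed (Trojan Source risk)
#     before merging changes to it.
#   - The PR trigger is `pull_request`, not `pull_request_target`, so code from
#     a fork never executes with repository secrets. Keep it that way: for fork
#     PRs CERTORAKEY is simply absent and the prover step fails, which is the
#     safe failure mode.
#   - Every third-party action below is referenced by a mutable tag. For a
#     verification gate, pin each `uses:` to a full commit SHA (keeping the tag
#     in a trailing comment) so that a moved tag cannot change what runs.
name: Certora

on:
  push:
    branches: [main]
  # Only run on PRs that touch synd-contracts .sol and .spec files to avoid unnecessary CI runs.
  # `paths` applies to this trigger only; every push to main runs the workflow.
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review] # the first 3 are the defaults if you don't specify `types`
    paths:
      - "synd-contracts/src/**/*.sol"
      - "synd-contracts/certora/specs/**/*.spec"

# Least privilege for GITHUB_TOKEN: nothing in this workflow pushes, comments
# or publishes. Checkout (including submodules hosted in this repository) only
# needs read access, and Slack is reached through a webhook secret, not the token.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  # This also cancels an in-flight verification of `main` when a newer push
  # lands, so an older main commit may never receive a completed prover result.
  # If every main commit must be verified, use
  # `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` instead.
  cancel-in-progress: true

env:
  FOUNDRY_PROFILE: ci

jobs:
  ##############################################################################
  # This job is for running contract verification scripts on the production ####
  # installation of certora-cli ################################################
  ##############################################################################
  certora:
    # Skip draft PRs. On `push` there is no pull_request payload, so this
    # compares null == false; GitHub's loose comparison treats those as equal
    # and the job still runs for main.
    if: github.event.pull_request.draft == false
    name: Syndicate Certora Prover Run
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: synd-contracts
    strategy:
      # One prover run per conf file. `matrix.rule` is interpolated into a
      # shell command below, so keep this list static: never derive it from
      # event data (PR titles, branch names, issue bodies, ...).
      # Default fail-fast is in effect: the first failing rule cancels the
      # others. Set `fail-fast: false` if you want every rule's result.
      matrix:
        rule:
          - "SyndicateSequencingChain"
          - "AllowlistSequencingModule"
          - "AtomicSequencer"
          - "AtomicSequencerImplementation"
          - "AssertionPoster"
          - "TestnetSyndToken"
          - "RequireAndModule"
          - "RequireOrModule"
          - "WalletPoolWrapperModule"
          - "EmissionsCalculator"
          - "SyndStaking"
    steps:
      - name: Checkout repository
        # TODO(security): pin to a full commit SHA rather than the `v4` tag.
        uses: actions/checkout@v4
        with:
          submodules: recursive
      # Prerequisites for Certora Prover
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: "temurin"
          java-version: "21"
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # Selecting a toolchain either by action or manual `rustup` calls should
      # happen before the rust-cache plugin, as it uses the current rustc
      # version as its cache key
      - name: Setup Rust toolchain
        # NOTE(review): actions-rs/toolchain appears to be unmaintained
        # upstream; confirm before SHA-pinning it and consider a maintained
        # equivalent. `toolchain: stable` is also a moving target.
        uses: actions-rs/toolchain@v1
        with:
          profile: minimal
          toolchain: stable
      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
        with:
          # `stable` moves between runs; pin a specific release if reproducible
          # verification results matter.
          version: stable
      - name: Install Certora Prover
        # Versions are pinned but not hash-verified. For a stronger supply-chain
        # guarantee, generate a requirements file with hashes and install with
        # `pip install --require-hashes -r ...`.
        run: |
          pip3 install setuptools==75.8.2
          pip3 install certora-cli==7.29.1
      - name: Install dependencies
        run: forge install
      # Install solc
      - name: Install solc
        # solc-select itself is unpinned here; only the compiler version is pinned.
        run: |
          pipx install solc-select
          solc-select install 0.8.28
          solc-select use 0.8.28
          ls ~/.solc-select/artifacts/
          which solc
      - name: Verify synd-contracts Certora rules
        env:
          # Scoped to this step only. GitHub withholds repository secrets from
          # `pull_request` runs of fork PRs, so this is empty there and
          # certoraRun fails; do not "fix" that by switching to
          # pull_request_target.
          CERTORAKEY: ${{ secrets.CERTORAKEY }}
        run: certoraRun certora/conf/${{ matrix.rule }}.conf --wait_for_results=all
      # Needs to be the last job step
      - name: Notify Slack on Failure
        # Only notify for failures on the main branch (push events), not PRs.
        # (There is no workflow_run trigger in this workflow.)
        if: failure() && github.ref_name == 'main'
        uses: rtCamp/action-slack-notify@v2
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_COLOR: "danger"
          SLACK_MESSAGE: ":x: `${{github.workflow}}` failed on `main` branch. View failure information here: <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Workflow>"
          SLACK_TITLE: "*${{github.workflow}}* failed on `main` branch. Notify the author of the latest PR merged to `main`"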