feat: add core smart contract CI and deploy workflows with environment configuration

Le-Caignec · Le-Caignec · commit 37261dbcbf71 · 2025-07-23T23:58:18.000+02:00
diff --git a/.github/workflows/core-smart-contract-ci.yml b/.github/workflows/core-smart-contract-ci.yml
@@ -0,0 +1,65 @@
+name: Core Smart Contract - Default
+
+on:
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'packages/smart-contract/**'
+  workflow_call:
+    inputs:
+      node-version:
+        description: Node.js version to use
+        required: true
+        type: number
+        default: 20
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node-version }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        working-directory: packages/smart-contract
+        run: npm ci
+
+      - name: Check Format
+        working-directory: packages/smart-contract
+        run: npm run check-format
+
+      - name: Check Lint
+        working-directory: packages/smart-contract
+        run: npm run lint
+
+      - name: Compile smart contracts
+        working-directory: packages/smart-contract
+        run: npm run compile
+
+      - name: Run Coverage
+        working-directory: packages/smart-contract
+        run: npm run coverage
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+            token: ${{ secrets.CODECOV_TOKEN }}
+            slug: iExecBlockchainComputing/dataprotector-sdk
+
+      - name: Run static analysis with slither
+        uses: crytic/slither-action@v0.4.1
+        with:
+          target: "packages/smart-contract/"
+          slither-args: --checklist --markdown-root ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/
+          fail-on: none # TODO set this to high or other
+          sarif: results.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/core-smart-contract-deploy.yml b/.github/workflows/core-smart-contract-deploy.yml
@@ -1,64 +1,54 @@
 name: Smart Contract Deploy
 
 on:
-  workflow_dispatch: # Manually trigger the workflow OR trigger with tags or releases ?
+  workflow_dispatch: # Manual trigger
     inputs:
-      target:
-        description: 'Deployment target (smart-contract-deploy-dev, smart-contract-deploy-staging, smart-contract-deploy-prod)'
+      network:
+        description: 'Network'
         required: true
         type: choice
         options:
-          - smart-contract-deploy-dev
-          - smart-contract-deploy-staging
-          - smart-contract-deploy-prod
-        default: smart-contract-deploy-dev
+          - hardhat
+          - avalancheFujiTestnet
+          - arbitrumSepolia
+          - arbitrum
+          - bellecour
+        default: 'hardhat'
+
+concurrency:
+  group: ${{ github.ref }}-core-smart-contract-ci
+  cancel-in-progress: true
 
 jobs:
+  build-and-test:
+    uses: ./.github/workflows/core-smart-contract-ci.yml
+    with:
+      node-version: 20
+
   deploy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
       - uses: actions/setup-node@v4
         with:
-          node-version: '18'
+          node-version: 20
+          cache: 'npm'
 
       - name: Install dependencies
         working-directory: packages/smart-contract
-        run: |
-          node -v
-          npm -v
-          npm ci
-
-      - name: Check code format
-        working-directory: packages/smart-contract
-        run: npm run check-format
-
-      - name: Run lint
-        working-directory: packages/smart-contract
-        run: npm run lint
-
-      - name: Compile smart contracts
-        working-directory: packages/smart-contract
-        run: npm run compile
-
-      - name: Run tests
-        working-directory: packages/smart-contract
-        run: npm run test
-
-      - name: Deploy to dev/staging
-        if: ${{ (github.event.inputs.target == 'smart-contract-deploy-dev' || github.event.inputs.target == 'smart-contract-deploy-staging') && startsWith(github.ref, 'refs/heads/main') }}
-        working-directory: packages/smart-contract
-        env:
-          WALLET_PRIVATE_KEY: ${{ secrets.DEPLOYER_DEV_PRIVATEKEY }}
-        run: npm run deploy -- --network bellecour
+        run: npm ci
 
-      - name: Deploy to prod
-        if: ${{ github.event.inputs.target == 'smart-contract-deploy-prod' && github.ref == 'refs/heads/main' }}
+      - name: Deploy contract
         working-directory: packages/smart-contract
         env:
-          WALLET_PRIVATE_KEY: ${{ secrets.DEPLOYER_PROD_PRIVATEKEY }}
-        run: npm run deploy -- --network bellecour
+          # For Deployment
+          RPC_URL: ${{ secrets.RPC_URL }}
+          DEPLOYER_PRIVATE_KEY: ${{ secrets.DEPLOYER_PRIVATE_KEY }}
+          DATASET_REGISTRY_ADDRESS: ${{ vars.DATASET_REGISTRY_ADDRESS }}
+          # For Verification
+          EXPLORER_API_KEY: ${{ secrets.EXPLORER_API_KEY }}
+        run: npm run deploy -- --network ${{ inputs.network }} --deployment-id ${{ inputs.network }} --verify
 
       - name: Update production environment
         if: ${{ github.event.inputs.target == 'smart-contract-deploy-prod' }}
@@ -90,7 +80,3 @@ jobs:
           # Configure the SSH key to secrets GitHub
           SSH_KEY: ${{ secrets.SSH_KEY_TEAM_PRODUCT_GITHUB_PUSH }}
         shell: bash
-
-      - name: Verify contract
-        working-directory: packages/smart-contract
-        run: npm run verify -- --network bellecour $(cat deployments/DataProtector/address) $(cat deployments/DataProtector/args)
diff --git a/packages/smart-contract/.env.template b/packages/smart-contract/.env.template
@@ -1,5 +1,5 @@
 # wallet used for transactions
-WALLET_PRIVATE_KEY=
+DEPLOYER_PRIVATE_KEY=
 
 # DatasetRegistry contract address override (deploy script only)
 DATASET_REGISTRY_ADDRESS=
@@ -10,5 +10,5 @@ RPC_URL=
 ## Mnemonic for the network
 MNEMONIC=
 
-## Arbiscan API key to verify contracts
-ARBISCAN_API_KEY=
+## API key to verify contracts
+EXPLORER_API_KEY=
diff --git a/packages/smart-contract/.nvmrc b/packages/smart-contract/.nvmrc
@@ -0,0 +1 @@
+20
diff --git a/packages/smart-contract/config/env.ts b/packages/smart-contract/config/env.ts
@@ -6,7 +6,7 @@ const privateKeyRegex = /(^|\b)(0x)?[0-9a-fA-F]{64}(\b|$)/;
 
 const envSchema = z.object({
     // Private key of the wallet used for transactions
-    WALLET_PRIVATE_KEY: z
+    DEPLOYER_PRIVATE_KEY: z
         .string()
         .regex(privateKeyRegex, 'Invalid private key format')
         .optional()
@@ -26,7 +26,7 @@ const envSchema = z.object({
     MNEMONIC: z.string().min(1, 'MNEMONIC cannot be empty').optional().or(z.literal('')),
 
     // Arbiscan API key
-    ARBISCAN_API_KEY: z.string().optional().or(z.literal('')),
+    EXPLORER_API_KEY: z.string().optional().or(z.literal('')),
 });
 
 export const env = envSchema.parse(process.env);
diff --git a/packages/smart-contract/hardhat.config.ts b/packages/smart-contract/hardhat.config.ts
@@ -2,19 +2,7 @@ import '@nomicfoundation/hardhat-toolbox';
 import { HardhatUserConfig } from 'hardhat/config';
 import { env } from './config/env';
 
-const privateKey = env.WALLET_PRIVATE_KEY;
-
-// Avalanche Fuji specific configuration
-const fujiBaseConfig = {
-    blockGasLimit: 8_000_000,
-    chainId: 43113,
-};
-
-// Arbitrum Sepolia specific configuration
-const arbitrumSepoliaBaseConfig = {
-    blockGasLimit: 30_000_000, // Arbitrum has higher block gas limits
-    chainId: 421614,
-};
+const privateKey = env.DEPLOYER_PRIVATE_KEY;
 
 const config: HardhatUserConfig = {
     networks: {
@@ -34,13 +22,15 @@ const config: HardhatUserConfig = {
         avalancheFuji: {
             url: env.RPC_URL || 'https://api.avax-test.network/ext/bc/C/rpc',
             accounts: privateKey ? [privateKey] : [],
-            ...fujiBaseConfig,
+            blockGasLimit: 8_000_000,
+            chainId: 43113,
         },
         // Add Arbitrum Sepolia as a network
         arbitrumSepolia: {
             url: env.RPC_URL || 'https://sepolia-rollup.arbitrum.io/rpc',
             accounts: privateKey ? [privateKey] : [],
-            ...arbitrumSepoliaBaseConfig,
+            blockGasLimit: 30_000_000, // Arbitrum has higher block gas limits
+            chainId: 421614,
         },
         // poco-chain native config
         'dev-native': {
@@ -57,7 +47,7 @@ const config: HardhatUserConfig = {
         apiKey: {
             bellecour: 'nothing', // a non-empty string is needed by the plugin.
             avalancheFuji: 'nothing', // a non-empty string is needed by the plugin.
-            arbitrumSepolia: env.ARBISCAN_API_KEY || '',
+            arbitrumSepolia: env.EXPLORER_API_KEY || '',
         },
         customChains: [
             {
diff --git a/packages/smart-contract/package.json b/packages/smart-contract/package.json
@@ -3,8 +3,9 @@
   "version": "0.1.0",
   "scripts": {
     "compile": "hardhat compile && npm run artifact-to-abis",
-    "deploy": "hardhat ignition deploy ignition/modules/DataProtector.ts --strategy create2",
     "test": "hardhat test",
+    "coverage": "hardhat coverage",
+    "deploy": "hardhat ignition deploy ignition/modules/DataProtector.ts --strategy create2",
     "artifact-to-abis": "node tools/artifacts-to-abis.mjs",
     "check-format": "prettier --loglevel warn 'contracts/**/*.sol' '**/*.ts' --check",
     "format": "prettier --loglevel warn 'contracts/**/*.sol' '**/*.ts' --write",
