iExecBlockchainComputing
diff --git a/‎.github/workflows/README.md‎
Lines changed: 185 additions & 0 deletions b/‎.github/workflows/README.md‎
Lines changed: 185 additions & 0 deletions
diff --git a/‎.github/workflows/deployment/01-deploy-dapp-contract.yml‎
Lines changed: 143 additions & 0 deletions b/‎.github/workflows/deployment/01-deploy-dapp-contract.yml‎
Lines changed: 143 additions & 0 deletions
diff --git a/‎.github/workflows/deployment/02-push-dapp-secret.yml‎
Lines changed: 55 additions & 0 deletions b/‎.github/workflows/deployment/02-push-dapp-secret.yml‎
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,185 @@
+# GitHub Workflows - Web3Telegram SDK
+
+Complete documentation of GitHub Actions workflows for the Web3Telegram SDK project.
+
+## 📋 Overview
+
+The project uses 3 categories of workflows:
+
+- **SDK** : CI, build, NPM publication of the SDK
+- **DApp** : CI and application deployment
+- **Release** : Version management and releases
+
+## 🚀 SDK Workflows
+
+### `sdk-ci.yml`
+
+**SDK CI** - Automatic validation on every PR
+
+- **Trigger** : Pull Request on `src/`, `tests/`, configs
+- **Actions** : Lint, unit tests, TypeScript build
+- **Concurrency** : Cancels previous runs
+
+### `sdk-npm-publish.yml`
+
+**Manual NPM Publication** - Deploy to NPM
+
+- **Trigger** : `workflow_dispatch`
+- **Inputs** : `tag` (latest/nightly)
+- **Restriction** : `main` branch only
+
+### `sdk-release.yml`
+
+**Automatic NPM Publication** - Official release
+
+- **Trigger** : Tag `web3telegram-v*`
+- **Action** : Publication with `latest` tag
+
+### `reusable-sdk-npm.yml`
+
+**Reusable Workflow** - Template for NPM publication
+
+- **Type** : `workflow_call`
+- **Usage** : Used by `sdk-npm-publish.yml` and `sdk-release.yml`
+
+## 🏗️ DApp Workflows
+
+### `dapp-ci.yml`
+
+**Application CI** - DApp code validation
+
+- **Trigger** : Pull Request on `dapp/`
+- **Actions** : Lint, tests, validation
+
+### `deployment/deployment-dapp-ci.yml`
+
+**Deployment CI** - Deployment scripts validation
+
+- **Trigger** : Pull Request on `deployment-dapp/`
+- **Actions** : Lint, TypeScript scripts tests
+
+## 🚀 Deployment Workflows
+
+### `deployment/dapp-deploy.yml` (Main)
+
+**Complete Deployment**
+
+- **Trigger** : `workflow_dispatch`
+- **Inputs** : `environment` (bellecour-dev, arbitrum-sepolia-dev, etc.)
+- **Process** :
+  1. Docker build + Sconify
+  2. Contract deployment
+  3. Push secrets
+  4. Publish sell order
+  5. Whitelist
+  6. ENS configuration
+
+### `deployment/01-deploy-dapp-contract.yml`
+
+**Contract Deployment** - Deploy the smart contract
+
+- **Trigger** : `workflow_dispatch`
+- **Inputs** : `environment`, `docker_image_tag`, `checksum`, `fingerprint`
+- **Outputs** : `app_address`
+
+### `deployment/02-push-dapp-secret.yml`
+
+**Push Secrets** - Push secrets to SMS (Secret Management Service)
+
+- **Trigger** : `workflow_dispatch`
+- **Inputs** : `environment`, `app_address`
+
+### `deployment/03-publish-sell-order.yml`
+
+**Sell Order** - Publish a free sell order
+
+- **Trigger** : `workflow_dispatch`
+- **Inputs** : `environment`, `app_address`, `price`, `volume`
+
+### `deployment/04-add-resource-whitelist.yml`
+
+**Whitelist** - Add app to a whitelist already deployed on whitelist-smartcontract repo and transfer ownership to web3telegram wallet
+
+- **Trigger** : `workflow_dispatch`
+- **Inputs** : `environment`, `app_address`, `whitelist_contract_address`
+
+### `deployment/05-configure-ens.yml`
+
+**ENS Configuration** - Configure ENS name (only on bellecour environment)
+
+- **Trigger** : `workflow_dispatch`
+- **Inputs** : `environment`, `app_address`, `ens_name`
+
+## 📦 Release Workflows
+
+### `release.yml`
+
+**Release Please** - Automatic version management
+
+- **Trigger** : Push on `main`
+- **Action** : Automatic release PR creation
+
+### `conventional-commits.yml`
+
+**Commit Validation** - Check conventional commits
+
+- **Trigger** : Pull Request
+- **Action** : Commit format validation
+
+## 🎯 Usage
+
+### Complete Deployment
+
+```bash
+gh workflow run deployment/dapp-deploy.yml -f environment=bellecour-dev
+```
+
+### SDK Publication
+
+```bash
+# Manual publication
+gh workflow run sdk-npm-publish.yml -f tag=nightly
+
+# Automatic publication (via tag)
+git tag web3telegram-v1.0.0
+git push origin web3telegram-v1.0.0
+```
+
+## 🔧 Environments
+
+| Environment             | Network           | Usage           |
+| ----------------------- | ----------------- | --------------- |
+| `bellecour-dev`         | Bellecour Testnet | Development     |
+| `arbitrum-sepolia-dev`  | Arbitrum Sepolia  | Testing         |
+| `bellecour-prod`        | Bellecour Mainnet | Production      |
+| `arbitrum-sepolia-prod` | Arbitrum Sepolia  | Production test |
+| `arbitrum-prod`         | Arbitrum Mainnet  | Production      |
+
+## 📁 Structure
+
+```
+.github/workflows/
+├── sdk-ci.yml                    # SDK CI
+├── sdk-npm-publish.yml          # Manual NPM publication
+├── sdk-release.yml              # Automatic NPM publication
+├── reusable-sdk-npm.yml         # NPM template
+├── dapp-ci.yml                  # DApp CI
+├── release.yml                  # Release Please
+├── conventional-commits.yml     # Commit validation
+└── deployment/                  # Deployment workflows
+    ├── dapp-deploy.yml          # Main orchestrator
+    ├── 01-deploy-dapp-contract.yml
+    ├── 02-push-dapp-secret.yml
+    ├── 03-publish-sell-order.yml
+    ├── 04-add-resource-whitelist.yml
+    ├── 05-configure-ens.yml
+    └── deployment-dapp-ci.yml   # Deployment CI
+```
+
+## ⚡ Benefits
+
+- **Modularity** : Each step can be executed independently
+- **Recovery** : In case of failure, restart only the concerned step
+- **Flexibility** : Reusable and configurable workflows
+- **Security** : Automatic validation and separate environments
+- **Traceability** : Detailed logs for each step
@@ -0,0 +1,143 @@
+name: 01-deploy-dapp-contract
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Deployment environment'
+        required: true
+        type: choice
+        options:
+          # dev environments
+          - bellecour-dev
+          - arbitrum-sepolia-dev
+          # prod environments (requires a tag starting with dapp-v)
+          - bellecour-prod
+          - arbitrum-sepolia-prod
+          - arbitrum-prod
+      # Optional inputs for manual override
+      docker_image_tag:
+        description: 'Docker image tag (if not provided, will build from scratch)'
+        required: false
+        type: string
+      checksum:
+        description: 'Docker image checksum (if not provided, will build from scratch)'
+        required: false
+        type: string
+      fingerprint:
+        description: 'Docker image fingerprint (if not provided, will build from scratch)'
+        required: false
+        type: string
+
+jobs:
+  extract-tag:
+    runs-on: ubuntu-latest
+    outputs:
+      clean_tag: ${{ steps.tag.outputs.clean_tag }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Check and extract tag
+        id: tag
+        run: |
+          if [[ "${{ github.event.inputs.environment }}" == *-prod ]]; then
+            if [[ "${GITHUB_REF}" != refs/tags/dapp-v* ]]; then
+              echo "Error: The ref must be a tag starting with 'dapp-v' for production deployments."
+              exit 1
+            fi
+            TAG=${GITHUB_REF#refs/tags/dapp-v}-$(date +%s)
+            echo "clean_tag=${TAG}" | tee -a $GITHUB_OUTPUT
+          else
+            echo "clean_tag=dev" | tee -a $GITHUB_OUTPUT
+          fi
+
+  docker-publish:
+    if: ${{ !github.event.inputs.docker_image_tag }}
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
+    needs: [extract-tag]
+    with:
+      image-name: 'iexechub/web3telegram-dapp'
+      registry: 'docker.io'
+      dockerfile: 'dapp/Dockerfile'
+      context: 'dapp'
+      security-scan: true
+      security-report: 'sarif'
+      hadolint: true
+      push: true
+      image-tag: ${{ needs.extract-tag.outputs.clean_tag }}
+    secrets:
+      username: ${{ secrets.DOCKERHUB_USERNAME }}
+      password: ${{ secrets.DOCKERHUB_PAT }}
+
+  sconify:
+    if: ${{ !github.event.inputs.docker_image_tag }}
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
+    needs: [docker-publish, extract-tag]
+    with:
+      image-name: 'iexechub/web3telegram-dapp'
+      image-tag: ${{ needs.extract-tag.outputs.clean_tag }}
+      sconify-debug: false
+      sconify-prod: true
+      docker-registry: docker.io
+      sconify-version: ${{ vars.SCONIFY_VERSION }}
+      binary: /usr/local/bin/node
+      command: node
+      host-path: |
+        /etc/hosts
+        /etc/resolv.conf
+      binary-fs: true
+      fs-dir: /app
+      heap: 1G
+      dlopen: 1
+      mprotect: 0
+    secrets:
+      docker-username: ${{ secrets.DOCKERHUB_USERNAME }}
+      docker-password: ${{ secrets.DOCKERHUB_PAT }}
+      scontain-username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
+      scontain-password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
+      scone-signing-key: ${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}
+
+  deploy-dapp:
+    needs: [extract-tag, sconify]
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    outputs:
+      app_address: ${{ steps.deploy.outputs.app_address }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.19.0'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: |
+          npm ci
+          cd node_modules/whitelist-smart-contract
+          npm install --save-dev ts-node
+          cd ../../deployment-dapp
+          npm ci
+
+      - name: Deploy dapp contract
+        id: deploy
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_APP_OWNER_PRIVATEKEY }}
+          DOCKER_IMAGE_TAG: ${{ github.event.inputs.docker_image_tag || needs.sconify.outputs.prod-image-tag }}
+          CHECKSUM: ${{ github.event.inputs.checksum || needs.sconify.outputs.prod-checksum }}
+          FINGERPRINT: ${{ github.event.inputs.fingerprint || needs.sconify.outputs.prod-mrenclave }}
+          RPC_URL: ${{ secrets.RPC_URL }}
+          SCONIFY_VERSION: ${{ vars.SCONIFY_VERSION }}
+        run: |
+          cd deployment-dapp
+          npm run deploy-dapp
+          echo "app_address=$(cat .app-address)" >> $GITHUB_OUTPUT
+
+      - name: Upload app address artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-address
+          path: deployment-dapp/.app-address
+          retention-days: 30
@@ -0,0 +1,55 @@
+name: 02-push-dapp-secret.yml
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Deployment environment'
+        required: true
+        type: choice
+        options:
+          # dev environments
+          - bellecour-dev
+          - arbitrum-sepolia-dev
+          # prod environments
+          - bellecour-prod
+          - arbitrum-sepolia-prod
+          - arbitrum-prod
+      app_address:
+        description: 'App contract address'
+        required: true
+        type: string
+
+jobs:
+  push-secret:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.19.0'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: |
+          npm ci
+          cd deployment-dapp
+          npm ci
+
+      - name: Create app address file
+        run: |
+          echo "${{ inputs.app_address }}" > deployment-dapp/.app-address
+          echo "Using app address: ${{ inputs.app_address }}"
+
+      - name: Push dapp secret
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_APP_OWNER_PRIVATEKEY }}
+          TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}
+          RPC_URL: ${{ secrets.RPC_URL }}
+        run: |
+          cd deployment-dapp
+          npm run push-dapp-secret