scroll-contracts/.github/workflows/contracts.yml at 40fa6173a28c800c9622d58e864a5a8989c13a00 · scroll-tech/scroll-contracts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
name: Contracts

on:
  push:
    branches:
      - main
    paths:
      - '**'
      - '.github/workflows/contracts.yaml'
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - ready_for_review
    paths:
      - '**'
      - '.github/workflows/contracts.yaml'

defaults:
  run:
    working-directory: '.'

jobs:
  foundry:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    permissions: {}

    steps:
      - name: Checkout sources
        uses: actions/checkout@v4
        with:
          submodules: recursive
          persist-credentials: false

      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
        with:
          version: nightly

      - name: Setup LCOV
        uses: hrishikesh-kadam/setup-lcov@6c1aa0cc9e1c02f9f58f01ac599f1064ccc83470 # v1

      - name: Install Node.js 18
        uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
        run: echo "::set-output name=dir::$(yarn cache dir)"

      - name: Cache yarn dependencies
        uses: actions/cache@v4
        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
        with:
          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
          key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-yarn-

      - name: Cache node_modules
        id: npm_cache
        uses: actions/cache@v4
        with:
          path: node_modules
          key: node_modules-${{ hashFiles('yarn.lock') }}

      - name: yarn install
        # if: steps.npm_cache.outputs.cache-hit != 'true'
        run: yarn install

      - name: Compile with foundry
        run: forge build --evm-version cancun

      - name: Run foundry tests
        run: forge test --evm-version cancun -vvv

      - name: Run foundry coverage
        run : forge coverage --evm-version cancun --report lcov

      - name : Prune coverage
        run : lcov --rc branch_coverage=1 --remove ./lcov.info -o ./lcov.info.pruned 'src/mocks/*' 'src/test/*' 'scripts/*' 'node_modules/*' 'lib/*' --ignore-errors unused,unused

      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
          files: lcov.info.pruned
          flags: contracts

  hardhat:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    permissions: {}

    steps:
      - name: Checkout sources
        uses: actions/checkout@v4
        with:
          submodules: recursive
          persist-credentials: false

      - name: Install Node.js 18
        uses: actions/setup-node@v4
        with:
          node-version: '18'

      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
        run: echo "::set-output name=dir::$(yarn cache dir)"

      - name: Cache yarn dependencies
        uses: actions/cache@v4
        id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
        with:
          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
          key: ${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-yarn-

      - name: Cache node_modules
        id: npm_cache
        uses: actions/cache@v4
        with:
          path: node_modules
          key: node_modules-${{ hashFiles('yarn.lock') }}

      - name: yarn install
        # if: steps.npm_cache.outputs.cache-hit != 'true'
        run: yarn install

      - name: Compile with hardhat
        run: npx hardhat compile

      - name: Run hardhat tests
        run: npx hardhat test

  slither:
    if: github.event.pull_request.draft == false
    needs: foundry
    runs-on: ubuntu-latest
    permissions:
      statuses: write
      security-events: write

    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: '18'

      - run: yarn install --frozen-lockfile

      - uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
        with:
          version: nightly

      - name: Build contracts
        run: forge build --build-info --out out --evm-version cancun

      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - run: |
          python -m pip install --upgrade pip
          pip install slither-analyzer==0.11.3

      - name: Run Slither (High severity gate)
        run: |
          slither . \
            --filter-paths "src/test/*|src/mocks/*|scripts/*|node_modules" \
            --foundry-out-directory out \
            --exclude-dependencies \
            --exclude-medium \
            --exclude-low \
            --exclude-informational \
            --fail-high \
            --json slither-report.json \
            --markdown-root slither-report.md

      - uses: actions/upload-artifact@v4
        with:
          name: slither-static-analysis
          path: |
            slither-report.json
            slither-report.md