solidity.yml

name: Solidity

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
    tags:
      - "v*"

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  actions: write
  checks: write
  contents: write
  deployments: write
  id-token: write
  issues: write
  discussions: write
  packages: write
  pages: write
  pull-requests: write
  repository-projects: write
  security-events: write
  statuses: write

jobs:
  codescanning:
    name: Code Scanning
    #runs-on: ubuntu-latest
    runs-on: namespace-profile-btp-scs
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Install canvas dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev

      - uses: crytic/slither-action@v0.4.0
        id: slither
        with:
          sarif: slither.sarif
          slither-args: --filter-paths "lib/" --filter-paths "node_modules/"
          solc-version: ${{ vars.SOL_VERSION || '0.8.27' }}
          fail-on: none

      - name: Upload findings to GitHub Advanced Security Dashboard
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.slither.outputs.sarif }}
        if: always()

  test:
    services:
      foundry:
        image: ghcr.io/settlemint/btp-anvil-test-node:latest
        ports:
          - '8545:8545'
    name: Build Set
    #runs-on: ubuntu-latest
    runs-on: namespace-profile-btp-scs
    steps:
      - name: Checkout
        uses: namespacelabs/nscloud-checkout-action@v5
        with:
          submodules: recursive
          token: ${{ secrets.PAT_TOKEN }}

      - name: Setup caches
        uses: namespacelabs/nscloud-cache-action@v1
        with:
          path: |
            ./node_modules
            ~/.npm
            ~/.bun/install/cache

      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
        with:
          version: nightly

      - uses: actions/setup-node@v4
        with:
          node-version: 22

      - uses: oven-sh/setup-bun@v2

      - name: Install Node dependencies
        run: bun install

      - name: Install circom
        if: github.repository == 'settlemint/solidity-zeto'
        run: |
          curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh -s -- -y
          git clone https://github.com/iden3/circom.git
          cd circom
          cargo build --release
          cargo install --path circom

      - name: Install snarkjs
        if: github.repository == 'settlemint/solidity-zeto'
        run: |
          bun install -g snarkjs@latest

      - name: Install zeto
        if: github.repository == 'settlemint/solidity-zeto'
        run: |
          git clone https://github.com/victoryeo/zeto.git
          cd zeto
          cd zkp/circuits
          bun install
          cd ..
          circom circuits/anon_enc_nullifier.circom --output ./js/lib --sym --wasm
          circom circuits/anon_enc.circom --output ./js/lib --sym --wasm
          circom circuits/anon_nullifier.circom --output ./js/lib --sym --wasm
          circom circuits/anon.circom --output ./js/lib --sym --wasm
          circom circuits/check-nullifiers.circom --output ./js/lib --sym --wasm
          circom circuits/nf_anon_nullifier.circom --output ./js/lib --sym --wasm
          circom circuits/nf_anon.circom --output ./js/lib --sym --wasm

      - name: Create folders
        if: github.repository == 'settlemint/solidity-zeto'
        run: |
          mkdir -p ./zeto/proving-keys
          mkdir -p ./zeto/contracts-lib

      - name: Download ptau
        if: github.repository == 'settlemint/solidity-zeto'
        working-directory: zeto/proving-keys/
        run: |
          wget -nv https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_12.ptau
          wget -nv https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_13.ptau
          wget -nv https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_16.ptau
          wget -nv https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_11.ptau
          wget -nv https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_15.ptau

      - name: Generate R1CS circuit format
        if: github.repository == 'settlemint/solidity-zeto'
        working-directory: zeto/zkp/
        run: |
          circom circuits/anon_enc_nullifier.circom --output ../proving-keys --r1cs
          circom circuits/anon_enc.circom --output ../proving-keys --r1cs
          circom circuits/anon_nullifier.circom --output ../proving-keys --r1cs
          circom circuits/anon.circom --output ../proving-keys --r1cs
          circom circuits/check-nullifiers.circom --output ../proving-keys --r1cs
          circom circuits/nf_anon_nullifier.circom --output ../proving-keys --r1cs
          circom circuits/nf_anon.circom --output ../proving-keys --r1cs

      - name: Generate proving keys
        if: github.repository == 'settlemint/solidity-zeto'
        working-directory: zeto/zkp/
        run: |
          snarkjs groth16 setup ../proving-keys/anon.r1cs ../proving-keys/powersOfTau28_hez_final_12.ptau ../proving-keys/anon.zkey
          snarkjs groth16 setup ../proving-keys/anon_enc.r1cs ../proving-keys/powersOfTau28_hez_final_13.ptau ../proving-keys/anon_enc.zkey
          snarkjs groth16 setup ../proving-keys/anon_nullifier.r1cs ../proving-keys/powersOfTau28_hez_final_16.ptau ../proving-keys/anon_nullifier.zkey
          snarkjs groth16 setup ../proving-keys/anon_enc_nullifier.r1cs ../proving-keys/powersOfTau28_hez_final_16.ptau ../proving-keys/anon_enc_nullifier.zkey
          snarkjs groth16 setup ../proving-keys/nf_anon.r1cs ../proving-keys/powersOfTau28_hez_final_11.ptau ../proving-keys/nf_anon.zkey
          snarkjs groth16 setup ../proving-keys/nf_anon_nullifier.r1cs ../proving-keys/powersOfTau28_hez_final_15.ptau ../proving-keys/nf_anon_nullifier.zkey

      - name: Per-circuit set up ceremony on proving keys
        if: github.repository == 'settlemint/solidity-zeto'
        working-directory: zeto/zkp/
        run: |
          snarkjs zkey contribute ../proving-keys/anon.zkey ../proving-keys/anon_new.zkey --name="contribution" -v -e="random entropy"
          snarkjs zkey contribute ../proving-keys/anon_enc.zkey ../proving-keys/anon_enc_new.zkey --name="contribution" -v -e="random entropy"
          snarkjs zkey contribute ../proving-keys/anon_nullifier.zkey ../proving-keys/anon_nullifier_new.zkey --name="contribution" -v -e="random entropy"
          snarkjs zkey contribute ../proving-keys/anon_enc_nullifier.zkey ../proving-keys/anon_enc_nullifier_new.zkey --name="contribution" -v -e="random entropy"
          snarkjs zkey contribute ../proving-keys/nf_anon.zkey ../proving-keys/nf_anon_new.zkey --name="contribution" -v -e="random entropy"
          snarkjs zkey contribute ../proving-keys/nf_anon_nullifier.zkey ../proving-keys/nf_anon_nullifier_new.zkey --name="contribution" -v -e="random entropy"

      - name: Generate verfication keys
        if: github.repository == 'settlemint/solidity-zeto'
        working-directory: zeto/zkp/
        run: |
          snarkjs zkey export verificationkey ../proving-keys/anon_new.zkey ../proving-keys/anon-vkey.json
          snarkjs zkey export verificationkey ../proving-keys/anon_enc_new.zkey ../proving-keys/anon_enc-vkey.json
          snarkjs zkey export verificationkey ../proving-keys/anon_nullifier_new.zkey ../proving-keys/anon_nullifier-vkey.json
          snarkjs zkey export verificationkey ../proving-keys/anon_enc_nullifier_new.zkey ../proving-keys/anon_enc_nullifier-vkey.json
          snarkjs zkey export verificationkey ../proving-keys/nf_anon_new.zkey ../proving-keys/nf_anon-vkey.json
          snarkjs zkey export verificationkey ../proving-keys/nf_anon_nullifier_new.zkey ../proving-keys/nf_anon_nullifier-vkey.json

      - name: Generate solidity verifier library
        if: github.repository == 'settlemint/solidity-zeto'
        working-directory: zeto/zkp/
        run: |
          snarkjs zkey export solidityverifier ../proving-keys/anon_new.zkey ../contracts-lib/verifier_anon.sol
          snarkjs zkey export solidityverifier ../proving-keys/anon_enc_new.zkey ../contracts-lib/verifier_anon_enc.sol
          snarkjs zkey export solidityverifier ../proving-keys/anon_nullifier_new.zkey ../contracts-lib/verifier_anon_nullifier.sol
          snarkjs zkey export solidityverifier ../proving-keys/anon_enc_nullifier_new.zkey ../contracts-lib/verifier_anon_enc_nullifier.sol
          snarkjs zkey export solidityverifier ../proving-keys/nf_anon_new.zkey ../contracts-lib/verifier_nf_anon.sol
          snarkjs zkey export solidityverifier ../proving-keys/nf_anon_nullifier_new.zkey ../contracts-lib/verifier_nf_anon_nullifier.sol

      - name: Edit solidity files
        if: github.repository == 'settlemint/solidity-zeto'
        working-directory: zeto/contracts-lib/
        run: |
            sed 's/Groth16Verifier/Groth16Verifier_Anon/' verifier_anon.sol > ../solidity/contracts/lib/verifier_anon.sol
            sed 's/Groth16Verifier/Groth16Verifier_AnonEnc/' verifier_anon_enc.sol > ../solidity/contracts/lib/verifier_anon_enc.sol
            sed 's/Groth16Verifier/Groth16Verifier_AnonNullifier/' verifier_anon_nullifier.sol > ../solidity/contracts/lib/verifier_anon_nullifier.sol
            sed 's/Groth16Verifier/Groth16Verifier_AnonEncNullifier/' verifier_anon_enc_nullifier.sol > ../solidity/contracts/lib/verifier_anon_enc_nullifier.sol
            sed 's/Groth16Verifier/Groth16Verifier_NFAnon/' verifier_nf_anon.sol > ../solidity/contracts/lib/verifier_nf_anon.sol
            sed 's/Groth16Verifier/Groth16Verifier_NFAnonNullifier/' verifier_nf_anon_nullifier.sol > ../solidity/contracts/lib/verifier_nf_anon_nullifier.sol

      - name: Run Forge build
        run: |
          forge --version
          forge build --sizes

      - name: Run Hardhat build
        run: |
          npx hardhat compile

      - name: Run Forge tests
        run: |
          forge test -vvv

      - name: Run Hardhat test
        run: |
          npx hardhat test

      - name: Setup LCOV
        if: github.ref_name != 'main'
        uses: hrishikesh-kadam/setup-lcov@v1

      - name: Run Forge Coverage
        if: github.ref_name != 'main'
        run: |
          forge coverage --report lcov --report summary
        id: coverage

      - name: Deploy to the local node
        run: |
          npx hardhat ignition deploy --network localhost ignition/modules/main.ts

      - name: Install YQ
        uses: alexellis/arkade-get@master
        with:
          print-summary: false
          yq: latest

      - name: Build the subgraph
        run: |
          if [ ! -d "subgraph" ] || [ -z "$(ls -A subgraph)" ]; then
            echo "Subgraph directory is missing or empty"
            exit 0
          fi
          if [ -f "subgraph/subgraph.config.json" ]; then
            npx graph-compiler --config subgraph/subgraph.config.json --include node_modules/@openzeppelin/subgraphs/src/datasources subgraph/datasources --export-schema --export-subgraph
            yq -i e '.specVersion = "1.2.0"' generated/scs.subgraph.yaml
            yq -i e '.features = ["nonFatalErrors", "fullTextSearch", "ipfsOnEthereumContracts"]' generated/scs.subgraph.yaml
            yq -i e '.dataSources[].mapping.apiVersion = "0.0.7"' generated/scs.subgraph.yaml
            yq -i e '.dataSources[].network = "localhost"' generated/scs.subgraph.yaml
            yq -i e '.templates[].mapping.apiVersion = "0.0.7"' generated/scs.subgraph.yaml
            yq -i e '.templates[].network = "localhost"' generated/scs.subgraph.yaml
            npx graph codegen generated/scs.subgraph.yaml
            npx graph build --ipfs=https://ipfs.network.thegraph.com generated/scs.subgraph.yaml | tee build_output.txt
          else
            cd subgraph
            npx graph codegen subgraph.yaml
            npx graph build --ipfs=https://ipfs.network.thegraph.com subgraph.yaml | tee build_output.txt

            cat build_output.txt

            # Extract and process IPFS hashes from the file
            ipfs_hashes=$(grep -oP 'Qm[a-zA-Z0-9]{44}' build_output.txt)

            echo "IPFS hashes: $ipfs_hashes"

            for hash in $ipfs_hashes; do
              echo "Processing IPFS hash: $hash"
              echo "Pinning $hash to Infura"
              curl -s -X POST -u "${{ secrets.INFURA_IPFS_API_KEY }}:${{ secrets.INFURA_IPFS_API_SECRET }}" "https://ipfs.infura.io:5001/api/v0/pin/add?arg=$hash" || true
              echo "Pinning $hash to Chainstack"
              curl -s --request POST --url https://api.chainstack.com/v1/ipfs/pins/pinbycid --header 'accept: application/json' --header 'authorization: Bearer ${{ secrets.CHAINSTACK_API_KEY }}' --header 'content-type: application/json' --data "{\"bucket_id\": \"BUCK-8412-8292-8457\", \"cid\": \"$hash\"}" || true
            done

            # Write IPFS hashes to a file
            echo "$ipfs_hashes" | sed 's/^/"/;s/$/"/' | paste -sd ',' > ipfs_hashes.txt
          fi


      - name: Report code coverage
        if: github.event_name == 'pull_request'
        uses: zgosalvez/github-actions-report-lcov@v4.1.19
        continue-on-error: true
        with:
          coverage-files: lcov.info
          github-token: ${{ secrets.GITHUB_TOKEN }}
          update-comment: true

      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@v5

      - name: Package version
        id: package-version
        run: |
          OLD_VERSION=$(jq -r '.version' package.json)
          echo "Old version: $OLD_VERSION"
          if [[ $GITHUB_REF_SLUG =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            VERSION=$(echo $GITHUB_REF_SLUG | sed 's/^v//')
            echo "TAG=latest" >> $GITHUB_ENV
          elif [[ $GITHUB_REF_NAME == "main" ]]; then
            VERSION="${OLD_VERSION}-main$(echo $GITHUB_SHA_SHORT | sed 's/^v//')"
            echo "TAG=main" >> $GITHUB_ENV
          else
            VERSION="${OLD_VERSION}-pr$(echo $GITHUB_SHA_SHORT | sed 's/^v//')"
            echo "TAG=pr" >> $GITHUB_ENV
          fi
          echo "VERSION=$VERSION" >> $GITHUB_ENV
          echo "Updating version to $VERSION"
          jq --arg version "$VERSION" '.version = $version' package.json > package.json.tmp && mv package.json.tmp package.json

          echo "Updated version to $VERSION"

      - name: Install zsh
        run: |
          sudo apt-get update
          sudo apt-get install -y zsh

      - name: Verify zsh installation
        run: |
          zsh --version
          which zsh

      - name: Generate README.md
        if: github.repository == 'settlemint/solidity-predeployed'
        run: |
          rm -Rf README.md
          cp .github/BASE.md README.md
          ./genesis-output
          echo "" >> README.md
          echo "\`\`\`json" >> README.md
          cat all_allocations.json >> README.md
          echo "\`\`\`" >> README.md
          cat all_allocations.json

      - name: Add IPFS hashes to README if exists
        run: |
          if [ -f ipfs_hashes.txt ]; then
            echo "" >> README.md
            echo "## IPFS Hashes" >> README.md
            echo "\`\`\`" >> README.md
            cat ipfs_hashes.txt >> README.md
            echo "\`\`\`" >> README.md
          fi

      - uses: JS-DevTools/npm-publish@v3
        with:
          token: ${{ secrets.NPM_TOKEN }}
          package: ./package.json
          access: public
          provenance: false
          strategy: all
          tag: ${{ env.TAG }}

      - name: Create or update a comment
        if: ${{ github.event_name == 'pull_request' }}
        uses: taoliujun/action-unique-comment@v1
        with:
            uniqueIdentifier: ${{ github.workflow }}
            body: |
                # 📦 Packages
                | Package | Install |
                | ------- | -------------------- |
                | React | `bun add @${{ github.repository_owner }}/${{ github.repository }}@${{ env.VERSION }}` |

      - uses: stefanzweifel/git-auto-commit-action@v5
        if: env.TAG == 'latest' && github.repository != 'settlemint/solidity-predeployed'
        with:
          commit_message: "chore: update package versions [skip ci]"
          branch: main
          file_pattern: 'package.json README.md'

      - uses: stefanzweifel/git-auto-commit-action@v5
        if: env.TAG == 'latest' && github.repository == 'settlemint/solidity-predeployed'
        with:
          commit_message: "chore: update package versions [skip ci]"
          branch: main
          file_pattern: 'package.json README.md all_allocations.json'

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/${{ github.repository }}
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha

      - name: Build and push
        uses: docker/build-push-action@v6
        id: build-and-push
        with:
          platforms: linux/amd64,linux/arm64
          provenance: true
          sbom: true
          push: true
          load: false
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          no-cache: true


      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          TAGS: ${{ steps.docker_meta.outputs.tags }}
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes ${images}