solidity.yml

name: Branch

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
    tags:
      - "v*"

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  actions: write
  checks: write
  contents: write
  deployments: write
  id-token: write
  issues: write
  discussions: write
  packages: write
  pages: write
  pull-requests: write
  repository-projects: write
  security-events: write
  statuses: write

jobs:
  codescanning:
    name: Code Scanning
    #runs-on: ubuntu-latest
    runs-on: namespace-profile-btp-scs
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Install canvas dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev

      - uses: crytic/slither-action@v0.4.0
        id: slither
        with:
          sarif: slither.sarif
          slither-args: --filter-paths "lib/" --filter-paths "node_modules/"
          solc-version: 0.8.24
          fail-on: none

      - name: Upload findings to GitHub Advanced Security Dashboard
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.slither.outputs.sarif }}
        if: always()

  test:
    services:
      foundry:
        image: ghcr.io/settlemint/btp-anvil-test-node:latest
        ports:
          - '8545:8545'
    name: Test
    #runs-on: ubuntu-latest
    runs-on: namespace-profile-btp-scs
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
        with:
          version: nightly

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install Node dependencies
        run: npm install

      - name: Run Forge build
        run: |
          forge --version
          forge build --sizes

      - name: Run Hardhat build
        run: |
          npx hardhat compile

      - name: Run Forge tests
        run: |
          forge test -vvv

      - name: Run Hardhat test
        run: |
          npx hardhat test

      - name: Setup LCOV
        if: github.ref_name != 'main'
        uses: hrishikesh-kadam/setup-lcov@v1

      - name: Run Forge Coverage
        if: github.ref_name != 'main'
        run: |
          forge coverage --report lcov --report summary
        id: coverage

      - name: Deploy to the local node
        run: |
          npx hardhat ignition deploy --network localhost ignition/modules/main.ts

      - name: Install YQ
        uses: alexellis/arkade-get@master
        with:
          print-summary: false
          yq: latest

      - name: Build the subgraph
        run: |
          if [ ! -d "subgraph" ] || [ -z "$(ls -A subgraph)" ]; then
            echo "Subgraph directory is missing or empty"
            exit 0
          fi
          npx graph-compiler --config subgraph/subgraph.config.json --include node_modules/@openzeppelin/subgraphs/src/datasources subgraph/datasources --export-schema --export-subgraph
          yq -i e '.specVersion = "1.2.0"' generated/scs.subgraph.yaml
          yq -i e '.features = ["nonFatalErrors", "fullTextSearch", "ipfsOnEthereumContracts"]' generated/scs.subgraph.yaml
          yq -i e '.dataSources[].mapping.apiVersion = "0.0.7"' generated/scs.subgraph.yaml
          yq -i e '.dataSources[].network = "localhost"' generated/scs.subgraph.yaml
          yq -i e '.templates[].mapping.apiVersion = "0.0.7"' generated/scs.subgraph.yaml
          yq -i e '.templates[].network = "localhost"' generated/scs.subgraph.yaml
          npx graph codegen generated/scs.subgraph.yaml
          npx graph build generated/scs.subgraph.yaml

      - name: Report code coverage
        if: github.ref_name != 'main'
        uses: zgosalvez/github-actions-report-lcov@v4.1.12
        with:
          coverage-files: lcov.info
          minimum-coverage: 90
          github-token: ${{ secrets.GITHUB_TOKEN }}
          update-comment: true

  docker:
    needs:
      - test
    name: Docker
    #runs-on: ubuntu-latest
    runs-on: namespace-profile-btp-scs
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker meta
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/${{ github.repository }}
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha

      - name: Build and push
        uses: docker/build-push-action@v6
        id: build-and-push
        with:
          platforms: linux/amd64,linux/arm64
          provenance: true
          sbom: true
          push: true
          load: false
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          no-cache: true


      - name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
          TAGS: ${{ steps.docker_meta.outputs.tags }}
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes ${images}