Skip to content

chore(deps): update zgosalvez/github-actions-report-lcov action to v4.1.17 #67

chore(deps): update zgosalvez/github-actions-report-lcov action to v4.1.17

chore(deps): update zgosalvez/github-actions-report-lcov action to v4.1.17 #67

Workflow file for this run

name: Solidity
on:
pull_request:
branches:
- main
push:
branches:
- main
tags:
- "v*"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
actions: write
checks: write
contents: write
deployments: write
id-token: write
issues: write
discussions: write
packages: write
pages: write
pull-requests: write
repository-projects: write
security-events: write
statuses: write
jobs:
codescanning:
name: Code Scanning
#runs-on: ubuntu-latest
runs-on: namespace-profile-btp-scs
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Install canvas dependencies
run: |
sudo apt-get update
sudo apt-get install -y build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev
- uses: crytic/[email protected]
id: slither
with:
sarif: slither.sarif
slither-args: --filter-paths "lib/" --filter-paths "node_modules/"
solc-version: ${{ vars.SOL_VERSION || '0.8.27' }}
fail-on: none
- name: Upload findings to GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.slither.outputs.sarif }}
if: always()
test:
services:
foundry:
image: ghcr.io/settlemint/btp-anvil-test-node:latest
ports:
- '8545:8545'
name: Build Set
#runs-on: ubuntu-latest
runs-on: namespace-profile-btp-scs
steps:
- name: Checkout
uses: namespacelabs/nscloud-checkout-action@v5
with:
submodules: recursive
token: ${{ secrets.PAT_TOKEN }}
- name: Setup caches
uses: namespacelabs/nscloud-cache-action@v1
with:
path: |
./node_modules
~/.npm
- name: Install Foundry
uses: foundry-rs/foundry-toolchain@v1
with:
version: nightly
- uses: actions/setup-node@v4
with:
node-version: 20
- name: Install Node dependencies
run: npm install
- name: Install circom
if: github.repository == 'settlemint/solidity-zeto'
run: |
curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh -s -- -y
git clone https://github.com/iden3/circom.git
cd circom
cargo build --release
cargo install --path circom
- name: Install snarkjs
if: github.repository == 'settlemint/solidity-zeto'
run: |
npm install -g snarkjs@latest
- name: Install zeto
if: github.repository == 'settlemint/solidity-zeto'
run: |
git clone https://github.com/victoryeo/zeto.git
cd zeto
cd zkp/circuits
npm install
cd ..
circom circuits/anon_enc_nullifier.circom --output ./js/lib --sym --wasm
circom circuits/anon_enc.circom --output ./js/lib --sym --wasm
circom circuits/anon_nullifier.circom --output ./js/lib --sym --wasm
circom circuits/anon.circom --output ./js/lib --sym --wasm
circom circuits/check-nullifiers.circom --output ./js/lib --sym --wasm
circom circuits/nf_anon_nullifier.circom --output ./js/lib --sym --wasm
circom circuits/nf_anon.circom --output ./js/lib --sym --wasm
- name: Create folders
if: github.repository == 'settlemint/solidity-zeto'
run: |
mkdir -p ./zeto/proving-keys
mkdir -p ./zeto/contracts-lib
- name: Download ptau
if: github.repository == 'settlemint/solidity-zeto'
working-directory: zeto/proving-keys/
run: |
wget -nv https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_12.ptau
wget -nv https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_13.ptau
wget -nv https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_16.ptau
wget -nv https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_11.ptau
wget -nv https://storage.googleapis.com/zkevm/ptau/powersOfTau28_hez_final_15.ptau
- name: Generate R1CS circuit format
if: github.repository == 'settlemint/solidity-zeto'
working-directory: zeto/zkp/
run: |
circom circuits/anon_enc_nullifier.circom --output ../proving-keys --r1cs
circom circuits/anon_enc.circom --output ../proving-keys --r1cs
circom circuits/anon_nullifier.circom --output ../proving-keys --r1cs
circom circuits/anon.circom --output ../proving-keys --r1cs
circom circuits/check-nullifiers.circom --output ../proving-keys --r1cs
circom circuits/nf_anon_nullifier.circom --output ../proving-keys --r1cs
circom circuits/nf_anon.circom --output ../proving-keys --r1cs
- name: Generate proving keys
if: github.repository == 'settlemint/solidity-zeto'
working-directory: zeto/zkp/
run: |
snarkjs groth16 setup ../proving-keys/anon.r1cs ../proving-keys/powersOfTau28_hez_final_12.ptau ../proving-keys/anon.zkey
snarkjs groth16 setup ../proving-keys/anon_enc.r1cs ../proving-keys/powersOfTau28_hez_final_13.ptau ../proving-keys/anon_enc.zkey
snarkjs groth16 setup ../proving-keys/anon_nullifier.r1cs ../proving-keys/powersOfTau28_hez_final_16.ptau ../proving-keys/anon_nullifier.zkey
snarkjs groth16 setup ../proving-keys/anon_enc_nullifier.r1cs ../proving-keys/powersOfTau28_hez_final_16.ptau ../proving-keys/anon_enc_nullifier.zkey
snarkjs groth16 setup ../proving-keys/nf_anon.r1cs ../proving-keys/powersOfTau28_hez_final_11.ptau ../proving-keys/nf_anon.zkey
snarkjs groth16 setup ../proving-keys/nf_anon_nullifier.r1cs ../proving-keys/powersOfTau28_hez_final_15.ptau ../proving-keys/nf_anon_nullifier.zkey
- name: Per-circuit set up ceremony on proving keys
if: github.repository == 'settlemint/solidity-zeto'
working-directory: zeto/zkp/
run: |
snarkjs zkey contribute ../proving-keys/anon.zkey ../proving-keys/anon_new.zkey --name="contribution" -v -e="random entropy"
snarkjs zkey contribute ../proving-keys/anon_enc.zkey ../proving-keys/anon_enc_new.zkey --name="contribution" -v -e="random entropy"
snarkjs zkey contribute ../proving-keys/anon_nullifier.zkey ../proving-keys/anon_nullifier_new.zkey --name="contribution" -v -e="random entropy"
snarkjs zkey contribute ../proving-keys/anon_enc_nullifier.zkey ../proving-keys/anon_enc_nullifier_new.zkey --name="contribution" -v -e="random entropy"
snarkjs zkey contribute ../proving-keys/nf_anon.zkey ../proving-keys/nf_anon_new.zkey --name="contribution" -v -e="random entropy"
snarkjs zkey contribute ../proving-keys/nf_anon_nullifier.zkey ../proving-keys/nf_anon_nullifier_new.zkey --name="contribution" -v -e="random entropy"
- name: Generate verfication keys
if: github.repository == 'settlemint/solidity-zeto'
working-directory: zeto/zkp/
run: |
snarkjs zkey export verificationkey ../proving-keys/anon_new.zkey ../proving-keys/anon-vkey.json
snarkjs zkey export verificationkey ../proving-keys/anon_enc_new.zkey ../proving-keys/anon_enc-vkey.json
snarkjs zkey export verificationkey ../proving-keys/anon_nullifier_new.zkey ../proving-keys/anon_nullifier-vkey.json
snarkjs zkey export verificationkey ../proving-keys/anon_enc_nullifier_new.zkey ../proving-keys/anon_enc_nullifier-vkey.json
snarkjs zkey export verificationkey ../proving-keys/nf_anon_new.zkey ../proving-keys/nf_anon-vkey.json
snarkjs zkey export verificationkey ../proving-keys/nf_anon_nullifier_new.zkey ../proving-keys/nf_anon_nullifier-vkey.json
- name: Generate solidity verifier library
if: github.repository == 'settlemint/solidity-zeto'
working-directory: zeto/zkp/
run: |
snarkjs zkey export solidityverifier ../proving-keys/anon_new.zkey ../contracts-lib/verifier_anon.sol
snarkjs zkey export solidityverifier ../proving-keys/anon_enc_new.zkey ../contracts-lib/verifier_anon_enc.sol
snarkjs zkey export solidityverifier ../proving-keys/anon_nullifier_new.zkey ../contracts-lib/verifier_anon_nullifier.sol
snarkjs zkey export solidityverifier ../proving-keys/anon_enc_nullifier_new.zkey ../contracts-lib/verifier_anon_enc_nullifier.sol
snarkjs zkey export solidityverifier ../proving-keys/nf_anon_new.zkey ../contracts-lib/verifier_nf_anon.sol
snarkjs zkey export solidityverifier ../proving-keys/nf_anon_nullifier_new.zkey ../contracts-lib/verifier_nf_anon_nullifier.sol
- name: Edit solidity files
if: github.repository == 'settlemint/solidity-zeto'
working-directory: zeto/contracts-lib/
run: |
sed 's/Groth16Verifier/Groth16Verifier_Anon/' verifier_anon.sol > ../solidity/contracts/lib/verifier_anon.sol
sed 's/Groth16Verifier/Groth16Verifier_AnonEnc/' verifier_anon_enc.sol > ../solidity/contracts/lib/verifier_anon_enc.sol
sed 's/Groth16Verifier/Groth16Verifier_AnonNullifier/' verifier_anon_nullifier.sol > ../solidity/contracts/lib/verifier_anon_nullifier.sol
sed 's/Groth16Verifier/Groth16Verifier_AnonEncNullifier/' verifier_anon_enc_nullifier.sol > ../solidity/contracts/lib/verifier_anon_enc_nullifier.sol
sed 's/Groth16Verifier/Groth16Verifier_NFAnon/' verifier_nf_anon.sol > ../solidity/contracts/lib/verifier_nf_anon.sol
sed 's/Groth16Verifier/Groth16Verifier_NFAnonNullifier/' verifier_nf_anon_nullifier.sol > ../solidity/contracts/lib/verifier_nf_anon_nullifier.sol
- name: Run Forge build
run: |
forge --version
forge build --sizes
- name: Run Hardhat build
run: |
npx hardhat compile
- name: Run Forge tests
run: |
forge test -vvv
- name: Run Hardhat test
run: |
npx hardhat test
- name: Setup LCOV
if: github.ref_name != 'main'
uses: hrishikesh-kadam/setup-lcov@v1
- name: Run Forge Coverage
if: github.ref_name != 'main'
run: |
forge coverage --report lcov --report summary
id: coverage
- name: Deploy to the local node
run: |
npx hardhat ignition deploy --network localhost ignition/modules/main.ts
- name: Install YQ
uses: alexellis/arkade-get@master
with:
print-summary: false
yq: latest
- name: Build the subgraph
run: |
if [ ! -d "subgraph" ] || [ -z "$(ls -A subgraph)" ]; then
echo "Subgraph directory is missing or empty"
exit 0
fi
if [ -f "subgraph/subgraph.config.json" ]; then
npx graph-compiler --config subgraph/subgraph.config.json --include node_modules/@openzeppelin/subgraphs/src/datasources subgraph/datasources --export-schema --export-subgraph
yq -i e '.specVersion = "1.2.0"' generated/scs.subgraph.yaml
yq -i e '.features = ["nonFatalErrors", "fullTextSearch", "ipfsOnEthereumContracts"]' generated/scs.subgraph.yaml
yq -i e '.dataSources[].mapping.apiVersion = "0.0.7"' generated/scs.subgraph.yaml
yq -i e '.dataSources[].network = "localhost"' generated/scs.subgraph.yaml
yq -i e '.templates[].mapping.apiVersion = "0.0.7"' generated/scs.subgraph.yaml
yq -i e '.templates[].network = "localhost"' generated/scs.subgraph.yaml
npx graph codegen generated/scs.subgraph.yaml
npx graph build --ipfs=https://ipfs.network.thegraph.com generated/scs.subgraph.yaml | tee build_output.txt
else
cd subgraph
npx graph codegen subgraph.yaml
npx graph build --ipfs=https://ipfs.network.thegraph.com subgraph.yaml | tee build_output.txt
cat build_output.txt
# Extract and process IPFS hashes from the file
ipfs_hashes=$(grep -oP 'Qm[a-zA-Z0-9]{44}' build_output.txt)
echo "IPFS hashes: $ipfs_hashes"
for hash in $ipfs_hashes; do
echo "Processing IPFS hash: $hash"
echo "Pinning $hash to Infura"
curl -s -X POST -u "${{ secrets.INFURA_IPFS_API_KEY }}:${{ secrets.INFURA_IPFS_API_SECRET }}" "https://ipfs.infura.io:5001/api/v0/pin/add?arg=$hash" || true
echo "Pinning $hash to Chainstack"
curl -s --request POST --url https://api.chainstack.com/v1/ipfs/pins/pinbycid --header 'accept: application/json' --header 'authorization: Bearer ${{ secrets.CHAINSTACK_API_KEY }}' --header 'content-type: application/json' --data "{\"bucket_id\": \"BUCK-8412-8292-8457\", \"cid\": \"$hash\"}" || true
done
# Write IPFS hashes to a file
echo "$ipfs_hashes" | sed 's/^/"/;s/$/"/' | paste -sd ',' > ipfs_hashes.txt
fi
- name: Report code coverage
if: github.event_name == 'pull_request'
uses: zgosalvez/[email protected]
with:
coverage-files: lcov.info
github-token: ${{ secrets.GITHUB_TOKEN }}
update-comment: true
- name: Inject slug/short variables
uses: rlespinasse/github-slug-action@v4
- name: Package version
id: package-version
run: |
OLD_VERSION=$(jq -r '.version' package.json)
echo "Old version: $OLD_VERSION"
if [[ $GITHUB_REF_SLUG =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
VERSION=$(echo $GITHUB_REF_SLUG | sed 's/^v//')
echo "TAG=latest" >> $GITHUB_ENV
elif [[ $GITHUB_REF_NAME == "main" ]]; then
VERSION="${OLD_VERSION}-main$(echo $GITHUB_SHA_SHORT | sed 's/^v//')"
echo "TAG=main" >> $GITHUB_ENV
else
VERSION="${OLD_VERSION}-pr$(echo $GITHUB_SHA_SHORT | sed 's/^v//')"
echo "TAG=pr" >> $GITHUB_ENV
fi
echo "VERSION=$VERSION" >> $GITHUB_ENV
echo "Updating version to $VERSION"
jq --arg version "$VERSION" '.version = $version' package.json > package.json.tmp && mv package.json.tmp package.json
echo "Updated version to $VERSION"
- name: Install zsh
run: |
sudo apt-get update
sudo apt-get install -y zsh
- name: Verify zsh installation
run: |
zsh --version
which zsh
- name: Generate README.md
if: github.repository == 'settlemint/solidity-predeployed'
run: |
rm -Rf README.md
cp .github/BASE.md README.md
./genesis-output
echo "" >> README.md
echo "\`\`\`json" >> README.md
cat all_allocations.json >> README.md
echo "\`\`\`" >> README.md
cat all_allocations.json
- name: Add IPFS hashes to README if exists
run: |
if [ -f ipfs_hashes.txt ]; then
echo "" >> README.md
echo "## IPFS Hashes" >> README.md
echo "\`\`\`" >> README.md
cat ipfs_hashes.txt >> README.md
echo "\`\`\`" >> README.md
fi
- uses: JS-DevTools/npm-publish@v3
with:
token: ${{ secrets.NPM_TOKEN }}
package: ./package.json
access: public
provenance: false
strategy: all
tag: ${{ env.TAG }}
- name: Create or update a comment
if: ${{ github.event_name == 'pull_request' }}
uses: taoliujun/action-unique-comment@v1
with:
uniqueIdentifier: ${{ github.workflow }}
body: |
# 📦 Packages
| Package | Install |
| ------- | -------------------- |
| React | `npm i @${{ github.repository_owner }}/${{ github.repository }}@${{ env.VERSION }}` |
- uses: stefanzweifel/git-auto-commit-action@v5
if: ${{ env.TAG == 'latest' }}
with:
commit_message: "chore: update package versions [skip ci]"
branch: main
file_pattern: 'package.json README.md'
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/${{ github.repository }}
tags: |
type=schedule
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
- name: Build and push
uses: docker/build-push-action@v6
id: build-and-push
with:
platforms: linux/amd64,linux/arm64
provenance: true
sbom: true
push: true
load: false
tags: ${{ steps.docker_meta.outputs.tags }}
labels: ${{ steps.docker_meta.outputs.labels }}
no-cache: true
- name: Sign the images with GitHub OIDC Token
env:
DIGEST: ${{ steps.build-and-push.outputs.digest }}
TAGS: ${{ steps.docker_meta.outputs.tags }}
run: |
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}