-
Notifications
You must be signed in to change notification settings - Fork 51
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' of github.com:lifinance/contracts into increaseTe…
…stCoverage
- Loading branch information
Showing
172 changed files
with
6,246 additions
and
6,406 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| # Audit Requirement Checker | ||
| # - checks if an audit is required for a given PR | ||
| # - an audit is required if any .sol file in path 'src/' has been modified or added | ||
| # - if audit is required, the action will assign the label "AuditRequired", otherwise it will assign label "AuditNotRequired" | ||
| # - it will also make sure that at the end, exactly one of these two labels is indeed assigned | ||
|
|
||
| name: Audit Requirement Check | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
|
|
||
| jobs: | ||
| check-audit-required: | ||
| if: ${{ github.event.pull_request.draft == false }} # will only run once the PR is in "Ready for Review" state | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| pull-requests: write | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 ##### Fetch all history for all branches | ||
|
|
||
| - name: Remove existing 'AuditRequired' and 'AuditNotRequired' labels | ||
| uses: actions-ecosystem/action-remove-labels@v1 | ||
| with: | ||
| github_token: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} | ||
| labels: | | ||
| AuditRequired | ||
| AuditNotRequired | ||
| number: ${{ github.event.pull_request.number }} | ||
|
|
||
| - name: Check Git Diff for protected contracts | ||
| id: check_eligibility | ||
| run: | | ||
| ##### get all files modified by this PR | ||
| FILES=$(git diff --name-only origin/main HEAD) | ||
| ##### make sure that there are modified files | ||
| if [[ -z $FILES ]]; then | ||
| echo -e "\033[31mNo files found. This should not happen. Please check the code of the Github action. Aborting now.\033[0m" | ||
| echo "CONTINUE=false" >> $GITHUB_ENV | ||
| fi | ||
| ##### Initialize empty variables | ||
| PROTECTED_CONTRACTS="" | ||
| ##### go through all modified file names/paths and identify contracts with path 'src/*' | ||
| while IFS= read -r FILE; do | ||
| if echo "$FILE" | grep -E '^src/.*\.sol$'; then | ||
| ##### contract found | ||
| PROTECTED_CONTRACTS="${PROTECTED_CONTRACTS}${FILE}"$'\n' | ||
| fi | ||
| done <<< "$FILES" | ||
| ##### if none found, exit here as there is nothing to do | ||
| if [[ -z "$PROTECTED_CONTRACTS" ]]; then | ||
| echo -e "\033[32mNo protected contracts found in Git Diff.\033[0m" | ||
| echo -e "\033[32mAssigning label 'AuditNotRequired' to this PR.\033[0m" | ||
| echo "AUDIT_REQUIRED=false" >> $GITHUB_ENV | ||
| exit 0 | ||
| else | ||
| echo -e "\033[31mProtected contracts found in Git Diff.\033[0m" | ||
| echo -e "\033[31mAssigning label 'AuditRequired' to this PR.\033[0m" | ||
| echo "AUDIT_REQUIRED=true" >> $GITHUB_ENV | ||
| fi | ||
| echo "PROTECTED_CONTRACTS: $PROTECTED_CONTRACTS" | ||
| ##### Write filenames to temporary files (using variables here was causing issues due to the file names) | ||
| echo -e "$PROTECTED_CONTRACTS" > protected_contracts.txt | ||
| - name: Assign correct label based on check outcome | ||
| uses: actions-ecosystem/action-add-labels@v1 | ||
| id: assign_label | ||
| with: | ||
| github_token: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} # we use the token of the git action user so the label protection check will pass | ||
| labels: ${{ env.AUDIT_REQUIRED == 'true' && 'AuditRequired' || 'AuditNotRequired' }} # if the action made it until here and CONTINUE was true then all checks passed. It CONTINUE was false then no audit is required | ||
| number: ${{ github.event.pull_request.number }} | ||
|
|
||
| - name: Verify label assignments (make sure exactly one of the two labels is assigned) | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} | ||
| run: | | ||
| echo "Fetching currently assigned labels..." | ||
| assigned_labels=$(gh pr view ${{ github.event.pull_request.number }} --json labels --jq '.labels | map(.name) | .[]') | ||
| echo "Assigned labels: $assigned_labels" | ||
| audit_required_assigned=0 | ||
| audit_not_required_assigned=0 | ||
| ##### go through all assigned labels and count how many protected labels are found | ||
| for label in $assigned_labels; do | ||
| if [ "$label" = "AuditRequired" ]; then | ||
| audit_required_assigned=$((audit_required_assigned + 1)) | ||
| elif [ "$label" = "AuditNotRequired" ]; then | ||
| audit_not_required_assigned=$((audit_not_required_assigned + 1)) | ||
| fi | ||
| done | ||
| total_labels_assigned=$((audit_required_assigned + audit_not_required_assigned)) | ||
| echo "Total labels assigned: $total_labels_assigned" | ||
| ##### make sure that exactly (only) one protected label is assigned | ||
| if [ "$total_labels_assigned" -ne 1 ]; then | ||
| echo -e "\033[31mError: Exactly one of the two labels should be assigned but found $total_labels_assigned assigned labels.\033[0m" | ||
| exit 1 | ||
| else | ||
| echo -e "\033[32mVerified that exactly one label is assigned.\033[0m" | ||
| echo -e "\033[32mAll good :)\033[0m" | ||
| fi | ||
| echo -e "\033[31mGit Action completed successfully\033[0m" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,119 @@ | ||
| # - Smart Contract Core Dev Approval checker | ||
| # - makes sure that every pull_request is at least reviewed by one Smart Contract Core Dev | ||
| # (member of group https://github.com/orgs/lifinance/teams/smart-contract-core) | ||
|
|
||
| name: SC Core Dev Approval Check | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
|
|
||
| jobs: | ||
| core-dev-approval: | ||
| if: ${{ github.event.pull_request.draft == false }} # will only run once the PR is in "Ready for Review" state | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Get smart-contract-core Team Members | ||
| env: | ||
| GH_PAT: ${{ secrets.GIT_TOKEN }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| ##### unset the default git token (does not have sufficient rights to get team members) | ||
| unset GITHUB_TOKEN | ||
| ##### use the Personal Access Token to log into git CLI | ||
| echo $GH_PAT | gh auth login --with-token | ||
| ##### Function that uses github's REST API via CLI to get team members | ||
| getTeamMembers() { | ||
| local org=$1 | ||
| local team=$2 | ||
| gh api \ | ||
| -H "Accept: application/vnd.github+json" \ | ||
| -H "X-GitHub-Api-Version: 2022-11-28" \ | ||
| "/orgs/$org/teams/$team/members" | jq -r '.[].login' | ||
| } | ||
| ORG_NAME="lifinance" | ||
| TEAM_SLUG="smart-contract-core" | ||
| # Get members of each group | ||
| echo "Fetching members of $TEAM_SLUG..." | ||
| MEMBERS=$(getTeamMembers $ORG_NAME $TEAM_SLUG) | ||
| #### check if any members were returned | ||
| if [[ -z $MEMBERS ]]; then | ||
| echo -e "\033[31mERROR: Could not retrieve team members of group $TEAM_SLUG\033[0m" | ||
| echo "CONTINUE=false" >> "$GITHUB_ENV" | ||
| exit 1 | ||
| fi | ||
| echo "The following Github users are members of team smart-contract-core: " | ||
| echo "$MEMBERS" | ||
| echo -e "$MEMBERS" > sc_core_dev_members.txt | ||
| echo "CONTINUE=true" >> "$GITHUB_ENV" | ||
| - name: Check if PR is approved by at least one SC core dev | ||
| id: check-core-dev-approval | ||
| if: env.CONTINUE == 'true' | ||
| uses: actions/github-script@v7 | ||
| env: | ||
| PR_NUMBER: ${{ github.event.number }} | ||
| with: | ||
| script: | | ||
| const fs = require('fs'); | ||
| // ANSI escape codes for colors (used for colored output in Git action console) | ||
| const colors = { | ||
| reset: "\033[0m", | ||
| red: "\033[31m", | ||
| green: "\033[32m", | ||
| }; | ||
| const coreDevsFile = 'sc_core_dev_members.txt'; | ||
| // Read handles from file | ||
| const coreDevs = fs.readFileSync(coreDevsFile, 'utf-8').split(/\r?\n/).filter(Boolean); | ||
| // get all reviewers that have approved this PR | ||
| const { data: reviews } = await github.rest.pulls.listReviews({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| pull_number: process.env.PR_NUMBER, | ||
| }); | ||
| // make sure that reviews are available | ||
| if(!reviews || reviews.length === 0) { | ||
| console.log(`${colors.red}Could not get reviewers of this PR from Github. Are there any reviews yet?${colors.reset}`); | ||
| console.log(`${colors.red}Check failed.${colors.reset}`); | ||
| core.setFailed("Required approval is missing"); | ||
| return | ||
| } | ||
| // Filter to only include reviews that have "APPROVED" status | ||
| const approvedReviews = reviews.filter(review => review.state === 'APPROVED'); | ||
| if(!approvedReviews.length === 0) { | ||
| console.log(`${colors.red}Could not find any reviews with approval.${colors.reset}`); | ||
| console.log(`${colors.red}Cannot continue. Check failed.${colors.reset}`); | ||
| core.setFailed("Required approval is missing"); | ||
| return | ||
| } | ||
| // extract the git login handles of all reviewers that approved this PR | ||
| const reviewerHandles = approvedReviews.map(review => review.user.login); | ||
| if(approvedReviews.length === 0) | ||
| console.log(`${colors.red}This PR has no approvals${colors.reset}`); | ||
| else | ||
| console.log(`This PR has been approved by the following git members: ${reviewerHandles}`); | ||
| // check if at least one of these reviewers is member in smart-contract-core group | ||
| if (reviewerHandles.some((handle) => coreDevs.includes(handle))) { | ||
| console.log(`${colors.green}The current PR is approved by a member of the smart-contract-core group.${colors.reset}`); | ||
| console.log(`${colors.green}Check passed.${colors.reset}`); | ||
| core.setOutput('approved', 'true'); | ||
| } else { | ||
| console.log(`${colors.red}The PR requires a missing approval by a member of the smart-contract-core group (https://github.com/orgs/lifinance/teams/smart-contract-core).${colors.reset}`); | ||
| console.log(`${colors.red}Check failed.${colors.reset}`); | ||
| core.setFailed("Required approval is missing"); | ||
| } |
Oops, something went wrong.