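---
# CI/CD pipeline: Solidity build/test plus static analysis, repository-wide
# vulnerability scanning, lint/format checks, and IaC validation.
#
# Security notes for maintainers:
#   * GITHUB_TOKEN is read-only by default (top-level `permissions`); a job
#     requests extra scopes only where one of its steps needs them.
#   * Secrets reach tools through `env`, never by interpolating
#     `${{ secrets.* }}` into a `run:` script, so a secret containing shell
#     metacharacters cannot alter the command line (expression injection).
#   * Scanners are advisory: `continue-on-error` keeps the job green, but
#     a failing scan is shown on the step instead of being hidden by `|| true`.
#   * Several third-party actions and tools are still fetched by branch name
#     or unpinned version; see the TODO(security) markers below.
name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

# Least privilege for the workflow token; jobs widen this only when needed.
permissions:
  contents: read

env:
  # NOTE(review): SOLIDITY_VERSION is not referenced by any step in this
  # file; the compiler version actually used comes from Foundry's own
  # configuration. Keep the two in sync or wire this value into the build.
  SOLIDITY_VERSION: "0.8.19"
  # "nightly" is a moving target; a dated nightly or a release tag makes
  # builds reproducible.
  FOUNDRY_VERSION: "nightly"

jobs:
  # Compile, test and statically analyse the Solidity contracts.
  solidity:
    name: Solidity Contracts
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
        with:
          version: ${{ env.FOUNDRY_VERSION }}

      - name: Install dependencies
        run: |
          # OpenZeppelin is only needed by the existing CCIP contracts
          # (CCIPSender, CCIPRouter, ...); the WETH contracts (WETH10,
          # CCIPWETH9Bridge, CCIPWETH10Bridge) have no external dependencies.
          # TODO(security): pin to a release tag that compiles with
          # SOLIDITY_VERSION instead of installing the default branch head.
          if [ -d ".git" ]; then
            forge install OpenZeppelin/openzeppelin-contracts --no-commit \
              || echo "OpenZeppelin may already be installed or git not initialized"
          else
            echo "Git not initialized - skipping OpenZeppelin installation"
            echo "Note: Contracts requiring OpenZeppelin will not compile"
          fi

      - name: Compile contracts
        run: forge build

      - name: Run tests
        run: forge test --gas-report

      # Advisory scan: the job still succeeds, but a failing step is visible.
      - name: Run Slither
        continue-on-error: true
        run: |
          pip install slither-analyzer  # TODO(security): pin the version
          chmod +x scripts/security/slither-scan.sh
          ./scripts/security/slither-scan.sh

      # Advisory scan: the job still succeeds, but a failing step is visible.
      - name: Run Mythril
        continue-on-error: true
        run: |
          pip install mythril  # TODO(security): pin the version
          chmod +x scripts/security/mythril-scan.sh
          ./scripts/security/mythril-scan.sh

      # Optional hosted scan. The `secrets` context is generally not usable
      # in a step-level `if`, so the key is mapped into the step's `env` and
      # tested there; runs without the secret (e.g. PRs from forks) skip the
      # step. The key is read by the tool from the environment only, never
      # expanded onto the command line.
      - name: Run SolidityScan
        if: ${{ env.SOLIDITYSCAN_API_KEY != '' }}
        continue-on-error: true
        env:
          SOLIDITYSCAN_API_KEY: ${{ secrets.SOLIDITYSCAN_API_KEY }}
        run: |
          pip install solidityscan  # TODO(security): pin the version
          solidityscan --api-key "$SOLIDITYSCAN_API_KEY" --project-path .

      - name: Upload Slither reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: slither-reports
          path: reports/slither/

      - name: Upload Mythril reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: mythril-reports
          path: reports/mythril/

  # Repository-wide vulnerability scanning.
  security:
    name: Security Scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed by codeql-action/upload-sarif to publish results to the
      # Security tab (private repositories may additionally need
      # `actions: read`).
      security-events: write
    steps:
      - uses: actions/checkout@v4

      # TODO(security): pin the `@master` actions below to a release tag or,
      # better, a full commit SHA. A branch reference pulls whatever upstream
      # currently holds into a job that can read the repository and secrets.
      - name: Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@master
        continue-on-error: true
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        continue-on-error: true
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Set up Snyk
        uses: snyk/actions/setup@master
        continue-on-error: true

      # Tolerated failure when SNYK_TOKEN is unset, e.g. on PRs from forks
      # where secrets are withheld.
      - name: Snyk test
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

  # Source formatting and YAML lint.
  lint:
    name: Lint and Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
        with:
          version: ${{ env.FOUNDRY_VERSION }}

      - name: Check formatting
        run: forge fmt --check

      - name: Lint YAML files
        uses: ibiqlik/action-yamllint@v3
        continue-on-error: true
        with:
          file_or_dir: .
          config_file: .yamllint.yml

  # Terraform syntax and consistency checks. `-backend=false` means no
  # state backend is touched and no cloud credentials are required.
  terraform:
    name: Terraform Validation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.6.0"

      - name: Terraform Init
        working-directory: terraform
        run: terraform init -backend=false

      - name: Terraform Validate
        working-directory: terraform
        run: terraform validate

      - name: Terraform Format Check
        working-directory: terraform
        run: terraform fmt -check

  # Kubernetes manifest validation.
  kubernetes:
    name: Kubernetes Validation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install kubectl
        uses: azure/setup-kubectl@v3

      # NOTE(review): the runner has no cluster, and `--dry-run=client` can
      # still attempt a schema lookup against one; Helm chart templates are
      # also not plain YAML. Per-file failures are therefore logged but do
      # not stop the loop. Paths are NUL-delimited so names containing
      # whitespace are handled.
      - name: Validate Kubernetes manifests
        continue-on-error: true
        run: |
          find k8s helm \( -name "*.yaml" -o -name "*.yml" \) -print0 \
            | while IFS= read -r -d '' file; do
                echo "Validating $file"
                kubectl apply --dry-run=client -f "$file" || true
              done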