smom-dbis-138/.github/workflows/ci.yml

name: CI/CD Pipeline

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]

env:
  SOLIDITY_VERSION: "0.8.19"
  FOUNDRY_VERSION: "nightly"

jobs:
  # Compile and test Solidity contracts
  solidity:
    name: Solidity Contracts
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
        with:
          version: ${{ env.FOUNDRY_VERSION }}
      
      - name: Install dependencies
        run: |
          # Install OpenZeppelin if needed (for contracts requiring it)
          # Note: New WETH contracts (WETH10, CCIPWETH9Bridge, CCIPWETH10Bridge) are independent
          # Existing CCIP contracts (CCIPSender, CCIPRouter, etc.) require OpenZeppelin
          if [ -d ".git" ]; then
            forge install OpenZeppelin/openzeppelin-contracts --no-commit || echo "OpenZeppelin may already be installed or git not initialized"
          else
            echo "Git not initialized - skipping OpenZeppelin installation"
            echo "Note: Contracts requiring OpenZeppelin will not compile"
          fi
      
      - name: Compile contracts
        run: forge build
      
      - name: Run tests
        run: forge test --gas-report
      
      - name: Run Slither
        run: |
          pip install slither-analyzer
          chmod +x scripts/security/slither-scan.sh
          ./scripts/security/slither-scan.sh || true
        continue-on-error: true
      
      - name: Run Mythril
        run: |
          pip install mythril
          chmod +x scripts/security/mythril-scan.sh
          ./scripts/security/mythril-scan.sh || true
        continue-on-error: true
      
      - name: Run SolidityScan
        if: ${{ secrets.SOLIDITYSCAN_API_KEY != '' }}
        run: |
          pip install solidityscan
          solidityscan --api-key ${{ secrets.SOLIDITYSCAN_API_KEY }} --project-path . || true
        continue-on-error: true
        env:
          SOLIDITYSCAN_API_KEY: ${{ secrets.SOLIDITYSCAN_API_KEY }}
      
      - name: Upload Slither reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: slither-reports
          path: reports/slither/
      
      - name: Upload Mythril reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: mythril-reports
          path: reports/mythril/

  # Security scanning
  security:
    name: Security Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Run Trivy container scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
        continue-on-error: true
      
      - name: Upload Trivy results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
        continue-on-error: true
      
      - name: Run Snyk security scan
        uses: snyk/actions/setup@master
        continue-on-error: true
      
      - name: Snyk test
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        continue-on-error: true
        with:
          args: --severity-threshold=high

  # Lint and format check
  lint:
    name: Lint and Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
        with:
          version: ${{ env.FOUNDRY_VERSION }}
      
      - name: Check formatting
        run: forge fmt --check
      
      - name: Lint YAML files
        uses: ibiqlik/action-yamllint@v3
        with:
          file_or_dir: .
          config_file: .yamllint.yml
        continue-on-error: true

  # Terraform validation
  terraform:
    name: Terraform Validation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.6.0"
      
      - name: Terraform Init
        working-directory: terraform
        run: terraform init -backend=false
      
      - name: Terraform Validate
        working-directory: terraform
        run: terraform validate
      
      - name: Terraform Format Check
        working-directory: terraform
        run: terraform fmt -check

  # Kubernetes manifest validation
  kubernetes:
    name: Kubernetes Validation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Install kubectl
        uses: azure/setup-kubectl@v3
      
      - name: Validate Kubernetes manifests
        run: |
          for file in $(find k8s helm -name "*.yaml" -o -name "*.yml"); do
            echo "Validating $file"
            kubectl apply --dry-run=client -f "$file" || true
          done
        continue-on-error: true