TrustEVM Contract CI

.github/workflows/build-contract-test.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -eo pipefail
+
+# print and run a command
+function ee()
+{
+    echo "$ $*"
+    eval "$@"
+}
+
+export Deosio_DIR='/usr/lib/x86_64-linux-gnu/cmake/eosio'
+# debug code
+ee cmake --version
+echo 'Leap version:'
+cat "$Deosio_DIR/EosioTester.cmake" | grep 'EOSIO_VERSION' | grep -oP "['\"].*['\"]" | tr -d "'\"" || :
+
+# build
+ee mkdir -p contract/tests/build
+ee pushd contract/tests
+ee pushd build
+ee "cmake -Deosio_DIR=$Deosio_DIR .."
+ee make -j "$(nproc)" unit_test
+
+# pack
+ee popd
+ee 'tar -czf ../../contract-test.tar.gz build/*'
+ee popd
+
+echo "Done! - ${0##*/}"

.github/workflows/build-contract.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+set -eo pipefail
+
+# print and run a command
+function ee()
+{
+    echo "$ $*"
+    eval "$@"
+}
+
+# debug code
+ee cdt-cc --version
+ee cmake --version
+
+# build
+ee mkdir -p contract/build
+ee pushd contract
+ee pushd build
+ee cmake -DCMAKE_BUILD_TYPE=Release -DWITH_TEST_ACTIONS=On ..
+ee make -j "$(nproc)"
+
+# pack
+ee popd
+ee 'tar -czf ../contract.tar.gz build/*'
+ee popd
+
+echo "Done! - ${0##*/}"

.github/workflows/contract.md

@@ -0,0 +1,64 @@
+# TrustEVM Contract CI
+This GitHub Actions workflow builds the TrustEVM contract and its associated tests.
+
+### Index
+1. [Triggers](#triggers)
+1. [Inputs](#inputs)
+1. [Steps](#steps)
+1. [Outputs](#outputs)
+1. [GitHub App Integration](#github-app-integration)
+1. [See Also](#see-also)
+
+## Triggers
+This GitHub action will run under the following circumstances:
+1. When code is pushed to the `main` branch.
+1. When code is pushed to any branch with a name starting with `release/`.
+1. Workflow dispatch event, which is triggered manually using the "Workflow Dispatch" button in the Actions tab of the GitHub repository.
+
+## Inputs
+The inputs for this GitHub action are:
+1. `TRUSTEVM_CI_APP_ID` - the app ID of the `trustevm-ci-submodule-checkout` GitHub App.
+1. `TRUSTEVM_CI_APP_KEY` - the private key to the `trustevm-ci-submodule-checkout` GitHub App.
+1. `GITHUB_TOKEN` - a GitHub Actions intrinsic used to access the repository and other public resources.
+
+These inputs are used in various steps of the workflow to perform actions such as authentication, downloading artifacts, and uploading artifacts.
+
+## Steps
+This workflow performs the following steps:
+1. Authenticate to the `trustevm-ci-submodule-checkout` GitHub app using the [AntelopeIO/github-app-token-action](https://github.com/AntelopeIO/github-app-token-action) action to obtain an ephemeral token.
+1. Checkout the repo and submodules using the ephemeral token.
+1. Attach an annotation to the build with CI documentation.
+1. Download the CDT binary using the [AntelopeIO/asset-artifact-download-action](https://github.com/AntelopeIO/asset-artifact-download-action) action.
+1. Install the CDT binary.
+1. Build the TrustEVM contract using `make` and `cmake`.
+1. Upload the contract build folder to GitHub Actions.
+1. Download the `leap-dev` binary using [AntelopeIO/asset-artifact-download-action](https://github.com/AntelopeIO/asset-artifact-download-action) action.
+1. Install the `leap-dev` binary.
+1. Build the TrustEVM contract tests using `make` and `cmake`.
+1. Upload the build folder for the contract test code to GitHub Actions.
+
+## Outputs
+This workflow produces the following outputs:
+1. Contract Build Artifacts - `contract.tar.gz` containing the built contract from the `contract/build` folder.
+1. Contract Test Artifacts - `contract-test.tar.gz` containing the built contract test artifacts from the `contract/tests/build` folder.
+
+Note that, due to actions/upload-artifact [issue 39](https://github.com/actions/upload-artifact/issues/39) which has been open for over _three years_ and counting, the archives attached as artifacts will be zipped by GitHub when you download them such that you get a `*.zip` containing the `*.tar.gz`. There is nothing anyone can do about this except for GitHub.
+
+## GitHub App Integration
+This workflow uses the [AntelopeIO/github-app-token-action](https://github.com/AntelopeIO/github-app-token-action) GitHub action to assume the role of a GitHub application installed to the AntelopeIO organization to clone the private submodules. It requests a token from the GitHub app, clones everything using this token under the identity of the app, then the token expires. This is advantageous over a persistent API key from a GitHub service account because this does not consume a paid user seat, the "account" associated with the app cannot be logged into in the GitHub web UI, the app is scoped to exactly the permissions it needs to perform the clones for this repo _and nothing more_, and the API key expires very quickly so a bad actor who exfiltrates this key from the CI system should find it is not useful.
+
+**The downside is that if TrustEVM adds additional private submodules, the GitHub app must be granted permissions to these new submodules.** The CI system will not work until this happens.
+
+## See Also
+- [asset-artifact-download-action](https://github.com/AntelopeIO/asset-artifact-download-action) GitHub Action
+- [github-app-token-action](https://github.com/AntelopeIO/github-app-token-action) GitHub action
+- [TrustEVM Documentation](../../README.md)
+
+For assistance with the CI system, please open an issue in this repo or reach out in the `#help-automation` channel via IM.
+
+***
+**_Legal notice_**  
+This document was generated in collaboration with ChatGPT from OpenAI, a machine learning algorithm or weak artificial intelligence (AI). At the time of this writing, the [OpenAI terms of service agreement](https://openai.com/terms) §3.a states:
+> Your Content. You may provide input to the Services (“Input”), and receive output generated and returned by the Services based on the Input (“Output”). Input and Output are collectively “Content.” As between the parties and to the extent permitted by applicable law, you own all Input, and subject to your compliance with these Terms, OpenAI hereby assigns to you all its right, title and interest in and to Output.
+
+This notice is required in some countries.

.github/workflows/contract.yml

@@ -0,0 +1,82 @@
+name: TrustEVM Contract CI
+
+on:
+  push:
+    branches:
+      - main
+      - release/*
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: TrustEVM Contract Build
+    runs-on: ubuntu-20.04
+    env:
+      CC: gcc-10
+      CXX: g++-10
+
+    steps:
+      - name: Authenticate
+        id: auth
+        uses: AntelopeIO/github-app-token-action@v1
+        with:
+          app_id: ${{ secrets.TRUSTEVM_CI_APP_ID }}
+          private_key: ${{ secrets.TRUSTEVM_CI_APP_KEY }}
+
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: 'recursive'
+          token: ${{ steps.auth.outputs.token }}
+
+      - name: Attach Documentation
+        run: cat .github/workflows/contract.md >> $GITHUB_STEP_SUMMARY
+
+      - name: Download CDT
+        uses: AntelopeIO/asset-artifact-download-action@v2
+        with:
+          owner: AntelopeIO
+          repo: cdt
+          target: 'v3.1.0'
+          prereleases: false
+          file: 'cdt_.*amd64.deb'
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install CDT
+        run: sudo apt-get install -y ./cdt*.deb
+
+      - name: Build TrustEVM Contract
+        run: .github/workflows/build-contract.sh
+
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: contract.tar.gz
+          path: contract.tar.gz
+          if-no-files-found: error
+
+      - name: Download Leap - dev binary
+        uses: AntelopeIO/asset-artifact-download-action@v2
+        with:
+          owner: AntelopeIO
+          repo: leap
+          target: 'v3.1.3'
+          prereleases: false
+          file: 'leap-dev.*(x86_64|amd64).deb'
+          container-package: experimental-binaries
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Leap
+        run: sudo apt-get install -y ./leap*.deb
+
+      - name: Build TrustEVM Contract Tests
+        run: .github/workflows/build-contract-test.sh
+
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: contract-test.tar.gz
+          path: contract-test.tar.gz
+          if-no-files-found: error

README.md

@@ -115,3 +115,11 @@ https://github.com/eosnetworkfoundation/TrustEVM/blob/main/docs/local_testnet_de
 
 For public testnet deployment, please refer to 
 https://github.com/eosnetworkfoundation/TrustEVM/blob/main/docs/public_testnet_deployment_plan.md
+
+## CI
+This repo contains the following GitHub Actions workflows for CI:
+- TrustEVM Contract CI - build the TrustEVM contract and its associated tests
+    - [Pipeline](https://github.com/eosnetworkfoundation/TrustEVM/actions/workflows/contract.yml)
+    - [Documentation](./.github/workflows/contract.md)
+
+See the pipeline documentation for more information.