d-bis/smom-dbis-138
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Oracle Aggregator and CCIP Integration

Browse Source 
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
This commit is contained in:
defiQUG
2025-12-12 14:57:48 -08:00
parent a1466e4005
commit 1fb7266469
1720 changed files with 241279 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

178
.github/workflows/ci.yml vendored Normal file
View File

@@ -0,0 +1,178 @@
name: CI/CD Pipeline
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
env:
SOLIDITY_VERSION: "0.8.19"
FOUNDRY_VERSION: "nightly"
jobs:
# Compile and test Solidity contracts
solidity:
name: Solidity Contracts
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Foundry
uses: foundry-rs/foundry-toolchain@v1
with:
version: ${{ env.FOUNDRY_VERSION }}
- name: Install dependencies
run: |
# Install OpenZeppelin if needed (for contracts requiring it)
# Note: New WETH contracts (WETH10, CCIPWETH9Bridge, CCIPWETH10Bridge) are independent
# Existing CCIP contracts (CCIPSender, CCIPRouter, etc.) require OpenZeppelin
if [ -d ".git" ]; then
forge install OpenZeppelin/openzeppelin-contracts --no-commit || echo "OpenZeppelin may already be installed or git not initialized"
else
echo "Git not initialized - skipping OpenZeppelin installation"
echo "Note: Contracts requiring OpenZeppelin will not compile"
fi
- name: Compile contracts
run: forge build
- name: Run tests
run: forge test --gas-report
- name: Run Slither
run: |
pip install slither-analyzer
chmod +x scripts/security/slither-scan.sh
./scripts/security/slither-scan.sh || true
continue-on-error: true
- name: Run Mythril
run: |
pip install mythril
chmod +x scripts/security/mythril-scan.sh
./scripts/security/mythril-scan.sh || true
continue-on-error: true
- name: Run SolidityScan
if: ${{ secrets.SOLIDITYSCAN_API_KEY != '' }}
run: |
pip install solidityscan
solidityscan --api-key ${{ secrets.SOLIDITYSCAN_API_KEY }} --project-path . || true
continue-on-error: true
env:
SOLIDITYSCAN_API_KEY: ${{ secrets.SOLIDITYSCAN_API_KEY }}
- name: Upload Slither reports
uses: actions/upload-artifact@v4
if: always()
with:
name: slither-reports
path: reports/slither/
- name: Upload Mythril reports
uses: actions/upload-artifact@v4
if: always()
with:
name: mythril-reports
path: reports/mythril/
# Security scanning
security:
name: Security Scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy container scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
continue-on-error: true
- name: Upload Trivy results
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
continue-on-error: true
- name: Run Snyk security scan
uses: snyk/actions/setup@master
continue-on-error: true
- name: Snyk test
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
continue-on-error: true
with:
args: --severity-threshold=high
# Lint and format check
lint:
name: Lint and Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Foundry
uses: foundry-rs/foundry-toolchain@v1
with:
version: ${{ env.FOUNDRY_VERSION }}
- name: Check formatting
run: forge fmt --check
- name: Lint YAML files
uses: ibiqlik/action-yamllint@v3
with:
file_or_dir: .
config_file: .yamllint.yml
continue-on-error: true
# Terraform validation
terraform:
name: Terraform Validation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: "1.6.0"
- name: Terraform Init
working-directory: terraform
run: terraform init -backend=false
- name: Terraform Validate
working-directory: terraform
run: terraform validate
- name: Terraform Format Check
working-directory: terraform
run: terraform fmt -check
# Kubernetes manifest validation
kubernetes:
name: Kubernetes Validation
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install kubectl
uses: azure/setup-kubectl@v3
- name: Validate Kubernetes manifests
run: |
for file in $(find k8s helm -name "*.yaml" -o -name "*.yml"); do
echo "Validating $file"
kubectl apply --dry-run=client -f "$file" || true
done
continue-on-error: true

199
.github/workflows/deploy.yml vendored Normal file
View File

@@ -0,0 +1,199 @@
name: Deploy ChainID 138
on:
workflow_dispatch:
inputs:
environment:
description: 'Deployment environment'
required: true
default: 'staging'
type: choice
options:
- staging
- production
skip_infrastructure:
description: 'Skip infrastructure deployment'
required: false
default: false
type: boolean
skip_kubernetes:
description: 'Skip Kubernetes deployment'
required: false
default: false
type: boolean
skip_blockscout:
description: 'Skip Blockscout deployment'
required: false
default: false
type: boolean
skip_contracts:
description: 'Skip contract deployment'
required: false
default: false
type: boolean
skip_cloudflare:
description: 'Skip Cloudflare DNS configuration'
required: false
default: false
type: boolean
push:
branches:
- main
paths:
- 'scripts/deployment/**'
- 'terraform/**'
- 'k8s/**'
- '.github/workflows/deploy.yml'
env:
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_RESOURCE_GROUP: ${{ secrets.AZURE_RESOURCE_GROUP }}
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
RPC_URL: ${{ secrets.RPC_URL }}
EXPLORER_URL: ${{ secrets.EXPLORER_URL }}
jobs:
deploy:
name: Deploy ChainID 138
runs-on: ubuntu-latest
environment: ${{ github.event.inputs.environment || 'staging' }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Azure CLI
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Set up Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.6.0
- name: Set up kubectl
uses: azure/setup-kubectl@v3
version: 'latest'
- name: Set up Helm
uses: azure/setup-helm@v3
version: 'latest'
- name: Set up Foundry
uses: foundry-rs/foundry-toolchain@v1
with:
version: nightly
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y jq curl dnsutils
npm install -g ajv-cli
- name: Make scripts executable
run: chmod +x scripts/deployment/*.sh
- name: Create .env file
run: |
cat > .env << EOF
AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
AZURE_TENANT_ID=${{ env.AZURE_TENANT_ID }}
AZURE_CLIENT_ID=${{ env.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET=${{ env.AZURE_CLIENT_SECRET }}
AZURE_RESOURCE_GROUP=${{ env.AZURE_RESOURCE_GROUP }}
CLOUDFLARE_API_TOKEN=${{ env.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ZONE_ID=${{ env.CLOUDFLARE_ZONE_ID }}
PRIVATE_KEY=${{ env.PRIVATE_KEY }}
RPC_URL=${{ env.RPC_URL }}
EXPLORER_URL=${{ env.EXPLORER_URL }}
EOF
- name: Deploy infrastructure
if: ${{ !github.event.inputs.skip_infrastructure }}
run: |
./scripts/deployment/deploy-all.sh \
--skip-kubernetes \
--skip-blockscout \
--skip-contracts \
--skip-cloudflare
continue-on-error: true
- name: Configure Cloudflare DNS
if: ${{ !github.event.inputs.skip_cloudflare }}
run: |
# Get Application Gateway IP
APP_GATEWAY_IP=$(az network application-gateway show \
--resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
--name $(cd terraform && terraform output -raw app_gateway_name) \
--query "frontendIPConfigurations[0].publicIpAddress.id" \
-o tsv | xargs az network public-ip show --ids --query ipAddress -o tsv)
./scripts/deployment/cloudflare-dns.sh \
--zone-id ${{ env.CLOUDFLARE_ZONE_ID }} \
--api-token ${{ env.CLOUDFLARE_API_TOKEN }} \
--ip $APP_GATEWAY_IP
continue-on-error: true
- name: Deploy Kubernetes resources
if: ${{ !github.event.inputs.skip_kubernetes }}
run: |
./scripts/deployment/deploy-all.sh \
--skip-infrastructure \
--skip-blockscout \
--skip-contracts \
--skip-cloudflare
continue-on-error: true
- name: Deploy Blockscout
if: ${{ !github.event.inputs.skip_blockscout }}
run: |
./scripts/deployment/deploy-all.sh \
--skip-infrastructure \
--skip-kubernetes \
--skip-contracts \
--skip-cloudflare
continue-on-error: true
- name: Deploy contracts
if: ${{ !github.event.inputs.skip_contracts }}
run: |
./scripts/deployment/deploy-all.sh \
--skip-infrastructure \
--skip-kubernetes \
--skip-blockscout \
--skip-cloudflare
continue-on-error: true
- name: Update token list
if: ${{ !github.event.inputs.skip_contracts }}
run: |
./scripts/deployment/update-token-list.sh
continue-on-error: true
- name: Verify deployment
run: |
./scripts/deployment/verify-deployment.sh
continue-on-error: true
- name: Upload deployment artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: deployment-artifacts
path: |
contracts-deployed.json
deployment.log
deployment-verification-report.md
retention-days: 30

176
.github/workflows/multi-cloud-deploy.yml vendored Normal file
View File

@@ -0,0 +1,176 @@
name: Multi-Cloud Deployment
on:
workflow_dispatch:
inputs:
environment:
description: 'Environment name to deploy'
required: true
type: choice
options:
- all
- admin-azure-westus
- workload-azure-eastus
- workload-aws-usw2
- workload-gcp-ew1
- workload-hci-dc1
strategy:
description: 'Deployment strategy'
required: false
default: 'blue-green'
type: choice
options:
- blue-green
- canary
- rolling
dry_run:
description: 'Dry run (plan only)'
required: false
default: false
type: boolean
env:
TF_VERSION: "1.6.0"
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
jobs:
load-environments:
runs-on: ubuntu-latest
outputs:
environments: ${{ steps.parse.outputs.environments }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Parse environments.yaml
id: parse
run: |
python3 << 'EOF'
import yaml
import json
with open('config/environments.yaml', 'r') as f:
config = yaml.safe_load(f)
environments = config.get('environments', [])
enabled = [e['name'] for e in environments if e.get('enabled', False)]
print(f"environments={json.dumps(enabled)}")
EOF
id: parse
terraform-plan:
needs: load-environments
runs-on: ubuntu-latest
strategy:
matrix:
environment: ${{ fromJson(needs.load-environments.outputs.environments) }}
if: |
github.event.inputs.environment == 'all' ||
github.event.inputs.environment == matrix.environment
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TF_VERSION }}
- name: Terraform Init
working-directory: terraform/multi-cloud
run: terraform init
- name: Terraform Plan
working-directory: terraform/multi-cloud
env:
TF_VAR_environment: ${{ matrix.environment }}
run: |
terraform plan \
-var="environment=${{ matrix.environment }}" \
-out=tfplan-${{ matrix.environment }}.tfplan
- name: Upload Plan
uses: actions/upload-artifact@v4
with:
name: tfplan-${{ matrix.environment }}
path: terraform/multi-cloud/tfplan-${{ matrix.environment }}.tfplan
terraform-apply:
needs: [load-environments, terraform-plan]
runs-on: ubuntu-latest
if: github.event.inputs.dry_run == false
strategy:
matrix:
environment: ${{ fromJson(needs.load-environments.outputs.environments) }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.TF_VERSION }}
- name: Download Plan
uses: actions/download-artifact@v4
with:
name: tfplan-${{ matrix.environment }}
path: terraform/multi-cloud
- name: Terraform Apply
working-directory: terraform/multi-cloud
env:
TF_VAR_environment: ${{ matrix.environment }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
GOOGLE_APPLICATION_CREDENTIALS: ${{ secrets.GCP_SA_KEY }}
run: |
terraform apply -auto-approve tfplan-${{ matrix.environment }}.tfplan
deploy-applications:
needs: [load-environments, terraform-apply]
runs-on: ubuntu-latest
if: github.event.inputs.dry_run == false
strategy:
matrix:
environment: ${{ fromJson(needs.load-environments.outputs.environments) }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Helm
uses: azure/setup-helm@v3
with:
version: '3.13.0'
- name: Deploy Besu Network
run: |
# Get kubeconfig for environment
# Deploy Helm charts
helm upgrade --install besu-network ./helm/besu-network \
--namespace besu-network \
--create-namespace \
--set environment=${{ matrix.environment }}
- name: Verify Deployment
run: |
# Check pod status
kubectl get pods -n besu-network
kubectl wait --for=condition=ready pod -l app=besu-validator -n besu-network --timeout=300s
notify:
needs: [terraform-apply, deploy-applications]
runs-on: ubuntu-latest
if: always()
steps:
- name: Notify Deployment Status
run: |
echo "Deployment completed"
# Add notification logic (Slack, Teams, etc.)

45
.github/workflows/update-assets.yml vendored Normal file
View File

@@ -0,0 +1,45 @@
# GitHub Actions workflow for updating Azure Architecture Icons
# This workflow can be run manually to update Azure icons
name: Update Azure Icons
on:
workflow_dispatch:
inputs:
force_update:
description: 'Force update even if icons exist'
required: false
default: 'false'
type: boolean
jobs:
update-icons:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Setup assets directory
run: |
chmod +x scripts/assets/*.sh
./scripts/assets/setup-assets.sh
- name: Download Azure icons
run: |
./scripts/assets/download-azure-icons.sh
continue-on-error: true
- name: Create stencil
run: |
./scripts/assets/create-diagram-stencil.sh
- name: Commit changes
if: success()
run: |
git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git add assets/
git diff --staged --quiet || git commit -m "Update Azure Architecture Icons [skip ci]"
git push
continue-on-error: true

74
.github/workflows/validate-token-list.yml vendored Normal file
View File

@@ -0,0 +1,74 @@
name: Validate Token List
on:
push:
paths:
- 'metamask/token-list.json'
- '.github/workflows/validate-token-list.yml'
pull_request:
paths:
- 'metamask/token-list.json'
- '.github/workflows/validate-token-list.yml'
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install dependencies
run: |
npm install -g ajv-cli
- name: Validate JSON schema
run: |
ajv validate -s metamask/token-list.schema.json -d metamask/token-list.json
- name: Validate token addresses
run: |
node -e "
const fs = require('fs');
const list = JSON.parse(fs.readFileSync('metamask/token-list.json', 'utf8'));
const addressRegex = /^0x[a-fA-F0-9]{40}$/;
list.tokens.forEach((token, i) => {
if (!addressRegex.test(token.address)) {
throw new Error(\`Token \${i}: Invalid address format: \${token.address}\`);
}
if (token.chainId !== 138) {
throw new Error(\`Token \${i}: Invalid chainId: \${token.chainId}\`);
}
if (token.decimals < 0 || token.decimals > 18) {
throw new Error(\`Token \${i}: Invalid decimals: \${token.decimals}\`);
}
});
console.log('Token list validation passed');
"
- name: Check logo availability
run: |
node -e "
const fs = require('fs');
const https = require('https');
const list = JSON.parse(fs.readFileSync('metamask/token-list.json', 'utf8'));
const promises = [];
if (list.logoURI) promises.push(checkUrl(list.logoURI));
list.tokens.forEach(token => {
if (token.logoURI) promises.push(checkUrl(token.logoURI));
});
Promise.all(promises).then(() => console.log('Logo URLs validated'));
function checkUrl(url) {
return new Promise((resolve, reject) => {
https.get(url, (res) => {
if (res.statusCode === 200) resolve();
else reject(new Error(\`Failed to fetch \${url}: \${res.statusCode}\`));
}).on('error', reject);
});
}
" || echo "Warning: Logo URL validation failed (may be expected for local development)"

121
.github/workflows/validation.yml vendored Normal file
View File

@@ -0,0 +1,121 @@
name: Validation
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
workflow_dispatch:
jobs:
validate-genesis:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install jq
run: sudo apt-get update && sudo apt-get install -y jq
- name: Validate genesis file
run: ./scripts/validation/validate-genesis.sh
validate-terraform:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
- name: Terraform Format Check
run: |
cd terraform
terraform fmt -check
- name: Terraform Validate
run: |
cd terraform
terraform init -backend=false
terraform validate
- name: Terraform Security Scan
uses: bridgecrewio/checkov-action@master
with:
directory: terraform
framework: terraform
validate-kubernetes:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install kubectl
uses: azure/setup-kubectl@v3
- name: Validate Kubernetes manifests
run: |
kubectl apply --dry-run=client -f k8s/base/namespace.yaml
kubectl apply --dry-run=client -f k8s/base/validators/statefulset.yaml
kubectl apply --dry-run=client -f k8s/base/sentries/statefulset.yaml
kubectl apply --dry-run=client -f k8s/base/rpc/statefulset.yaml
- name: Kubernetes Security Scan
uses: ludovico85/kube-score-action@v1
with:
path: k8s
validate-smart-contracts:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Foundry
uses: foundry-rs/foundry-toolchain@v1
- name: Run tests
run: forge test
- name: Run fuzz tests
run: forge test --fuzz-runs 1000
- name: Check formatting
run: forge fmt --check
- name: Smart Contract Security Scan
uses: crytic/slither-action@v0.10.0
with:
target: 'contracts'
validate-security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Container Security Scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: 'hyperledger/besu:23.10.0'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
validate-documentation:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Check documentation
run: |
# Check if all required documentation exists
test -f README.md || exit 1
test -f CONTRIBUTING.md || exit 1
test -f CHANGELOG.md || exit 1
test -f docs/DEPLOYMENT.md || exit 1
test -f docs/ARCHITECTURE.md || exit 1
test -f docs/SECURITY.md || exit 1

68
.github/workflows/verify-deployment.yml vendored Normal file
View File

@@ -0,0 +1,68 @@
name: Verify Deployment
on:
schedule:
- cron: '0 */6 * * *' # Every 6 hours
workflow_dispatch:
push:
branches:
- main
paths:
- 'scripts/deployment/**'
- '.github/workflows/verify-deployment.yml'
env:
RPC_URL: ${{ secrets.RPC_URL || 'https://rpc.d-bis.org' }}
EXPLORER_URL: ${{ secrets.EXPLORER_URL || 'https://explorer.d-bis.org' }}
jobs:
verify:
name: Verify Deployment
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y jq curl dnsutils
- name: Make scripts executable
run: chmod +x scripts/deployment/*.sh
- name: Verify deployment
run: |
./scripts/deployment/verify-deployment.sh
continue-on-error: true
- name: Upload verification report
if: always()
uses: actions/upload-artifact@v4
with:
name: verification-report
path: deployment-verification-report.md
retention-days: 30
- name: Create issue on failure
if: failure()
uses: actions/github-script@v7
with:
script: |
const title = 'Deployment Verification Failed';
const body = `Deployment verification failed. See [verification report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details.`;
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: title,
body: body,
labels: ['deployment', 'verification', 'bug']
});