[FEAT] Add CI checks for cofhe-contracts #53

Draft
roeezolantz wants to merge 5 commits into master from feat/ci-checks
roeezolantz (Contributor) commented Feb 26, 2026

Summary

Adds a comprehensive CI pipeline (checks.yml) with 5 parallel jobs to catch issues before merge. The existing test.yml is untouched.

  • Storage layout snapshot validation — prevents accidental storage slot changes that would brick UUPS upgrades for TaskManager, ACL, and PlaintextsStorage
  • Contract size enforcement — enforces the 24KB EVM bytecode limit (currently masked by Hardhat's allowUnlimitedContractSize: true)
  • Solhint linting — static lint with project-specific rule overrides matching existing code patterns
  • Slither static analysis — catches medium+ severity findings (informational/optimization excluded)
  • Gas reporting — runs tests with hardhat-gas-reporter and uploads the report as a CI artifact

New Files

| File | Purpose |
| --- | --- |
| .github/workflows/checks.yml | CI workflow with 5 parallel jobs |
| tasks/storageLayout.ts | Hardhat task: extract & validate storage layout via @openzeppelin/upgrades-core |
| tasks/checkContractSize.ts | Hardhat task: enforce 24KB bytecode limit, warn at 22KB |
| .solhint.json | Solhint config (extends solhint:recommended) |
| .solhintignore | Excludes node_modules/, contracts/tests/, contracts/detereministic-tm/ |
| slither.config.json | Slither config (filter paths, exclude informational, fail on medium+) |
| storage-layout-snapshot.json | Initial storage layout snapshot |

Modified Files

| File | Change |
| --- | --- |
| tasks/index.ts | Exports new tasks |
| package.json | Added solhint devDep + scripts: storage-layout:generate, storage-layout:check, check:size, lint:sol |
| hardhat.config.ts | Added gasReporter config (gated by REPORT_GAS env var) |

New Scripts

pnpm storage-layout:generate  # Generate/update storage-layout-snapshot.json
pnpm storage-layout:check     # Validate current layout matches snapshot (CI)
pnpm check:size                # Check contract sizes against 24KB limit
pnpm lint:sol                  # Run Solhint

Local Verification

All checks pass locally:

pnpm compile             ✅
pnpm test                ✅ 32/32 passing
pnpm lint:sol            ✅ (1 warning: unused Strings import in TaskManager.sol)
pnpm storage-layout:check ✅
pnpm check:size          ✅ TaskManager 66.8%, ACL 37.2%, PlaintextsStorage 9.2%, ERC1967Proxy 0.4%

Current Contract Sizes

| Contract | Size | % of 24KB Limit |
| --- | --- | --- |
| TaskManager | 16,428 bytes | 66.8% |
| ACL | 9,130 bytes | 37.2% |
| PlaintextsStorage | 2,258 bytes | 9.2% |
| ERC1967Proxy | 100 bytes | 0.4% |

Notes

  • Solhint flags an unused Strings import in TaskManager.sol as a warning (not error). Consider removing it in a follow-up.
  • Slither job uses crytic/slither-action@v0.4.0 with solc 0.8.25 pinned.
  • Gas report is uploaded as a CI artifact with 30-day retention.

Test plan

  • Verify checks.yml CI jobs all pass on this PR
  • Confirm existing test.yml is unaffected
  • Modify a storage slot locally and verify storage-layout:check fails
  • Verify Slither doesn't produce false-positive medium+ findings

…, gas report

Add comprehensive CI pipeline for cofhe-contracts with 5 parallel jobs:

- Storage layout snapshot validation to catch breaking upgrade changes
- Contract size enforcement (24KB EVM limit)
- Solhint linting with project-specific rule overrides
- Slither static analysis (medium+ severity)
- Gas usage reporting uploaded as CI artifact
- Initialize `combined` variable explicitly (`bytes memory combined = ""`)
- Add slither-disable comments for false-positive unused-return on
  ECDSA.tryRecover tuple destructuring and getDecryptResultSafe forwarding
- Exclude low-severity false positives from Slither config (trusted
  contract calls in loops, reentrancy-events, missing-zero-check on
  intentionally-nullable signers, timestamp, events-maths)
…t CI)

This commit intentionally adds a new storage variable to break the
storage layout snapshot check. Expected CI failure: storage-layout job.
…lity

Replace exact JSON comparison with OZ's getStorageUpgradeReport which
understands UUPS upgrade rules: appending variables is safe, inserting
or reordering is breaking. Stores raw StorageLayout in snapshot for
direct use by the compatibility checker.
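
The difference the last commit message describes, between an exact snapshot comparison and an append-aware compatibility check, as an added example; it is not code from this PR and not the @openzeppelin/upgrades-core implementation. The `StorageVar` shape, the function names and the sample layouts are assumptions constructed for illustration.

```typescript
// Simplified model of one storage variable (field names are this example's own).
interface StorageVar { label: string; type: string; slot: number; offset: number }

// Exact comparison: any difference, including a safe append, counts as a failure.
function exactMatch(snapshot: StorageVar[], current: StorageVar[]): boolean {
  return JSON.stringify(snapshot) === JSON.stringify(current);
}

// Append-only rule: every snapshot variable must keep its position, slot, offset
// and type; variables added after the last snapshot entry are accepted.
// Returns a list of problems; an empty list means the layouts are compatible.
function appendOnlyCheck(snapshot: StorageVar[], current: StorageVar[]): string[] {
  const problems: string[] = [];
  snapshot.forEach((old, i) => {
    const now = current[i];
    if (!now) {
      problems.push(`${old.label}: removed`);
    } else if (now.label !== old.label) {
      problems.push(`${old.label}: position ${i} now holds ${now.label} (insert or reorder)`);
    } else if (now.type !== old.type) {
      problems.push(`${old.label}: type changed ${old.type} -> ${now.type}`);
    } else if (now.slot !== old.slot || now.offset !== old.offset) {
      problems.push(`${old.label}: moved to slot ${now.slot}, offset ${now.offset}`);
    }
  });
  return problems;
}

// Constructed layouts (not taken from storage-layout-snapshot.json).
const owner: StorageVar = { label: "owner", type: "t_address", slot: 0, offset: 0 };
const counter: StorageVar = { label: "counter", type: "t_uint256", slot: 1, offset: 0 };
const fee: StorageVar = { label: "fee", type: "t_uint256", slot: 1, offset: 0 };

const snapshot: StorageVar[] = [owner, counter];
// Safe: new variable appended after the existing ones.
const appended: StorageVar[] = [owner, counter, { ...fee, slot: 2 }];
// Breaking: new variable inserted before `counter`, pushing it to slot 2.
const inserted: StorageVar[] = [owner, fee, { ...counter, slot: 2 }];

console.log("append, exact match:", exactMatch(snapshot, appended));
console.log("append, problems:", appendOnlyCheck(snapshot, appended));
console.log("insert, problems:", appendOnlyCheck(snapshot, inserted));
```

The exact comparison rejects the appended layout even though no existing slot moved, which is the false failure the append-aware check avoids while still catching the insertion.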