Add build CI, remappings validation, and ERC721 Medusa coverage#107
Lightweight build workflow that verifies Foundry and Hardhat compilation succeeds for both root contracts and all test harnesses (ERC20, ERC721, ERC4626). Catches remapping, config, and dependency issues early. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Validates that all remapping targets in every remappings.txt actually exist on disk, resolving paths through Foundry's libs config. Catches broken remappings early (like the issue in PR#82/#90). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Medusa CI workflow covered ERC20 and ERC4626 but was missing ERC721. Add internal and external Medusa configs for ERC721 (modeled after ERC20) and wire them into the medusa.yaml workflow. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
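The remapping validation described in the second commit above, reimplemented as an added example (this is not the PR's own script, which is the shell step in the build workflow). It performs the same check, every remappings.txt target must exist under the remappings directory or one of the `libs` directories from foundry.toml, and additionally handles the inputs a `while read` loop in sh mishandles: a multi-line `libs` array, `#` comment and blank lines, CRLF line endings, a file with no trailing newline, and targets that are files rather than directories. Two assumptions of mine: `libs` is pulled from the first `libs = [...]` array in foundry.toml regardless of profile (mirroring the PR's `grep "^libs"`), and `lib/` and `node_modules/` are skipped at any depth, not only at the repository root.

```python
"""Added example, not the PR's own check: validate that every remappings.txt
target resolves on disk, against the remappings dir and its foundry.toml libs."""
import os
import re
import sys

# Matches `libs = [ ... ]`, including arrays spread over several lines.
# Assumption: first match wins, whichever profile it sits in (like the PR's grep).
LIBS_RE = re.compile(r'^\s*libs\s*=\s*\[(.*?)\]', re.S | re.M)


def parse_libs(foundry_toml_text):
    """Return the libs array from foundry.toml text, or [] when absent.
    Not a full TOML parser; it only extracts the quoted strings of the array."""
    m = LIBS_RE.search(foundry_toml_text)
    if not m:
        return []
    return re.findall(r'["\']([^"\']+)["\']', m.group(1))


def parse_remappings(text):
    """Return (prefix, target) pairs. Blank and `#` lines are skipped; CRLF and a
    missing final newline are tolerated (sh `read` drops an unterminated last line)."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix, sep, target = line.partition("=")
        if not sep or not prefix or not target:
            raise ValueError(f"malformed remapping line: {raw!r}")
        pairs.append((prefix.strip(), target.strip()))
    return pairs


def find_broken(pairs, directory, libs, exists=os.path.exists):
    """Return the pairs whose target exists under neither `directory` nor any
    `directory/<lib>`. `exists` is injectable so the resolution logic can be
    tested without a filesystem; files count as valid targets (unlike `[ -d ]`)."""
    bases = [directory] + [os.path.join(directory, lib) for lib in libs]
    broken = []
    for prefix, target in pairs:
        candidates = (os.path.normpath(os.path.join(b, target)) for b in bases)
        if not any(exists(c) for c in candidates):
            broken.append((prefix, target))
    return broken


def check_remappings_file(path):
    """Validate one remappings.txt; returns GitHub-annotation style error lines."""
    directory = os.path.dirname(path) or "."
    libs = []
    toml_path = os.path.join(directory, "foundry.toml")
    if os.path.isfile(toml_path):
        with open(toml_path, encoding="utf-8") as f:
            libs = parse_libs(f.read())
    with open(path, encoding="utf-8") as f:
        pairs = parse_remappings(f.read())
    return [f"::error file={path}::Broken remapping: {p}={t} (target '{t}' not found)"
            for p, t in find_broken(pairs, directory, libs)]


def check_tree(root="."):
    """Walk `root` for remappings.txt files, skipping dependency directories at
    any depth (assumption; the PR's find skips only the top-level ones)."""
    skip = {"lib", "node_modules", ".git"}
    errors = []
    for cur, dirs, files in os.walk(root):
        dirs[:] = sorted(d for d in dirs if d not in skip)
        if "remappings.txt" in files:
            errors.extend(check_remappings_file(os.path.join(cur, "remappings.txt")))
    return errors


if __name__ == "__main__":
    # Usage: python validate_remappings.py [repo-root]; exit 1 on any broken target.
    problems = check_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(problems) if problems else "all remapping targets resolve")
    sys.exit(1 if problems else 0)
```

Run it from the repository root in place of (or alongside) the shell step; the `::error file=...::` lines surface as annotations on the PR the same way the workflow's echo does. Accepting file targets matters for Foundry remappings that point at a single `.sol` file, which the `-d` test in the shell version reports as broken.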
| name: Validate remappings | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Check all remapping targets exist | ||
| run: | | ||
| rc=0 | ||
| for file in $(find . -name remappings.txt -not -path './lib/*' -not -path './node_modules/*'); do | ||
| dir=$(dirname "$file") | ||
| # Collect search bases: the remappings dir + libs from foundry.toml | ||
| bases="$dir" | ||
| if [ -f "$dir/foundry.toml" ]; then | ||
| for lib in $(grep "^libs" "$dir/foundry.toml" | sed "s/.*\[//;s/\].*//;s/'//g;s/\"//g;s/,/ /g"); do | ||
| bases="$bases $dir/$lib" | ||
| done | ||
| fi | ||
| while IFS= read -r line; do | ||
| [ -z "$line" ] && continue | ||
| target=$(echo "$line" | sed 's/.*=//') | ||
| found=false | ||
| for base in $bases; do | ||
| if [ -d "$base/$target" ]; then | ||
| found=true | ||
| break | ||
| fi | ||
| done | ||
| if [ "$found" = false ]; then | ||
| echo "::error file=$file::Broken remapping: $line (target '$target' not found)" | ||
| rc=1 | ||
| fi | ||
| done < "$file" | ||
| done | ||
| exit $rc | ||
|
|
||
| foundry-root: |
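Review bot: the `Check all remapping targets exist` step has three gaps that let a broken remapping through or flag a valid one. `while IFS= read -r line; do ... done < "$file"` skips the final line of a remappings.txt without a trailing newline (use `while IFS= read -r line || [ -n "$line" ]; do`); `[ -d "$base/$target" ]` rejects targets that are files rather than directories (use `-e`); and `sed 's/.*=//'` is applied to `#` comment lines as well, so a comment containing `=` is reported as broken. Also, `grep "^libs"` only sees a single-line `libs = [...]` array, so a multi-line array adds no bases beyond `$dir`, and `for file in $(find ...)` word-splits any path containing whitespace; `find ... -print0 | while IFS= read -r -d '' file` avoids that.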
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 11 days ago)
In general, the fix is to add an explicit permissions block that grants only the minimal necessary scopes to the GITHUB_TOKEN. Since this workflow only checks out code and runs build/test commands, it can safely operate with read-only access to repository contents. The simplest and clearest solution is to add a top-level permissions: block (at the root of the workflow, alongside name and on) with contents: read, which will apply to all jobs in this workflow.
Concretely, edit .github/workflows/build.yaml and insert:
permissions:
  contents: read
between the name: Build line and the on: block (lines 1–3 in the given snippet). This will not change any existing behavior of the jobs, since actions/checkout and the other actions used only require read access to repository contents. No other lines or jobs need individual permissions blocks unless you later introduce steps that require additional scopes.
| @@ -1,5 +1,8 @@ | ||
| name: Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
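Review bot: all five CodeQL findings on this workflow are the same missing top-level `permissions:` block, so applying this one suggestion (`permissions:` / `contents: read` between `name: Build` and `on:`) resolves every job at once; the four further autofix suggestions below are duplicates and should not each be applied, or the key will be repeated in the YAML. `contents: read` is sufficient here because every job only checks out and compiles.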
| name: Compile root contracts (Foundry) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Install Foundry | ||
| uses: foundry-rs/foundry-toolchain@v1 | ||
|
|
||
| - name: Run forge build | ||
| run: forge build | ||
|
|
||
| foundry-tests: |
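Review bot: `foundry-rs/foundry-toolchain@v1` in `Install Foundry` is used without a `version:` input, so the job installs whatever the action's default channel resolves to (nightly, going by the later `[profile.ci]` commit that works around a nightly behaviour change), and a toolchain update can break or silently alter the build. Pin `with: version:` to a released Foundry version, and consider pinning both actions to a commit SHA rather than the mutable `@v1` / `@v6` tags.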
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 11 days ago)
In general, fix this by explicitly declaring a minimal permissions block in the workflow, either at the top level (applies to all jobs) or per job, granting only what is needed (here, read access to contents). This ensures the GITHUB_TOKEN cannot be used with broader write permissions, even if repository defaults are permissive.
The best minimal fix without changing existing functionality is to add a root-level permissions block right after the name: Build line, setting contents: read. All the jobs (validate-remappings, foundry-root, foundry-tests, hardhat-root, and any elided ones like hardhat-tests) only need to check out code and run commands; they do not perform write operations against the GitHub API. No extra imports or dependencies are required; it is a pure YAML modification.
Concretely, edit .github/workflows/build.yaml near the top: insert
permissions:
  contents: read
between line 1 (name: Build) and line 3 (on:). This will satisfy CodeQL’s requirement and lock GITHUB_TOKEN down to read-only repository contents for all jobs that do not override permissions. No other regions/lines need to change.
| @@ -1,4 +1,6 @@ | ||
| name: Build | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
| name: Compile ${{ matrix.standard }} test harness (Foundry) | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| standard: [ERC20, ERC721, ERC4626] | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Install Foundry | ||
| uses: foundry-rs/foundry-toolchain@v1 | ||
|
|
||
| - name: Run forge build | ||
| working-directory: tests/${{ matrix.standard }}/foundry | ||
| run: forge build | ||
|
|
||
| hardhat-root: |
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 11 days ago)
To fix the problem, explicitly declare restricted GITHUB_TOKEN permissions in the workflow. Since all jobs just check out code and build/test, they only require read access to repository contents. The simplest and safest fix is to add a root‑level permissions block (so it applies to all jobs that don’t override it) with contents: read. This avoids changing any existing behavior of the build/test steps while ensuring the token cannot perform write operations.
Concretely, in .github/workflows/build.yaml, add:
permissions:
  contents: read
immediately after the name: Build line (line 1) and before the on: block (line 3). This will satisfy CodeQL’s requirement for explicit minimal permissions and apply uniformly to validate-remappings, foundry-root, foundry-tests, hardhat-root, and any other jobs in this workflow. No additional imports, methods, or other definitions are needed.
| @@ -1,4 +1,6 @@ | ||
| name: Build | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
| name: Compile root contracts (Hardhat) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 22 | ||
|
|
||
| - name: Install dependencies | ||
| run: npm install | ||
|
|
||
| - name: Run hardhat compile | ||
| run: npx hardhat compile | ||
|
|
||
| hardhat-tests: |
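Review bot: `npm install` in `Install dependencies` resolves from the package.json ranges and may rewrite package-lock.json, so the build is not reproducible against the lockfile and a newly published dependency version can change what CI compiles. Use `npm ci`, which installs exactly the locked versions and fails if the lockfile and manifest disagree; `cache: npm` on `actions/setup-node` then keys the cache on that lockfile.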
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 11 days ago)
To fix this, explicitly restrict the GITHUB_TOKEN permissions used by this workflow to the minimal scope needed. All jobs here only read the repository contents (via actions/checkout and subsequent builds), and do not push changes, create releases, or modify issues/PRs. The least-privilege configuration is to set permissions: contents: read. The cleanest way without changing behavior is to add a single permissions: block at the workflow root (top level), so it applies to all jobs that do not override it.
Concretely, in .github/workflows/build.yaml, add a top-level permissions: section between the name: and on: keys (around lines 1–3). Use:
permissions:
  contents: read
This leaves all job logic unchanged while ensuring that the GITHUB_TOKEN has read-only access to repository contents for all jobs, including hardhat-root. No additional methods, imports, or definitions are needed because this is purely a YAML configuration change.
| @@ -1,5 +1,8 @@ | ||
| name: Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
| name: Compile ${{ matrix.standard }} test harness (Hardhat) | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| standard: [ERC20, ERC721, ERC4626] | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 22 | ||
|
|
||
| - name: Install dependencies | ||
| working-directory: tests/${{ matrix.standard }}/hardhat | ||
| run: npm install | ||
|
|
||
| - name: Run hardhat compile | ||
| working-directory: tests/${{ matrix.standard }}/hardhat | ||
| run: npx hardhat compile |
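Review bot: `working-directory: tests/${{ matrix.standard }}/hardhat` is repeated on both run steps; a job-level `defaults: run: working-directory:` keeps them in sync if a step is added later. The `npm ci` point raised on hardhat-root applies to this job's `Install dependencies` step as well.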
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 11 days ago)
To fix the problem, explicitly set minimal GITHUB_TOKEN permissions for the workflow. The simplest and best approach without changing existing functionality is to add a top-level permissions block applying to all jobs. Since all jobs just check out code and run builds/tests, they only need read access to repository contents, so contents: read is sufficient.
Concretely, in .github/workflows/build.yaml, add a root-level permissions section after the name: Build line and before the on: block:
permissions:
  contents: read
This will restrict the token for all jobs (validate-remappings, foundry-root, foundry-tests, hardhat-root, hardhat-tests) to read-only access to repository contents, resolving the CodeQL finding while preserving current behavior.
| @@ -1,5 +1,8 @@ | ||
| name: Build | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: |
No foundry.toml defines a [profile.ci] section. Newer Foundry nightly versions error on missing profiles instead of silently falling back to the default, causing CI failures. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- remappings.txt targets resolve to existing directories
Test plan
- forge build at root + 3 test dirs)
🤖 Generated with Claude Code