refactor: Refactor sharing contract deployer action (#515)

zguesmi · web-flow · commit 95973ff26282 · 2025-09-24T11:23:45.000+02:00
* refactor: Clean action files

* ci: Migrate deserializer CI from Drone to GHA

* fix: Restaure non-migrated sharing contract upgrade drone ci

* ci: Remove migrated file

* ci: Fix CI

* ci: Clean and fix ci

* ci: Rename CI parameter for better clarity

* ci: Refactor environment check

* ci: Move check earlier

* ci: Create pull requests for main branch

* ci: Fix pull request step
diff --git a/.github/workflows/sharing-smart-contract-deploy.yml b/.github/workflows/sharing-smart-contract-deploy.yml
@@ -14,8 +14,8 @@ on:
           - arbitrum
           - bellecour
         default: 'hardhat'
-      environment:
-        description: 'Environment'
+      stage:
+        description: 'Deployment stage'
         required: true
         type: choice
         options:
@@ -32,12 +32,42 @@ jobs:
   deploy:
     needs: build-and-test
     runs-on: ubuntu-latest
-    env:
-      CI: true
+    environment: ${{ inputs.network }}
     permissions:
       contents: write # Required to commit deployment files.
-    environment: ${{ inputs.network }}
+      pull-requests: write # Required to create pull requests.
+    env:
+      CI: true
+      # For commit action
+      COMMIT_MESSAGE: 'chore: Save deployment artifacts - ${{ inputs.network }} ${{ inputs.stage }} (${{ github.run_id }})'
+      GHA_BOT_NAME: 'GitHub Actions Bot'
+      GHA_BOT_EMAIL: 'github-actions[bot]@users.noreply.github.com'
+
     steps:
+      - name: Validate target environment
+        id: validate-env
+        if: inputs.network != 'hardhat'
+        env:
+          NETWORK: ${{ inputs.network }}
+          STAGE: ${{ inputs.stage }}
+        run: |
+          DEPLOYMENT_ID=""
+          case "$NETWORK" in
+            arbitrum|bellecour)
+              if [ "$STAGE" = "dev" ]; then
+                echo "Error: Cannot use 'dev' stage with mainnet ($NETWORK)"
+                exit 1
+              fi
+              # Use <network> as deployment id for mainnets.
+              DEPLOYMENT_ID="${{ inputs.network }}"
+              ;;
+            *)
+              # Use <network>-<stage> as deployment id for testnets.
+              DEPLOYMENT_ID="${{ inputs.network }}-${{ inputs.stage }}"
+              ;;
+          esac
+          echo "deployment-id=$DEPLOYMENT_ID" >> $GITHUB_OUTPUT
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
@@ -58,74 +88,52 @@ jobs:
           version: stable
           cache: true
 
-      - name: Validate deployment environment and prepare variables
-        if: inputs.network != 'hardhat'
-        run: |
-          NETWORK="${{ inputs.network }}"
-          ENVIRONMENT="${{ inputs.environment }}"
-
-          case "$NETWORK" in
-            arbitrum|bellecour)
-              if [ "$ENVIRONMENT" = "dev" ]; then
-                echo "Error: Cannot deploy to mainnet ($NETWORK) with dev environment"
-                exit 1
-              fi
-              echo "IS_MAINNET=true" >> $GITHUB_ENV
-              ;;
-            *)
-              echo "IS_MAINNET=false" >> $GITHUB_ENV
-              ;;
-          esac
-
       - name: Deploy contracts
-        id: deploy
         working-directory: packages/sharing-smart-contract
         env:
-          # For Deployment
+          DEPLOYMENT_ID: ${{ steps.validate-env.outputs.deployment-id }}
           RPC_URL: ${{ secrets.RPC_URL }}
           DEPLOYER_PRIVATE_KEY: ${{ secrets.DEPLOYER_PRIVATE_KEY }}
-          ADMIN_PRIVATE_KEY: ${{ secrets.DATAPROTECTOR_OWNER_PRIVATEKEY }} # Fix secret name
+          ADMIN_PRIVATE_KEY: ${{ secrets.DATAPROTECTOR_OWNER_PRIVATEKEY }} # TODO Fix secret name
           POCO_ADDRESS: ${{ vars.POCO_ADDRESS }}
           DATASET_REGISTRY_ADDRESS: ${{ vars.DATASET_REGISTRY_ADDRESS }}
         run: |
-          if [ "${{ inputs.network }}" = "hardhat" ]; then
-            npm run deploy -- --network ${{ inputs.network }}
-          else
-            # For testnets, use network-environment; for mainnets, use network only
-            if [ "$IS_MAINNET" = false ]; then
-              DEPLOYMENT_ID="${{ inputs.network }}-${{ inputs.environment }}"
-            else
-              DEPLOYMENT_ID="${{ inputs.network }}"
-            fi
-            echo "deployment-id=$DEPLOYMENT_ID" >> $GITHUB_OUTPUT
             DEPLOYMENT_ID="$DEPLOYMENT_ID" \
               npm run deploy -- --network ${{ inputs.network }}
-          fi
 
-      - name: Save deployment artifacts
-        if: inputs.network != 'hardhat'
+      - name: Push deployment artifacts to the current branch
+        if: inputs.network != 'hardhat' && github.ref != 'refs/heads/main'
         uses: stefanzweifel/git-auto-commit-action@v5
         with:
-          commit_message: 'chore: save deployment artifacts for ${{ inputs.network }} ${{ inputs.environment }} (${{ github.run_id }})'
-          file_pattern: 'packages/sharing-smart-contract/ignition/deployments/* packages/sharing-smart-contract/.openzeppelin/*'
-          commit_user_name: 'GitHub Actions Bot'
-          commit_user_email: 'github-actions[bot]@users.noreply.github.com'
-          commit_author: 'GitHub Actions Bot <github-actions[bot]@users.noreply.github.com>'
+          commit_message: ${{ env.COMMIT_MESSAGE }}
+          file_pattern: |
+            packages/sharing-smart-contract/ignition/deployments/*
+            packages/sharing-smart-contract/.openzeppelin/*
+          commit_user_name: ${{ env.GHA_BOT_NAME }}
+          commit_user_email: ${{ env.GHA_BOT_EMAIL }}
+          commit_author: '${{ env.GHA_BOT_NAME }} <${{ env.GHA_BOT_EMAIL }}>'
+
+      # Since `main` branch is protected, create a PR to push deployment files.
+      - name: Push deployment artifacts through a pull request
+        if: inputs.network != 'hardhat' && github.ref == 'refs/heads/main'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: ${{ env.COMMIT_MESSAGE }}
+          add-paths: |
+            packages/sharing-smart-contract/ignition/deployments/
+            packages/sharing-smart-contract/.openzeppelin/
+          committer: '${{ env.GHA_BOT_NAME }} <${{ env.GHA_BOT_EMAIL }}>'
+          author: '${{ env.GHA_BOT_NAME }} <${{ env.GHA_BOT_EMAIL }}>'
+          branch: chore/save-deployment-artifacts
+          title: ${{ env.COMMIT_MESSAGE }}
+          body: 'PR created by "Create Pull Request" action.'
+          draft: true
 
       - name: Verify contracts
         if: inputs.network != 'hardhat'
         continue-on-error: true
         working-directory: packages/sharing-smart-contract
         env:
-          # For Verification
           EXPLORER_API_KEY: ${{ secrets.EXPLORER_API_KEY }}
           IS_VERIFICATION_API_V2: ${{ vars.IS_VERIFICATION_API_V2 }}
-        run: |
-          # For testnets, use network-environment; for mainnets, use network only
-          if [ "$IS_MAINNET" = false ]; then
-            DEPLOYMENT_ID="${{ inputs.network }}-${{ inputs.environment }}"
-          else
-            DEPLOYMENT_ID="${{ inputs.network }}"
-          fi
-          npm run verify -- "$DEPLOYMENT_ID"
-
+        run: npm run verify -- "$DEPLOYMENT_ID"
diff --git a/.github/workflows/sharing-smart-contracts-ci.yml b/.github/workflows/sharing-smart-contracts-ci.yml
@@ -89,8 +89,8 @@ jobs:
       - name: Upgrade test
         working-directory: packages/sharing-smart-contract
         env:
-          DATA_PROTECTOR_SHARING_ADDRESS: 0x1390c3c6a545198809F1C7c5Dd2600ef74D60925
-          ADD_ONLY_APP_WHITELIST_REGISTRY_ADDRESS: 0x498D324F711b8998Be81818742e268dEE30347c6
+          DATA_PROTECTOR_SHARING_ADDRESS: '0x1390c3c6a545198809F1C7c5Dd2600ef74D60925'
+          ADD_ONLY_APP_WHITELIST_REGISTRY_ADDRESS: '0x498D324F711b8998Be81818742e268dEE30347c6'
         run: npm run upgrade-local-fork -- --network local-bellecour-fork
 
         # TODO check why the CI does not fail when the following error occurs
