feat: migrate erc721a

Author: roderik

.github/renovate.json

@@ -2,9 +2,6 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:recommended",
-    ":automergeMinor",
-    ":automergePr",
-    ":automergeRequireAllStatusChecks",
     ":gitSignOff",
     ":pinVersions",
     ":semanticCommits",
@@ -15,14 +12,16 @@
     ":prHourlyLimitNone",
     "security:openssf-scorecard",
     "schedule:nonOfficeHours",
-    ":disableDependencyDashboard"
+    "group:all"
+  ],
+  "labels": [
+    "dependencies"
   ],
-  "labels": ["dependencies"],
   "rebaseWhen": "conflicted",
   "packageRules": [],
   "hostRules": [
     {
       "timeout": 3000000
     }
   ]
-}
+}

.github/scripts/comment.js

@@ -0,0 +1,26 @@
+module.exports = async ({ github, context, header, body }) => {
+  const comment = [header, body].join("\n");
+
+  const { data: comments } = await github.rest.issues.listComments({
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    issue_number: context.payload.number,
+  });
+
+  const botComment = comments.find(
+    (comment) =>
+      // github-actions bot user
+      comment.user.id === 41898282 && comment.body.startsWith(header)
+  );
+
+  const commentFn = botComment ? "updateComment" : "createComment";
+
+  await github.rest.issues[commentFn]({
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    body: comment,
+    ...(botComment
+      ? { comment_id: botComment.id }
+      : { issue_number: context.payload.number }),
+  });
+};

.github/workflows/solidity.yml

@@ -8,7 +8,7 @@ on:
     branches:
       - main
     tags:
-      - 'v*'
+      - "v*"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -30,13 +30,203 @@ permissions:
   statuses: write
 
 jobs:
-  ci:
-    name: CI
-    uses: settlemint/smart-contracts-actions/.github/workflows/solidity.yml@main
-    secrets:
-      TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    with:
-      docker-image-name: solidity-token-erc721a
-      runs-on: solidity-token-erc721a
-      ignition-module: 'ignition/modules/ExampleERC721a.ts'
-      subgraph-contract-address-key: 'ExampleERC721aModule#ExampleERC721a'
+  codescanning:
+    name: Code Scanning
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install canvas dependencies
+        run: |
+          apk update
+          apk add --no-cache cairo-dev jpeg-dev pango-dev giflib-dev build-base g++ pkgconfig
+
+      - name: Fetch semgrep rules
+        uses: actions/checkout@v4
+        with:
+          repository: decurity/semgrep-smart-contracts
+          path: rules
+
+      - run: semgrep ci --sarif --output=semgrep.sarif || true
+        env:
+          SEMGREP_RULES: rules/solidity/security rules/solidity/performance
+
+      - uses: crytic/slither-action@v0.4.0
+        id: slither
+        with:
+          sarif: slither.sarif
+          slither-args: --filter-paths "lib/" --filter-paths "node_modules/"
+          solc-version: 0.8.24
+          fail-on: none
+
+      - name: Upload findings to GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep.sarif
+        if: always()
+
+      - name: Upload findings to GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.slither.outputs.sarif }}
+        if: always()
+
+  test:
+    services:
+      foundry:
+        image: ghcr.io/settlemint/btp-anvil-test-node:latest
+        ports:
+          - '8545:8545'
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+        with:
+          version: nightly
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install Node dependencies
+        run: npm install
+
+      - name: Run Forge build
+        run: |
+          forge --version
+          forge build --sizes
+
+      - name: Run Hardhat build
+        run: |
+          npx hardhat compile
+
+      - name: Run Forge tests
+        run: |
+          forge test -vvv
+
+      - name: Run Hardhat test
+        run: |
+          npx hardhat test
+
+      - name: Setup LCOV
+        if: github.ref_name != 'main'
+        uses: hrishikesh-kadam/setup-lcov@v1
+
+      - name: Run Forge Coverage
+        if: github.ref_name != 'main'
+        run: |
+          forge coverage --report lcov --report summary
+        id: coverage
+
+      - name: Deploy to the local node
+        run: |
+          npx hardhat ignition deploy --network localhost ignition/modules/main.ts
+
+      - name: Install YQ
+        uses: alexellis/arkade-get@master
+        with:
+          print-summary: false
+          yq: latest
+
+      - name: Build the subgraph
+        run: |
+          if [ ! -d "subgraph" ] || [ -z "$(ls -A subgraph)" ]; then
+            echo "Subgraph directory is missing or empty"
+            exit 0
+          fi
+          npx graph-compiler --config subgraph/subgraph.config.json --include node_modules/@openzeppelin/subgraphs/src/datasources subgraph/datasources --export-schema --export-subgraph
+          yq -i e '.specVersion = "1.2.0"' generated/scs.subgraph.yaml
+          yq -i e '.features = ["nonFatalErrors", "fullTextSearch", "ipfsOnEthereumContracts"]' generated/scs.subgraph.yaml
+          yq -i e '.dataSources[].mapping.apiVersion = "0.0.7"' generated/scs.subgraph.yaml
+          yq -i e '.dataSources[].network = "localhost"' generated/scs.subgraph.yaml
+          yq -i e '.templates[].mapping.apiVersion = "0.0.7"' generated/scs.subgraph.yaml
+          yq -i e '.templates[].network = "localhost"' generated/scs.subgraph.yaml
+          npx graph codegen generated/scs.subgraph.yaml
+          npx graph build generated/scs.subgraph.yaml
+
+      - name: Report code coverage
+        if: github.ref_name != 'main'
+        uses: zgosalvez/github-actions-report-lcov@v4.1.10
+        with:
+          coverage-files: lcov.info
+          minimum-coverage: 90
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          update-comment: true
+
+  docker:
+    needs:
+      - test
+    name: Docker
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: docker_meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        id: build-and-push
+        with:
+          platforms: linux/amd64,linux/arm64
+          provenance: true
+          sbom: true
+          push: true
+          load: false
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
+          no-cache: true
+
+
+      - name: Sign the images with GitHub OIDC Token
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.docker_meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}

.gitignore

@@ -12,7 +12,6 @@ node_modules
 # solidity-coverage files
 /coverage
 /coverage.json
-lcov.info
 
 # Hardhat Ignition default folder for deployments against a local node
 ignition/deployments/chain-31337

.semgrepignore

@@ -0,0 +1,25 @@
+# Common large paths
+node_modules/
+build/
+dist/
+vendor/
+.env/
+.venv/
+.tox/
+*.min.js
+.npm/
+.yarn/
+
+# Common test paths
+test/
+tests/
+*_test.go
+
+# Semgrep rules folder
+.semgrep
+
+# Semgrep-action log folder
+.semgrep_logs/
+
+# lib
+lib/

.vscode/extensions.json

@@ -3,7 +3,6 @@
     "nomicfoundation.hardhat-solidity",
     "genieai.chatgpt-vscode",
     "esbenp.prettier-vscode",
-    "dracula-theme.theme-dracula",
     "cnshenj.vscode-task-manager",
     "catppuccin.catppuccin-vsc-icons",
     "catppuccin.catppuccin-vsc"

.vscode/tasks.json

@@ -5,7 +5,7 @@
       "id": "deployment-module",
       "description": "Hardhat Ignition Module",
       "type": "promptString",
-      "default": "ignition/modules/ExampleERC721a.ts"
+      "default": "ignition/modules/main.ts"
     },
     {
       "id": "extra-deployment",
@@ -100,4 +100,4 @@
       "problemMatcher": []
     }
   ],
-}
+}

SECURITY.md

@@ -0,0 +1,12 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 7.x.x   | :white_check_mark: |
+| < 7.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Please report any issues to support@settlemint.com

contracts/ExampleERC721a.sol

@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: MIT
 // SettleMint.com
 
-pragma solidity 0.8.26;
+pragma solidity ^0.8.24;
 
 import {IERC721A, ERC721A} from "erc721a/contracts/ERC721A.sol";
 import {ERC2981} from "@openzeppelin/contracts/token/common/ERC2981.sol";

contracts/extensions/ERC721Whitelist.sol

@@ -8,7 +8,7 @@
  *
  * SPDX-License-Identifier: UNLICENSED
  */
-pragma solidity 0.8.26;
+pragma solidity ^0.8.24;
 
 import {Context} from "@openzeppelin/contracts/utils/Context.sol";
 import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";