Deploy to testnet-staging

[neekolas]

tl;dr

Auto deploy to testnet staging

Summary by CodeRabbit

• Chores
  • Updated the deployment workflow to change the Terraform workspace to testnet-staging.
  • Adjusted formatting for consistency in the variable declaration within the deployment workflow.
  • Changed dependency management command from forge soldeer update to forge soldeer install in multiple deployment scripts.

[coderabbitai]

Walkthrough

The pull request modifies the GitHub Actions workflow file for building the xmtpd image. The primary change involves updating the terraform-workspace from testnet to testnet-staging in the deploy job. The variable-value-required-prefix parameter remains consistent in content but has been reformatted. The workflow's core structure and job dependencies remain unchanged, with the push_to_registry job continuing to handle Docker image building and pushing processes as before. Additionally, scripts for deploying smart contracts have been updated to change the dependency management command from forge soldeer update to forge soldeer install.

Changes

File	Change Summary
.github/workflows/build-xmtpd.yml	- Changed terraform-workspace from testnet to testnet-staging in deploy job - Reformatted variable-value-required-prefix parameter
dev/contracts/deploy-ephemeral	- Updated dependency management command from forge soldeer update to forge soldeer install
dev/contracts/deploy-local	- Updated dependency management command from forge soldeer update to forge soldeer install - No changes to contract deployment logic
dev/contracts/deploy-testnet	- Updated dependency management command from forge soldeer update to forge soldeer install - No changes to contract deployment logic

Possibly related PRs

• Fix CI step name #306: The changes in this PR involve modifying the step name in the same workflow file (.github/workflows/build-xmtpd.yml) that the main PR alters, indicating a related focus on the deployment process.
• Build the correct image #308: This PR also modifies the .github/workflows/build-xmtpd.yml file, specifically updating the workflow to dynamically set the Dockerfile based on a matrix variable, which is relevant to the overall structure of the deployment process addressed in the main PR.

Suggested reviewers

• richardhuaaa
• mkysel

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/build-xmtpd.yml (1)

Line range hint 73-76: Verify terraform-deployer action version

The workflow uses xmtp-labs/terraform-deployer@v1. Consider pinning to a specific commit SHA for better security and reproducibility.

-      uses: xmtp-labs/terraform-deployer@v1
+      uses: xmtp-labs/terraform-deployer@{specific-commit-sha}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 951306a and f3b674d.

📒 Files selected for processing (1)

• .github/workflows/build-xmtpd.yml (1 hunks)

🔇 Additional comments (2)

.github/workflows/build-xmtpd.yml (2)

89-90: LGTM: Secure image reference configuration

The variable prefix configuration properly restricts deployments to official ghcr.io images with SHA256 digests, which is a crucial security control for ensuring image integrity.

---

87-87: Verify terraform workspace configuration

The change from testnet to testnet-staging aligns with the PR objective. However, let's verify that this workspace is properly configured.

[coderabbitai]

Actionable comments posted: 1

🔭 Outside diff range comments (1)

dev/contracts/deploy-testnet (1)

Line range hint 3-3: Add pipefail to error handling

The script is missing pipefail in the error handling setup, which could mask pipeline failures.

-set -euo
+set -euo pipefail

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f3b674d and 5ee42b7.

📒 Files selected for processing (3)

• dev/contracts/deploy-ephemeral (1 hunks)
• dev/contracts/deploy-local (1 hunks)
• dev/contracts/deploy-testnet (1 hunks)

🔇 Additional comments (2)

dev/contracts/deploy-ephemeral (1)

9-9: Verify the impact of switching to forge soldeer install

The change from update to install makes deployments more deterministic by using exact versions from the lockfile instead of potentially pulling in newer versions. While this is generally safer, please verify:

1. That this aligns with the testnet-staging deployment requirements
2. That the lockfile is up-to-date with all required dependencies

✅ Verification successful

forge soldeer install is consistently used across all deployment scripts

The change to forge soldeer install is already implemented consistently across all deployment scripts (local, ephemeral, and testnet), and a soldeer.lock file exists in the contracts directory. This indicates that:

1. The change aligns with deployment requirements across all environments
2. The dependency management system is properly set up with a lockfile

The consistent usage across all deployment scripts suggests this was an intentional standardization of dependency management approach.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if lockfile exists and when it was last updated
find . -name "foundry.lock" -type f -exec stat -f "%m %N" {} \;

# List all soldeer dependencies
forge soldeer list

Length of output: 183

---

Script:

#!/bin/bash
# Check if there's a foundry.toml config
find . -name "foundry.toml" -type f

# Look for any dependency management related files
find . -name "*.lock" -type f
find . -maxdepth 2 -type f -name "*dependencies*"

# Search for any forge commands in scripts
rg "forge\s+(install|update|soldeer)" -A 2 -B 2

Length of output: 1109

dev/contracts/deploy-testnet (1)

8-8: Verify chain ID and verifier configuration for testnet-staging

While the dependency management change is consistent with other scripts, please verify:

1. That chain ID 241320161 is correct for testnet-staging
2. That the Blockscout verifier URL is properly configured in the environment

✅ Verification successful

Let me gather more information about the chain ID configuration and deployment scripts.

---

Let me try one more verification to check for environment templates with a corrected command.

---

Chain ID and verifier configuration verified for testnet-staging

The verification is successful:

• Chain ID 241320161 is correctly used in the deployment script for testnet-staging environment
• Verifier URL is properly documented in doc/deploy.md as https://explorer-testnet-staging-88dqtxdinc.t.conduit.xyz/api
• The deployment script correctly uses Blockscout as the verifier with the environment variables

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check environment variables and configuration
if [ -f ./contracts/.env ]; then
  # Safely check if verifier URL is set (without revealing it)
  if grep -q "VERIFIER_URL" ./contracts/.env; then
    echo "Verifier URL is configured"
  else
    echo "Missing VERIFIER_URL configuration"
  fi
fi

# Search for chain ID references
rg -l "241320161"

Length of output: 76

---

Script:

#!/bin/bash
# Check for chain ID references in deployment scripts and configuration files
rg -A 5 "241320161"

# Look for any chain configuration files
fd -e json -e toml -e yaml -e yml | xargs rg -l "chain.*id"

# Check for any environment templates or example files
fd -g "*env*" -g "*.example*"

Length of output: 576

---

Script:

#!/bin/bash
# Check for environment templates with proper fd syntax
fd -g ".env*" -g "*.example"

# Look for chain ID documentation in markdown files
rg -i "chain.*id.*241320161|testnet.*staging" -g "*.md"

# Check deployment script contents
cat dev/contracts/deploy-testnet

Length of output: 1519

[coderabbitai]

💡 Codebase verification

Typo in dependency command across deployment scripts

The command forge soldeer install appears to be a typo across multiple deployment scripts. The correct Forge command should be forge install as "soldeer" is not a valid Forge subcommand.

• dev/contracts/deploy-local: Line 14
• Similar typo found in other deployment scripts

🔗 Analysis chain

Consistent with other deployment scripts

The dependency management change matches other scripts, maintaining consistency across environments.

---

Let me verify the dependency command change by checking other deployment scripts.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify environment setup and contract sources
if [ -f dev/contracts/.env ]; then
  echo "Environment file exists"
fi

# Check if all referenced contract files exist
for contract in "src/GroupMessages.sol" "src/Nodes.sol" "src/IdentityUpdates.sol"; do
  if [ -f "./contracts/$contract" ]; then
    echo "Contract file exists: $contract"
  else
    echo "Missing contract: $contract"
  fi
done

Length of output: 754

---

Script:

#!/bin/bash
# Find all deployment scripts and check for dependency commands
fd -t f "deploy-" -x cat {} \; | grep -i "soldeer\|forge install"

Length of output: 134

[neekolas]

@fbac I changed these from update to install, so that we don't update the lockfile. I believe OpenZeppelin released a bad patch version and update was failing to unzip it. Let me know if you want to change it back?

This way also should be faster.