fix: harden deploy scripts and upgrade safety workflows #32

Merged: rubydusa merged 6 commits into Rubydusa/ci-testing from fix/deploy-script-hardening, Apr 6, 2026

Conversation

@RonTuretzky (Contributor) commented Mar 31, 2026

Summary

Addresses review comments from PR #30 and findings from the security audit.

Deploy script hardening (commit 1)

  • resolve-network.sh: Post-fallback validation ensuring BLOCKSCOUT_URL is non-empty, not "null", and starts with http(s)://
  • prepare-env.sh: Parse and validate KEY=VALUE format before exporting, skip malformed lines and invalid key names
  • verify-blockscout.sh: Add --connect-timeout 10 and --max-time 30 to status poll curl; normalize URL trailing slash

Upgrade safety & workflow hardening (commit 2)

  • validate.sh: Hard fail when base branch build/checkout fails (opt-in ALLOW_FALLBACK=true to downgrade to upgradeability-only)
  • validate.sh: Pin @openzeppelin/upgrades-core version via OZ_UPGRADES_CORE_VERSION env var (default 1.44.2)
  • validate.sh: Fail on empty contracts array when base branch config has entries (prevents bypass)
  • _foundry-cicd.yml: Require upgrade-safety job to succeed for deploy (no longer allows skipped)
  • _foundry-cicd.yml: Quote deploy-script input to prevent flag injection
  • Both workflows: Remove duplicate Node.js setup steps

Address PR review comments (commit 3)

  • validate.sh: Fail hard when base branch fetch/read fails during empty-contracts check (prevents bypass by blocking base-branch access), gated by ALLOW_FALLBACK=true
  • verify-blockscout.sh: Normalize BLOCKSCOUT_URL once at the top and use consistently for both submission and polling (no more double-slash risk)
  • test-prepare-env.sh: Add tests for malformed lines (no =), invalid key names (digits, hyphens, spaces), and values containing =

Test plan

  • Verify deploy fails when upgrade-safety is skipped
  • Verify validate.sh fails when base branch can't be built (without ALLOW_FALLBACK)
  • Verify validate.sh fails when base branch can't be fetched during empty-contracts check
  • Verify validate.sh fails when contracts array is emptied but base branch has entries
  • Verify pinned OZ version is used in npx calls
  • Verify deploy-script input is properly quoted
  • Verify prepare-env.sh tests pass (bash tests/test-prepare-env.sh)

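The three input checks described above (post-fallback validation of BLOCKSCOUT_URL in resolve-network.sh, KEY=VALUE parsing with key-name validation in prepare-env.sh, and trailing-slash normalization in verify-blockscout.sh), written out as an added shell example. This is not the repository's own script code: the function names, the SAMPLE_DEPLOY_ENV_VARS input and the example URLs are constructed for illustration, and the rule used for "valid key name" (a letter or underscore followed by letters, digits or underscores, i.e. a shell identifier) is an assumption about what the PR's key check enforces.

```shell
#!/bin/sh
# Added example, not the repository's scripts. Function names are assumptions.

# is_valid_blockscout_url URL
# Returns 0 only if URL is non-empty, is not the literal string "null" (what a
# jq lookup yields for a missing key), and starts with http:// or https://.
is_valid_blockscout_url() {
  url=$1
  [ -n "$url" ] || return 1
  [ "$url" != "null" ] || return 1
  case "$url" in
    http://*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# normalize_url URL
# Prints URL with every trailing slash removed, so a later "${BASE}/api" join
# cannot produce a double slash regardless of how the URL was configured.
normalize_url() {
  url=$1
  while [ "${url%/}" != "$url" ]; do
    url=${url%/}
  done
  printf '%s\n' "$url"
}

# is_valid_key NAME
# Accepts only shell identifiers: no leading digit, no hyphen, no space, not empty.
is_valid_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'
}

# parse_env_vars TEXT
# Reads TEXT line by line and prints one validated KEY=VALUE line per accepted
# input line. Lines without "=" and lines whose key fails is_valid_key are
# skipped with a note on stderr. Only the first "=" separates key from value,
# so a value may itself contain "=".
parse_env_vars() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$line" in
      *=*) ;;
      *) printf 'skip (no =): %s\n' "$line" >&2; continue ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    if ! is_valid_key "$key"; then
      printf 'skip (bad key): %s\n' "$line" >&2
      continue
    fi
    printf '%s=%s\n' "$key" "$value"
  done
}

# export_env_vars TEXT
# Exports every accepted pair into the current shell. It uses export "KEY=VALUE"
# rather than eval, so the value is stored as data and never interpreted; the
# here-document (not a pipe) keeps the loop in the current shell so the exports
# persist for the caller.
export_env_vars() {
  while IFS= read -r pair; do
    [ -n "$pair" ] || continue
    export "$pair"
  done <<EOF
$(parse_env_vars "$1")
EOF
}

# Constructed sample input in the DEPLOY_ENV_VARS style: three good lines and
# four that must be rejected.
SAMPLE_DEPLOY_ENV_VARS='RPC_URL=https://rpc.example.invalid
CHAIN_ID=31337
malformed line without equals
1BAD=starts-with-digit
BAD-KEY=has-hyphen
BAD KEY=has space
DATA_URI=a=b=c'

# Demo on the sample: prints the three accepted pairs on stdout and reports the
# four rejected lines on stderr.
parse_env_vars "$SAMPLE_DEPLOY_ENV_VARS"
```

Calling `is_valid_blockscout_url` before `normalize_url` matters: normalization strips slashes blindly, so it should only ever see a URL that has already passed the scheme check.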
Commit message (commit 1):
- Add post-fallback validation for BLOCKSCOUT_URL in resolve-network.sh
- Validate KEY=VALUE format and key names in prepare-env.sh export
- Add curl timeouts and normalize URL in verify-blockscout.sh status poll

@RonTuretzky RonTuretzky requested a review from rubydusa March 31, 2026 16:19

Commit message (commit 2):
- Hard fail when base branch build fails (opt-in ALLOW_FALLBACK=true)
- Pin @openzeppelin/upgrades-core version (default 1.44.2)
- Require upgrade-safety success for deploy (no longer allows skipped)
- Quote deploy-script input to prevent flag injection
- Fail on empty contracts array when base branch has entries
- Remove duplicate Node.js setup steps in both workflows
@RonTuretzky RonTuretzky changed the title fix: harden deploy scripts against invalid inputs fix: harden deploy scripts and upgrade safety workflows Mar 31, 2026
@RonTuretzky RonTuretzky requested a review from Copilot March 31, 2026 17:47
Copilot AI left a comment

Pull request overview

This PR hardens the repo’s deployment helper scripts and CI upgrade-safety workflows in response to prior review feedback and security audit findings, aiming to reduce validation bypasses and make deploy-time automation more robust.

Changes:

  • Tighten upgrade-safety validation to (a) block empty-contract “skips” when base has contracts, (b) fail hard when base checkout/build fails unless explicitly allowed, and (c) pin the OpenZeppelin upgrades-core CLI version.
  • Harden deploy scripts by validating/resolving Blockscout URLs, adding curl timeouts, and safely parsing DEPLOY_ENV_VARS.
  • Update reusable workflows to remove duplicate Node.js setup, require upgrade-safety success before deploy, and quote the deploy-script input.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Per-file summary:

  • scripts/upgrade-safety/validate.sh: Adds stricter failure modes and version pinning for upgrade-safety validation.
  • scripts/deploy/verify-blockscout.sh: Adds curl timeouts and normalizes trailing slashes for Blockscout polling.
  • scripts/deploy/resolve-network.sh: Adds post-fallback validation that Blockscout URL is non-empty and http(s).
  • scripts/deploy/prepare-env.sh: Parses DEPLOY_ENV_VARS as KEY=VALUE and rejects malformed/unsafe keys.
  • .github/workflows/_upgrade-safety.yml: Consolidates Node.js setup and conditionally enables caching.
  • .github/workflows/_foundry-cicd.yml: Requires upgrade-safety success for deploy and quotes deploy-script; consolidates Node.js setup in upgrade-safety job.

Commit message (commit 3):
- validate.sh: fail hard when base branch fetch/read fails during
  empty-contracts check (gated by ALLOW_FALLBACK=true)
- verify-blockscout.sh: normalize BLOCKSCOUT_URL once and use
  consistently for both submission and polling
- test-prepare-env.sh: add tests for malformed lines, invalid key
  names, and values containing equals signs

@rubydusa rubydusa mentioned this pull request Apr 2, 2026
@rubydusa rubydusa merged commit 1e3538a into Rubydusa/ci-testing Apr 6, 2026
@rubydusa rubydusa deleted the fix/deploy-script-hardening branch April 6, 2026 19:56