diff --git a/.github/workflows/_deploy-testnet.yml b/.github/workflows/_deploy-testnet.yml index 4299ec6..cdbaaec 100644 --- a/.github/workflows/_deploy-testnet.yml +++ b/.github/workflows/_deploy-testnet.yml @@ -37,6 +37,10 @@ on: description: 'Git ref for etherform scripts checkout (default: main)' type: string default: 'main' + environment: + description: 'GitHub Environment to scope the deploy to (e.g. for required reviewers + scoped secrets). Empty disables the gate.' + type: string + default: 'testnet' secrets: PRIVATE_KEY: required: true @@ -50,6 +54,7 @@ jobs: deploy-testnet: name: Deploy to Testnet runs-on: ubuntu-latest + environment: ${{ inputs.environment }} outputs: network_name: ${{ steps.network.outputs.network_name }} blockscout_url: ${{ steps.network.outputs.blockscout_url }} diff --git a/.github/workflows/_foundry-cicd.yml b/.github/workflows/_foundry-cicd.yml index e88d73c..111d4b7 100644 --- a/.github/workflows/_foundry-cicd.yml +++ b/.github/workflows/_foundry-cicd.yml @@ -108,6 +108,10 @@ on: description: 'Verify deployed contracts on Blockscout' type: boolean default: true + deploy-environment: + description: 'GitHub Environment to scope the testnet deploy to (e.g. for required reviewers + scoped secrets). Empty disables the gate.' + type: string + default: 'testnet' # Halmos Options run-halmos: description: 'Run Halmos symbolic execution' @@ -449,6 +453,7 @@ jobs: needs.upgrade-safety.result == 'success' && inputs.deploy-on-pr && github.event_name == 'pull_request' + environment: ${{ inputs.deploy-environment }} outputs: blockscout_url: ${{ steps.network.outputs.blockscout_url }} broadcast_file: ${{ steps.parse.outputs.broadcast_file }} diff --git a/README.md b/README.md index 3ba4119..515913f 100644 --- a/README.md +++ b/README.md 
@@ -184,6 +184,14 @@ If your Foundry project uses npm/yarn/pnpm for Solidity dependencies (e.g., Open | `RPC_URL` | All workflows | Network RPC endpoint (also used for fork-based tests) | | `DEPLOY_ENV_VARS` | Deploy workflows | Optional; newline-separated `KEY=VALUE` pairs exported as environment variables before running the deploy script | +### Protecting deploys with a GitHub Environment + +The deploy job in `_deploy-testnet.yml` (and the `deploy-testnet` job in `_foundry-cicd.yml`) is scoped to a GitHub Environment via the `environment` / `deploy-environment` input (default: `testnet`). + +In the consumer repo, create an Environment matching that name and configure protection rules — typically **required reviewers** and a **deployment branch policy** restricted to `main`. Store `PRIVATE_KEY` (and any deploy-only secrets) on the Environment rather than the repo, so they're only available after a maintainer approves the run. + +To opt out (e.g., for an internal sandbox), pass an empty string: `environment: ''`. + ## Workflow Inputs ### `_ci.yml` @@ -232,6 +240,7 @@ If your Foundry project uses npm/yarn/pnpm for Solidity dependencies (e.g., Open | `verify-contracts` | boolean | `true` | Verify on Blockscout | | `package-manager` | string | `'none'` | Package manager (`none`, `npm`, `yarn`, `pnpm`) | | `node-version` | string | `'20'` | Node.js version for package installation | +| `environment` | string | `'testnet'` | GitHub Environment to scope the deploy to. Empty disables the gate. | | `etherform-ref` | string | `'main'` | Git ref for etherform scripts checkout | ### `_foundry-cicd.yml` 
@@ -244,6 +253,7 @@ The all-in-one workflow accepts all inputs from the above workflows plus: | `contract-paths` | string | `src/**`, `script/**`, etc. | Paths to watch for changes | | `main-branch` | string | `'main'` | Base branch for upgrade safety comparison | | `deploy-on-pr` | boolean | `false` | Deploy to testnet on PR | +| `deploy-environment` | string | `'testnet'` | GitHub Environment to scope the deploy to. Empty disables the gate. | All workflows also accept `etherform-ref` (default: `'main'`) to control which etherform branch the scripts are checked out from. Override this when testing against an unreleased etherform branch.
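Review bot: In the `_deploy-testnet.yml` jobs hunk, `environment: ${{ inputs.environment }}` is the entire gate, and the "Empty disables the gate" promise in the input description depends on GitHub treating an empty-string expression as no environment rather than as an environment literally named `''`; please confirm with an actual run that passes `environment: ''` and record the observed behaviour in the README, since a wrong assumption here either blocks every opt-out run or, worse, lets a caller expect a gate that is not applied.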
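Review bot: In the `_foundry-cicd.yml` jobs hunk, the new `environment: ${{ inputs.deploy-environment }}` sits on a job whose `if:` requires `github.event_name == 'pull_request'`, so the branch evaluated against the Environment's deployment branch policy is the PR branch, not `main`; the README hunk's recommendation of "a deployment branch policy restricted to `main`" would therefore reject every run of this job. Either recommend required reviewers alone for the PR-deploy path, or document that the branch policy must admit the PR branches that are allowed to deploy.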
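Review bot: The README hunk tells consumers to store `PRIVATE_KEY` on the Environment "so they're only available after a maintainer approves the run", but `_deploy-testnet.yml` declares `secrets: PRIVATE_KEY: required: true`, i.e. the caller supplies it explicitly, and Environment secrets only resolve for the job that declares `environment:`. A caller job without the same Environment that passes `PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}` will get an empty value, or a repo-level copy that sidesteps the approval entirely. Please document the caller pattern that actually preserves the gate (for example `secrets: inherit`, or scoping the caller job to the same Environment) and verify it with a run.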
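Review bot: In the `_foundry-cicd.yml` README table hunk, the row is introduced under "accepts all inputs from the above workflows plus", while the gate input is named `deploy-environment` here and `environment` in `_deploy-testnet.yml`; a reader may pass `environment:` to the all-in-one workflow and believe the deploy is gated when it is not. Add a sentence to the row or to the "Protecting deploys" section stating that the all-in-one workflow reads `deploy-environment` only, or align the two names.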