
Adapt SDK for Automation #273

Open
Pol-Lanski opened this issue Oct 18, 2022 · 2 comments
Labels
P1 Has to be done but not urgent

Comments

@Pol-Lanski
Member

Pol-Lanski commented Oct 18, 2022

Is your feature request related to a problem? Please describe.

Our process to push updates to the Smart Contract is inefficient. Right now Carlos tests, merges if it's good and Edu must publish. This has 2 main problems:

  1. Carlos is the only tester
  2. Edu becomes a bottleneck

In order to automate the update process of the packages, we might be able to create a GitHub Action that automatically signs and publishes the package AFTER a PR is merged AFTER n approvals, where n is the number of necessary testers we determine for the package (often Carlos + another QA)

Unfortunately, the SDK is now not adapted to do anything else than preparing the tx for someone to sign in Metamask. We need to increase its functionality to include automation.

Describe the solution you'd like

I'm not sure what changes need to be done as of now.
We need:

  1. Research on the exact flow that the SDK needs to do.
  2. Research on how to mitigate the problem of having GitHub hacked and SECRETS extracted (private key leak)
  3. Solution proposal
  4. Implementation proposal

Describe alternatives you've considered

We've considered publishing packages with a multisig, but multisigs can't sign packages :/

Additional context

@Pol-Lanski
Member Author

I'd like the research to be done by @pablomendezroyo and the implementation by @dsimog01, but @tropicar might have some requirements to be added to my description since he will be ultimately responsible for the Dappstore.
@eduadiez might already have some ideas on how to start too.

@pablomendezroyo
Contributor

Approach
I suggest the following approach: The Dappnode SDK will include new functionalities for signing and publishing new releases through GitHub Actions.

  1. Create a new gha to be triggered manually. This gha will create a PR with a bump of the dappnode package version with the following specs:
    • Minimum number of approvals
    • PR title: Release v.x.y.z
    • PR description: release signed + release version + ipfs endpoints to populate the new release
  2. On PR merged:
    2.1 Sign release
    2.2 Create and sign the transaction
    2.3 Publish transaction on chain

References

Caveats

  • Adding the private key as a GitHub secret is a high-security vulnerability to consider
  • Having this gha be triggered as a manual action avoids having to detect which PRs can create the release and which cannot.
  • I consider only providing the automated functionality for new version actions and not for new packages.
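Added example (not Dappnode SDK code and not something posted in this thread): a small JavaScript gate that implements the "minimum number of approvals" and "on PR merged" checks from the approach above, the way a GitHub Action could run them before touching any signing key. It consumes review objects in the shape of GitHub's list-reviews REST response (`state`, `submitted_at`, `user.login`), but the sample PR, the sample reviews, the reviewer allow-list and the function names are all constructed for this illustration. It also handles the case the approach does not spell out: an approval that the same reviewer later withdrew with a "changes requested" review, and a self-approval by the PR author, neither of which should count.

```javascript
// Added example, not Dappnode SDK code. Review objects follow the field names of
// GitHub's "list reviews for a pull request" REST response; only `state`,
// `submitted_at` and `user.login` are used.

// Reduce all reviews to each reviewer's most recent verdict. GitHub keeps every
// review a user ever submitted, so an APPROVED followed by CHANGES_REQUESTED
// from the same user must not be counted as an approval.
function latestReviewPerUser(reviews) {
  const latest = new Map();
  for (const review of reviews) {
    // COMMENTED reviews carry no verdict; PENDING ones were never submitted.
    if (review.state === 'COMMENTED' || review.state === 'PENDING') continue;
    const login = review.user && review.user.login;
    if (!login) continue;
    const prev = latest.get(login);
    if (!prev || new Date(review.submitted_at) > new Date(prev.submitted_at)) {
      latest.set(login, review);
    }
  }
  return latest;
}

// Count distinct approvers, excluding the PR author (self-approval) and, when an
// allow-list of designated testers is given, anyone not on that list.
function countApprovals(reviews, { author, allowedReviewers } = {}) {
  const latest = latestReviewPerUser(reviews);
  let count = 0;
  for (const [login, review] of latest) {
    if (review.state !== 'APPROVED') continue;
    if (login === author) continue;
    if (allowedReviewers && !allowedReviewers.has(login)) continue;
    count += 1;
  }
  return count;
}

// Decide whether the sign-and-publish job may proceed. `pr` mirrors the
// pull_request payload fields used here: merged, base.ref, user.login.
// The gate is deliberately evaluated before any secret is read.
function releaseGate(pr, reviews, { minApprovals, allowedReviewers, baseBranch = 'master' }) {
  if (!pr.merged) return { allowed: false, reason: 'PR is not merged' };
  if (pr.base.ref !== baseBranch) {
    return { allowed: false, reason: `base branch is ${pr.base.ref}, expected ${baseBranch}` };
  }
  const approvals = countApprovals(reviews, { author: pr.user.login, allowedReviewers });
  if (approvals < minApprovals) {
    return { allowed: false, reason: `${approvals} approval(s), ${minApprovals} required` };
  }
  return { allowed: true, reason: `${approvals} approval(s)` };
}

// Constructed sample data (not a real PR, not real accounts).
const SAMPLE_PR = { merged: true, base: { ref: 'master' }, user: { login: 'release-author' } };
const SAMPLE_REVIEWS = [
  { user: { login: 'qa-one' }, state: 'APPROVED', submitted_at: '2022-10-18T10:00:00Z' },
  { user: { login: 'qa-two' }, state: 'APPROVED', submitted_at: '2022-10-18T10:05:00Z' },
  // qa-two later withdrew the approval; only the latest verdict counts.
  { user: { login: 'qa-two' }, state: 'CHANGES_REQUESTED', submitted_at: '2022-10-18T11:00:00Z' },
  // The PR author approving their own release must not count.
  { user: { login: 'release-author' }, state: 'APPROVED', submitted_at: '2022-10-18T11:30:00Z' },
  // A comment-only review carries no verdict.
  { user: { login: 'qa-three' }, state: 'COMMENTED', submitted_at: '2022-10-18T11:45:00Z' },
];

// With two approvals required, this sample is blocked: only qa-one's approval stands.
console.log(releaseGate(SAMPLE_PR, SAMPLE_REVIEWS, { minApprovals: 2 }));
```

In a workflow this check would run as the first step of the job triggered by the merge event, and the job would fail before the signing step if `allowed` is false; keeping the approver count and the allow-list in the workflow rather than relying on branch-protection alone means a later change to the repository settings cannot silently lower the bar for a signed release.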

@pablomendezroyo pablomendezroyo added the P1 Has to be done but not urgent label May 9, 2023
5 participants