ci: update ci slither

ronin-chain · Oct 22, 2024 · 6058231 · 6058231
1 parent 71d2507
commit 6058231
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 16 deletions.
diff --git a/.github/workflows/slither-analyze.yml b/.github/workflows/slither-analyze.yml
@@ -44,12 +44,7 @@ jobs:
         with:
           go-version: "1.19"
 
-      - name: Set up Go 1.19
-        uses: actions/setup-go@v4
-        with:
-          go-version: "1.19"
-
-      - name: Setup external packages
+      - name: Setup external packages and Slither
         run: |
           sudo apt-get update
           sudo apt-get install -y jq
@@ -64,13 +59,22 @@ jobs:
       - name: Install package with soldeer
         run: forge soldeer install
 
-      - name: Install Slither for security analysis
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y python3-pip
-          python3 -m pip install slither-analyzer
-
-      - name: Run Slither analysis
-        run: |
-          slither ./ --exclude-optimization --exclude-low --exclude-medium --exclude-informational --exclude-dependencies --filter-paths "dependencies/|script/|test/foundry/"
+      - name: Run Slither
+        uses: crytic/[email protected]
         id: slither
+        with:
+          node-version: 16
+          fail-on: none
+          slither-args: ./ --exclude-optimization --exclude-low --exclude-medium --exclude-informational --exclude-dependencies --filter-paths "dependencies/|script/|test/foundry/" --checklist --markdown-root ${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/
+
+      - name: Create/update checklist as PR comment
+        uses: actions/github-script@v7
+        if: github.event_name == 'pull_request'
+        env:
+          REPORT: ${{ steps.slither.outputs.stdout }}
+        with:
+          script: |
+            const script = require('.github/scripts/comment')
+            const header = '# Slither report'
+            const body = process.env.REPORT
+            await script({ github, context, header, body })
diff --git a/.husky/post-commit b/.husky/post-commit
@@ -1,5 +1,14 @@
 #!/bin/bash
 echo "Running post-commit hook"
+
+HAS_PENDING_CHANGES=false
+# If there are any changes in the working directory, stash them
+if [[ $(git status -s) ]]; then
+    HAS_PENDING_CHANGES=true
+    echo "\033[33m[post-commit] Stashing pending changes\033[0m"
+    git stash push -m "post-commit: Stash changes"
+fi
+
 GIT_BLAME_IGNORE_REVS_FILE=".git-blame-ignore-revs"
 
 # If `.git-blame-ignore-revs` does not exist, create it
@@ -34,4 +43,10 @@ if [[ $(git status -s $GIT_BLAME_IGNORE_REVS_FILE) ]]; then
     echo "\033[33m[post-commit] .git-blame-ignore-revs changes detected\033[0m"
     git add $GIT_BLAME_IGNORE_REVS_FILE
     HUSKY=0 git commit -m "chore(automated): post-commit update .git-blame-ignore-revs" -n
-fi
+fi
+
+# If there were any pending changes, unstash them
+if [ "$HAS_PENDING_CHANGES" = true ]; then
+    echo "\033[33m[post-commit] Unstashing pending changes\033[0m"
+    git stash pop
+fi