130 changes: 130 additions & 0 deletions .github/workflows/build.yaml
@@ -0,0 +1,130 @@
name: Build

on:
push:
branches:
- main
pull_request:
branches:
- "*"

jobs:
validate-remappings:
name: Validate remappings
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
submodules: recursive

- name: Check all remapping targets exist
run: |
rc=0
for file in $(find . -name remappings.txt -not -path './lib/*' -not -path './node_modules/*'); do
dir=$(dirname "$file")
# Collect search bases: the remappings dir + libs from foundry.toml
bases="$dir"
if [ -f "$dir/foundry.toml" ]; then
for lib in $(grep "^libs" "$dir/foundry.toml" | sed "s/.*\[//;s/\].*//;s/'//g;s/\"//g;s/,/ /g"); do
bases="$bases $dir/$lib"
done
fi
while IFS= read -r line; do
[ -z "$line" ] && continue
target=$(echo "$line" | sed 's/.*=//')
found=false
for base in $bases; do
if [ -d "$base/$target" ]; then
found=true
break
fi
done
if [ "$found" = false ]; then
echo "::error file=$file::Broken remapping: $line (target '$target' not found)"
rc=1
fi
done < "$file"
done
exit $rc

foundry-root:
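Review bot: the "Check all remapping targets exist" step iterates `$(find ...)` and `$bases` unquoted, so any path containing whitespace is word-split into bogus entries and reported as a broken remapping; use `find ... -print0 | while IFS= read -r -d '' file` (or `-exec`) and a bash array for `bases`. `target=$(echo "$line" | sed 's/.*=//')` also keeps trailing spaces and the CR of a CRLF-formatted `remappings.txt`, which makes `[ -d "$base/$target" ]` fail for an otherwise valid entry, so strip trailing whitespace before the test. Separately, `actions/checkout@v6` is referenced by a mutable tag; pinning to a full commit SHA keeps the workflow's action supply chain reproducible.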
Comment on lines +13 to +51

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 24 days ago

In general, the fix is to add an explicit permissions block that grants only the minimal necessary scopes to the GITHUB_TOKEN. Since this workflow only checks out code and runs build/test commands, it can safely operate with read-only access to repository contents. The simplest and clearest solution is to add a top-level permissions: block (at the root of the workflow, alongside name and on) with contents: read, which will apply to all jobs in this workflow.

Concretely, edit .github/workflows/build.yaml and insert:

permissions:
  contents: read

between the name: Build line and the on: block (lines 1–3 in the given snippet). This will not change any existing behavior of the jobs, since actions/checkout and the other actions used only require read access to repository contents. No other lines or jobs need individual permissions blocks unless you later introduce steps that require additional scopes.

Suggested changeset 1
.github/workflows/build.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,5 +1,8 @@
 name: Build
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
EOF
name: Compile root contracts (Foundry)
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
submodules: recursive

- name: Install Foundry
uses: foundry-rs/foundry-toolchain@v1

- name: Run forge build
run: forge build

foundry-tests:
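Review bot: the "Install Foundry" step uses `foundry-rs/foundry-toolchain@v1` with no `version` input, so `forge build` in this job runs on whatever the action's default resolves to (a nightly Foundry build), and two runs of the same commit can compile with different compilers; set `with: version:` to a fixed Foundry release, and pin the action (and `actions/checkout`) to a commit SHA rather than a moving major tag.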
Comment on lines +52 to +66

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 24 days ago

In general, fix this by explicitly declaring a minimal permissions block in the workflow, either at the top level (applies to all jobs) or per job, granting only what is needed (here, read access to contents). This ensures the GITHUB_TOKEN cannot be used with broader write permissions, even if repository defaults are permissive.

The best minimal fix without changing existing functionality is to add a root-level permissions block right after the name: Build line, setting contents: read. All the jobs (validate-remappings, foundry-root, foundry-tests, hardhat-root, and any elided ones like hardhat-tests) only need to check out code and run commands; they do not perform write operations against the GitHub API. No extra imports or dependencies are required; it is a pure YAML modification.

Concretely, edit .github/workflows/build.yaml near the top: insert

permissions:
  contents: read

between line 1 (name: Build) and line 3 (on:). This will satisfy CodeQL’s requirement and lock GITHUB_TOKEN down to read-only repository contents for all jobs that do not override permissions. No other regions/lines need to change.

Suggested changeset 1
.github/workflows/build.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,4 +1,6 @@
 name: Build
+permissions:
+  contents: read
 
 on:
   push:
EOF
name: Compile ${{ matrix.standard }} test harness (Foundry)
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
standard: [ERC20, ERC721, ERC4626]
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
submodules: recursive

- name: Install Foundry
uses: foundry-rs/foundry-toolchain@v1

- name: Run forge build
working-directory: tests/${{ matrix.standard }}/foundry
run: forge build

hardhat-root:
Comment on lines +67 to +86

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 24 days ago

To fix the problem, explicitly declare restricted GITHUB_TOKEN permissions in the workflow. Since all jobs just check out code and build/test, they only require read access to repository contents. The simplest and safest fix is to add a root‑level permissions block (so it applies to all jobs that don’t override it) with contents: read. This avoids changing any existing behavior of the build/test steps while ensuring the token cannot perform write operations.

Concretely, in .github/workflows/build.yaml, add:

permissions:
  contents: read

immediately after the name: Build line (line 1) and before the on: block (line 3). This will satisfy CodeQL’s requirement for explicit minimal permissions and apply uniformly to validate-remappings, foundry-root, foundry-tests, hardhat-root, and any other jobs in this workflow. No additional imports, methods, or other definitions are needed.

Suggested changeset 1
.github/workflows/build.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,4 +1,6 @@
 name: Build
+permissions:
+  contents: read
 
 on:
   push:
EOF
name: Compile root contracts (Hardhat)
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
submodules: recursive

- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: 22

- name: Install dependencies
run: npm install

- name: Run hardhat compile
run: npx hardhat compile

hardhat-tests:
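Review bot: `npm install` in the "Install dependencies" step does not enforce the committed lockfile; if `package-lock.json` disagrees with `package.json` it is rewritten and new versions are resolved on the runner, so CI is not compiling against the dependency tree that was reviewed. Use `npm ci`, which fails on a lockfile mismatch and installs exactly the locked tree, and consider `cache: npm` on `actions/setup-node` to shorten the install.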
Comment on lines +87 to +106

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 24 days ago

To fix this, explicitly restrict the GITHUB_TOKEN permissions used by this workflow to the minimal scope needed. All jobs here only read the repository contents (via actions/checkout and subsequent builds), and do not push changes, create releases, or modify issues/PRs. The least-privilege configuration is to set permissions: contents: read. The cleanest way without changing behavior is to add a single permissions: block at the workflow root (top level), so it applies to all jobs that do not override it.

Concretely, in .github/workflows/build.yaml, add a top-level permissions: section between the name: and on: keys (around lines 1–3). Use:

permissions:
  contents: read

This leaves all job logic unchanged while ensuring that the GITHUB_TOKEN has read-only access to repository contents for all jobs, including hardhat-root. No additional methods, imports, or definitions are needed because this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/build.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,5 +1,8 @@
 name: Build
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
EOF
name: Compile ${{ matrix.standard }} test harness (Hardhat)
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
standard: [ERC20, ERC721, ERC4626]
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
submodules: recursive

- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: 22

- name: Install dependencies
working-directory: tests/${{ matrix.standard }}/hardhat
run: npm install

- name: Run hardhat compile
working-directory: tests/${{ matrix.standard }}/hardhat
run: npx hardhat compile
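Review bot: the matrix job's "Install dependencies" step runs `npm install` inside `tests/${{ matrix.standard }}/hardhat`, so each harness's `package-lock.json` can be silently rewritten on the runner instead of being verified; switch to `npm ci`, and if caching is added to `actions/setup-node`, set `cache-dependency-path` to the per-harness lockfiles so the three matrix entries do not share a stale cache key.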
Comment on lines +107 to +130

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 24 days ago

To fix the problem, explicitly set minimal GITHUB_TOKEN permissions for the workflow. The simplest and best approach without changing existing functionality is to add a top-level permissions block applying to all jobs. Since all jobs just check out code and run builds/tests, they only need read access to repository contents, so contents: read is sufficient.

Concretely, in .github/workflows/build.yaml, add a root-level permissions section after the name: Build line and before the on: block:

  • Add:
    permissions:
      contents: read

This will restrict the token for all jobs (validate-remappings, foundry-root, foundry-tests, hardhat-root, hardhat-tests) to read-only access to repository contents, resolving the CodeQL finding while preserving current behavior.

Suggested changeset 1
.github/workflows/build.yaml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,5 +1,8 @@
 name: Build
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
EOF
3 changes: 0 additions & 3 deletions .github/workflows/echidna.yaml
@@ -8,9 +8,6 @@ on:
branches:
- "*"

env:
FOUNDRY_PROFILE: ci

jobs:
foundry:
name: Test Foundry examples
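Review bot: removing `env: FOUNDRY_PROFILE: ci` changes which `[profile.*]` section of `foundry.toml` every Foundry step in this workflow compiles and tests with; if the ci profile carried settings that differ from `default` (optimizer, solc version, fuzz runs), this hunk silently changes what is under test. The commit message should state why the profile is no longer needed, and any now-unused `[profile.ci]` block should be dropped from `foundry.toml` in the same change so the two do not drift.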
17 changes: 14 additions & 3 deletions .github/workflows/medusa.yaml
@@ -8,9 +8,6 @@ on:
branches:
- "*"

env:
FOUNDRY_PROFILE: ci

jobs:
foundry:
name: Test Foundry examples
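Review bot: this hunk drops `FOUNDRY_PROFILE: ci` from the Medusa workflow as well, so the `forge build --build-info` steps below now compile under the default profile; confirm the build-info that Medusa consumes via `--foundry-compile-all` does not depend on a ci-profile setting (for example a pinned solc version), otherwise the fuzzing target changes without any test file changing.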
@@ -52,6 +49,20 @@ jobs:
run: |
medusa fuzz --target-contracts CryticERC20ExternalHarness --config medusa-config-ext.json

- name: Compile ERC721 Foundry example
working-directory: tests/ERC721/foundry
run: forge build --build-info

- name: Run Medusa for Internal ERC721 tests
working-directory: tests/ERC721/foundry
run: |
medusa fuzz --target-contracts CryticERC721InternalHarness --config medusa-config.json

- name: Run Medusa for External ERC721 tests
working-directory: tests/ERC721/foundry
run: |
medusa fuzz --target-contracts CryticERC721ExternalHarness --config medusa-config-ext.json

- name: Compile ERC4626 Foundry example
working-directory: tests/ERC4626/foundry
run: forge build --build-info
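Review bot: the two new ERC721 `medusa fuzz` steps run under configs whose `timeout` is `0` and `testLimit` is `500000` with `workers: 10`, so each run is bounded only by the test limit and, on a hosted runner with fewer cores than workers, can take a long time; a job-level `timeout-minutes` would stop a hung or slow fuzzing run from consuming the workflow's maximum allowance, and the step names and `working-directory` values should be checked against the ERC20 block above so the internal/external harness pairing stays consistent across standards.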
80 changes: 80 additions & 0 deletions tests/ERC721/foundry/medusa-config-ext.json
@@ -0,0 +1,80 @@
{
"fuzzing": {
"workers": 10,
"workerResetLimit": 50,
"timeout": 0,
"testLimit": 500000,
"callSequenceLength": 100,
"corpusDirectory": "tests/medusa-corpus-ext",
"coverageEnabled": true,
"targetContracts": [],
"targetContractsBalances": [],
"constructorArgs": {},
"deployerAddress": "0x10000",
"senderAddresses": [
"0x10000",
"0x20000",
"0x30000"
],
"blockNumberDelayMax": 60480,
"blockTimestampDelayMax": 604800,
"blockGasLimit": 125000000,
"transactionGasLimit": 12500000,
"testing": {
"stopOnFailedTest": true,
"stopOnFailedContractMatching": false,
"stopOnNoTests": true,
"testAllContracts": true,
"traceAll": false,
"assertionTesting": {
"enabled": true,
"testViewMethods": false,
"panicCodeConfig": {
"failOnCompilerInsertedPanic": false,
"failOnAssertion": true,
"failOnArithmeticUnderflow": false,
"failOnDivideByZero": false,
"failOnEnumTypeConversionOutOfBounds": false,
"failOnIncorrectStorageAccess": false,
"failOnPopEmptyArray": false,
"failOnOutOfBoundsArrayAccess": false,
"failOnAllocateTooMuchMemory": false,
"failOnCallUninitializedVariable": false
}
},
"propertyTesting": {
"enabled": false,
"testPrefixes": [
"property_"
]
},
"optimizationTesting": {
"enabled": false,
"testPrefixes": [
"optimize_"
]
}
},
"chainConfig": {
"codeSizeCheckDisabled": true,
"cheatCodes": {
"cheatCodesEnabled": true,
"enableFFI": false
}
}
},
"compilation": {
"platform": "crytic-compile",
"platformConfig": {
"target": ".",
"solcVersion": "",
"exportDirectory": "",
"args": ["--foundry-compile-all"]
}
},
"logging": {
"level": "info",
"logDirectory": "",
"noColor": false
}
}
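Review bot: `targetContracts` is empty while `testAllContracts` is `true`, so this config relies entirely on the `--target-contracts CryticERC721ExternalHarness` flag passed in medusa.yaml to pick the harness, and then runs assertion tests on every contract Medusa deploys rather than only that target; the sibling `medusa-config.json` sets `testAllContracts` to `false` and `stopOnFailedContractMatching` to `true`, so the reason for the external harness differing should be recorded in a README or the commit message, since JSON cannot carry a comment. Keeping `enableFFI: false` next to `cheatCodesEnabled: true` is the right setting for CI.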
80 changes: 80 additions & 0 deletions tests/ERC721/foundry/medusa-config.json
@@ -0,0 +1,80 @@
{
"fuzzing": {
"workers": 10,
"workerResetLimit": 50,
"timeout": 0,
"testLimit": 500000,
"callSequenceLength": 100,
"corpusDirectory": "tests/medusa-corpus",
"coverageEnabled": true,
"targetContracts": [],
"targetContractsBalances": [],
"constructorArgs": {},
"deployerAddress": "0x10000",
"senderAddresses": [
"0x10000",
"0x20000",
"0x30000"
],
"blockNumberDelayMax": 60480,
"blockTimestampDelayMax": 604800,
"blockGasLimit": 125000000,
"transactionGasLimit": 12500000,
"testing": {
"stopOnFailedTest": true,
"stopOnFailedContractMatching": true,
"stopOnNoTests": true,
"testAllContracts": false,
"traceAll": false,
"assertionTesting": {
"enabled": true,
"testViewMethods": false,
"panicCodeConfig": {
"failOnCompilerInsertedPanic": false,
"failOnAssertion": true,
"failOnArithmeticUnderflow": false,
"failOnDivideByZero": false,
"failOnEnumTypeConversionOutOfBounds": false,
"failOnIncorrectStorageAccess": false,
"failOnPopEmptyArray": false,
"failOnOutOfBoundsArrayAccess": false,
"failOnAllocateTooMuchMemory": false,
"failOnCallUninitializedVariable": false
}
},
"propertyTesting": {
"enabled": false,
"testPrefixes": [
"property_"
]
},
"optimizationTesting": {
"enabled": false,
"testPrefixes": [
"optimize_"
]
}
},
"chainConfig": {
"codeSizeCheckDisabled": true,
"cheatCodes": {
"cheatCodesEnabled": true,
"enableFFI": false
}
}
},
"compilation": {
"platform": "crytic-compile",
"platformConfig": {
"target": ".",
"solcVersion": "",
"exportDirectory": "",
"args": ["--foundry-compile-all"]
}
},
"logging": {
"level": "info",
"logDirectory": "",
"noColor": false
}
}
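Review bot: `corpusDirectory` is `tests/medusa-corpus`, resolved relative to the `tests/ERC721/foundry` working directory used in medusa.yaml, and `coverageEnabled` is `true`, so each CI run writes a corpus tree under the checkout; none of the files shown adds a cache step or an ignore rule for it, so confirm the corpus is intended to be discarded with the runner (in which case the coverage-guided runs start from an empty corpus every time) rather than persisted or committed.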