.github/workflows/deploy.yml

---
# Basic deployment workflow.
# Note that more advanced use cases are tested in the nightly workflow.
name: Deploy

on:
  pull_request:
  push:
    branches: [main]

concurrency:
  group: deploy-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

env:
  ENCLAVE_NAME: cdk

jobs:
  check-pre-deployed-contracts-artefacts:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
        # This step will only execute if the necessary secrets are available, preventing failures
        # on pull requests from forked repositories.
        if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Install Kurtosis CDK tools
        uses: ./.github/actions/setup-kurtosis-cdk
      
      - name: Start anvil node
        run: |
          mnemonic="giant issue aisle success illegal bike spike question tent bar rely arctic volcano long crawl hungry vocal artwork sniff fantasy very lucky have athlete"
          anvil --state ./state.json --mnemonic "$mnemonic" --chain-id 271828 --balance 1000000000 --host 0.0.0.0 &

      - name: Deploy zkevm contracts to L1
        run: |
          docker_gateway_address="$(docker network inspect bridge --format='{{range .IPAM.Config}}{{.Gateway}}{{end}}')"
          yq -Y --in-place ".args.l1_rpc_url = \"http://$docker_gateway_address:8545\"" ./.github/tests/pre-deployed-contracts/deploy-zkevm-contracts.yml
          echo "Args file:"
          cat ./.github/tests/pre-deployed-contracts/deploy-zkevm-contracts.yml
          kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --args-file=./.github/tests/pre-deployed-contracts/deploy-zkevm-contracts.yml .

      - name: Wait 30s for all transactions to be mined
        run: sleep 30

      - name: Copy deployment files
        run: |
          folder="./templates/contract-deploy"
          kurtosis service exec cdk contracts-001 "cat /opt/zkevm/genesis.json" | tail -n +2 | jq > "$folder/genesis.json"
          kurtosis service exec cdk contracts-001 "cat /opt/zkevm/combined.json" | tail -n +2 | jq > "$folder/combined.json"
          jq . ./state.json > "$folder/anvil-state.json"

      - name: Check if pre-deployed contract artefacts are up to date
        run: |
          if [[ -n $(git status --porcelain ./templates) ]]; then
            echo "❌ Error: Pre-deployed contract artefacts are not up to date. Please update the files under templates/contract-deploy/"
            git status --porcelain ./templates
            git diff
            exit 1
          else
            echo "✅ Pre-deployed contract artefacts are up to date."
          fi

  run-without-args:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
        # This step will only execute if the necessary secrets are available, preventing failures
        # on pull requests from forked repositories.
        if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Install Kurtosis CDK tools
        uses: ./.github/actions/setup-kurtosis-cdk

      - name: Run Starlark
        run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --show-enclave-inspect=false .

      - name: Inspect enclave
        run: kurtosis enclave inspect ${{ env.ENCLAVE_NAME }}

      - name: List databases
        run: |
          postgres_port=$(kurtosis port print ${{ env.ENCLAVE_NAME }} postgres-001 postgres | cut -d':' -f3)
          PGPASSWORD=master_password psql --host 127.0.0.1 --port "$postgres_port" --username master_user --dbname master --list

      - name: Monitor verified batches (CDK Erigon Permissionless RPC)
        working-directory: .github/scripts
        run: |
          ./monitor-verified-batches.sh \
            --enclave ${{ env.ENCLAVE_NAME }} \
            --rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} cdk-erigon-rpc-001 rpc)

      - name: Dump enclave
        if: ${{ !cancelled() }}
        run: kurtosis enclave dump ${{ env.ENCLAVE_NAME }} ./dump

      - name: Upload enclave dump
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: dump_run_without_args_${{ github.run_id }}
          path: ./dump

  list-ymls:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4

      - name: Generate test combinations
        working-directory: .github/tests
        run: ./combine-ymls.sh

      - id: set-matrix
        # List all yml files in the .github/tests directory, as well as test combinations, except for the additional-services.yml file.
        run: |
          files=$(ls -R ./.github/tests/combinations/*.yml ./.github/tests/static-ports/custom-static-ports.yml ./.github/tests/static-ports/default-static-ports.yml ./.github/tests/pre-deployed-contracts.yml | grep -v 'additional-services.yml')
          matrix=$(echo "$files" | jq -R -s -c 'split("\n")[:-1]')
          echo "matrix=$matrix" >> $GITHUB_OUTPUT

  run-with-args:
    needs: list-ymls
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
        file_name: ${{ fromJson(needs.list-ymls.outputs.matrix) }}
    steps:
      - uses: actions/checkout@v4

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
        # This step will only execute if the necessary secrets are available, preventing failures
        # on pull requests from forked repositories.
        if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Install Kurtosis CDK tools
        uses: ./.github/actions/setup-kurtosis-cdk

      - name: Generate test combinations
        working-directory: .github/tests
        run: ./combine-ymls.sh

      - name: Run Starlark
        run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --args-file=${{ matrix.file_name }} --show-enclave-inspect=false .

      - name: Inspect enclave
        run: kurtosis enclave inspect ${{ env.ENCLAVE_NAME }}
      
      - name: Verify static ports
        run: |
          if [[ ${{ matrix.file_name }} == "./.github/tests/static-ports/default-static-ports.yml" ]]; then
            echo "Making sure public ports start by a 5 as defined by the static ports in the input_parser.star file."

            ports=$(kurtosis enclave inspect ${{ env.ENCLAVE_NAME }} | sed -n '/^========================================== User Services ==========================================$/,$ p' | tail -n +3)
            if ! wrong_ports=$(echo "$ports" | grep -vE '127.0.0.1:5|none'); then
              echo "✅ Default static ports are set correctly."
              exit 0
            else
              echo "wrong_ports: $wrong_ports"
              echo "❌ Default static ports are not set correctly."
              exit 1
            fi
          else
            echo "Skipping."  
          fi

      - name: Monitor verified batches (Central RPC)
        run: |
          sequencer_type=$(yq --raw-output '.args.sequencer_type' ${{ matrix.file_name }})
          rpc_name=""
          if [[ "$sequencer_type" == "erigon" ]]; then
            rpc_name="cdk-erigon-rpc-001"
          elif [[ "$sequencer_type" == "zkevm" ]]; then
            rpc_name="zkevm-node-rpc-001"
          elif [[ "$sequencer_type" == "null" ]]; then
            rpc_name="cdk-erigon-rpc-001"
          else
            echo "Unknown sequencer type: $sequencer_type"
            exit 1
          fi
          echo "RPC name: $rpc_name"
          ./.github/scripts/monitor-verified-batches.sh \
            --enclave ${{ env.ENCLAVE_NAME }} \
            --rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} $rpc_name rpc)

      - name: Monitor verified batches (zkEVM Permissionless RPC)
        run: |
          result=$(yq --raw-output '.args.additional_services // [] | contains(["pless_zkevm_node"])' ${{ matrix.file_name }})
          if [[ "$result" == "true" ]]; then
            ./.github/scripts/monitor-verified-batches.sh \
              --enclave ${{ env.ENCLAVE_NAME }} \
              --rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} zkevm-node-rpc-pless-001 rpc)
          else
            echo "Skipping batch verification as there is no zkevm permissionless RPC in the environment"
          fi

      - name: Dump enclave
        if: ${{ !cancelled() }}
        run: kurtosis enclave dump ${{ env.ENCLAVE_NAME }} ./dump

      - name: Generate archive name
        if: ${{ !cancelled() }}
        run: |
          file_name=$(basename "${{ matrix.file_name }}" ".yml")
          archive_name="dump_run_with_args_${file_name}_${{ github.run_id }}"
          echo "ARCHIVE_NAME=${archive_name}" >> "$GITHUB_ENV"
          echo "Generated archive name: ${archive_name}"

      - name: Upload enclave dump
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.ARCHIVE_NAME }}
          path: ./dump

  additional-services:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
        # This step will only execute if the necessary secrets are available, preventing failures
        # on pull requests from forked repositories.
        if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Install Kurtosis CDK tools
        uses: ./.github/actions/setup-kurtosis-cdk

      - name: Run Starlark
        run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --args-file=./.github/tests/additional-services.yml --show-enclave-inspect=false .

      - name: Inspect enclave
        run: kurtosis enclave inspect ${{ env.ENCLAVE_NAME }}

      - name: Monitor verified batches (CDK Erigon Permissionless RPC)
        working-directory: .github/scripts
        run: |
          ./monitor-verified-batches.sh \
            --enclave ${{ env.ENCLAVE_NAME }} \
            --rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} cdk-erigon-rpc-001 rpc)

      - name: Verify Arpeggio RPC
        run: |
          result=$(yq '.args.additional_services | contains(["arpeggio"])' ./.github/tests/additional-services.yml)
          if [ "$result" = "true" ]; then
            cast bn --rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} arpeggio-001 rpc)
          else
            echo "Arpeggio is not deployed."
          fi

      - name: Verify Blutgang RPC
        run: |
          result=$(yq '.args.additional_services | contains(["blutgang"])' ./.github/tests/additional-services.yml)
          if [ "$result" = "true" ]; then
            cast bn --rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} blutgang-001 http)
          else
            echo "Blutgang is not deployed."
          fi

      - name: Verify erpc RPC
        run: |
          result=$(yq '.args.additional_services | contains(["erpc"])' ./.github/tests/additional-services.yml)
          if [ "$result" = "true" ]; then
            cast bn --rpc-url "$(kurtosis port print ${{ env.ENCLAVE_NAME }} erpc-001 rpc)/main/evm/10101"
          else
            echo "ERPC is not deployed."
          fi

      - name: Verify permissionless zkevm-node rpc
        run: |
          result=$(yq '.args.additional_services | contains(["pless_zkevm_node"])' ./.github/tests/additional-services.yml)
          if [ "$result" = "true" ]; then
            cast bn --rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} zkevm-node-rpc-pless-001 rpc)
          else
            echo "Permissionless zkevm-node is not deployed."
          fi

      - name: Verify that Prometheus collects Panoptichain metrics
        run: |
          result=$(yq '.args.additional_services | contains(["prometheus_grafana"])' ./.github/tests/additional-services.yml)
          if [ "$result" = "true" ]; then
            echo "Wait for one minute while Prometheus gathers metrics..."
            sleep 60

            echo "Retrieve Panoptichain metrics from Prometheus..."
            panoptichain_metric="panoptichain_system_uptime"
            prometheus_url=$(kurtosis port print ${{ env.ENCLAVE_NAME }} prometheus-001 http)
            prometheus_query=$(curl "$prometheus_url/api/v1/query?query=$panoptichain_metric")
            echo $prometheus_query | jq
            if [ "$(jq -r '.data.result[0].metric.__name__' <<<$prometheus_query)" == "$panoptichain_metric" ]; then
              echo "✅ Prometheus collects panoptichain metrics!"
            else
              echo "❌ Prometheus does not collect panoptichain metrics..."
              exit 1
            fi
          else
            echo "Prometheus is not deployed."
          fi

      - name: Dump enclave
        if: ${{ !cancelled() }}
        run: kurtosis enclave dump ${{ env.ENCLAVE_NAME }} ./dump

      - name: Upload enclave dump
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: dump_additional_services_${{ github.run_id }}
          path: ./dump

  attach-second-cdk:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
        # This step will only execute if the necessary secrets are available, preventing failures
        # on pull requests from forked repositories.
        if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Install Kurtosis CDK tools
        uses: ./.github/actions/setup-kurtosis-cdk

      - name: Deploy L1 chain and a first CDK L2 chain (cdk-erigon sequencer + cdk stack)
        run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} .

      - name: Attach a second CDK L2 chain (cdk-erigon sequencer + cdk stack)
        run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --args-file=./.github/tests/attach-second-cdk.yml .

      - name: Update the agglayer config
        run: |
          # Download the agglayer config file.
          kurtosis files download ${{ env.ENCLAVE_NAME }} agglayer-config-artifact
          cd agglayer-config-artifact
          # Update the config by adding the rpc and proof signer of the second chain.
          tomlq -Y --toml-output --in-place '."full-node-rpcs" += {"2": "http://cdk-erigon-rpc-002:8123"}' agglayer-config.toml
          # Replace the agglayer config.
          agglayer_container_id="$(docker ps --filter name=agglayer --format json | jq -r -s '. | map(select(.Names | startswith("agglayer--"))) | .[].ID')"
          docker cp agglayer-config.toml "$agglayer_container_id:/etc/zkevm/agglayer-config.toml"
          # Restart the agglayer service.
          kurtosis service stop ${{ env.ENCLAVE_NAME }} agglayer
          kurtosis service start ${{ env.ENCLAVE_NAME }} agglayer

      - name: Inspect enclave
        run: kurtosis enclave inspect ${{ env.ENCLAVE_NAME }}

      - name: Monitor verified batches of the first L2 chain (CDK Erigon Permissionless RPC)
        working-directory: .github/scripts
        run: |
          ./monitor-verified-batches.sh \
            --enclave ${{ env.ENCLAVE_NAME }} \
            --rpc-url "$(kurtosis port print ${{ env.ENCLAVE_NAME }} cdk-erigon-rpc-001 rpc)"

      - name: Monitor verified batches of the second L2 chain (CDK Erigon Permissionless RPC)
        working-directory: .github/scripts
        run: |
          ./monitor-verified-batches.sh \
            --enclave ${{ env.ENCLAVE_NAME }} \
            --rpc-url "$(kurtosis port print ${{ env.ENCLAVE_NAME }} cdk-erigon-rpc-002 rpc)"

      - name: Dump enclave
        if: ${{ !cancelled() }}
        run: kurtosis enclave dump ${{ env.ENCLAVE_NAME }} ./dump

      - name: Upload enclave dump
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: dump_attach_ckds_${{ github.run_id }}
          path: ./dump

  deploy-to-external_l1:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
        # This step will only execute if the necessary secrets are available, preventing failures
        # on pull requests from forked repositories.
        if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Install Kurtosis CDK tools
        uses: ./.github/actions/setup-kurtosis-cdk

      - name: Deploy L1 chain
        run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --args-file=./.github/tests/external-l1/deploy-local-l1.yml .

      - name: Deploy to local L1 chain
        run: |
          kurtosis run --enclave=${{ env.ENCLAVE_NAME }} . '{"deployment_stages": {"deploy_l1": false}}'

      - name: Inspect enclave
        run: kurtosis enclave inspect ${{ env.ENCLAVE_NAME }}

      - name: Monitor verified batches
        working-directory: .github/scripts
        run: |
          ./monitor-verified-batches.sh \
            --enclave ${{ env.ENCLAVE_NAME }} \
            --rpc-url "$(kurtosis port print ${{ env.ENCLAVE_NAME }} cdk-erigon-rpc-001 rpc)"

      - name: Dump enclave
        if: ${{ !cancelled() }}
        run: kurtosis enclave dump ${{ env.ENCLAVE_NAME }} ./dump

      - name: Upload enclave dump
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: dump_deploy_to_external_l1_${{ github.run_id }}
          path: ./dump