Initial branch (#1)

this includes not only the modified docker image, but a ci workflow that will update it on pushes to tags and main/dev branches, or on a manual trigger due to the dockerfile manually pulling the last version of the dependencies, it's enough to trigger the ci workflow to update them, which I think it's a nice feature. TODO: after merging, revert the repository's default branch to `dev`
defi-wonderland · Oct 22, 2024 · ebd0f54 · ebd0f54
2 parents 6cc6cbb + 264473f
commit ebd0f54
Show file tree

Hide file tree

Showing 4 changed files with 840 additions and 22 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,53 @@
+name: Docker
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - v*
+    branches:
+      - prod
+      - dev
+      - main
+
+jobs:
+  build-and-push-image:
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,format=short
+            type=raw,value=${{ github.ref_name }}
+            type=raw,value=latest
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          file: Dockerfile
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,106 @@
+# syntax=docker/dockerfile:1.6
+
+###
+### Medusa build process
+###
+FROM golang:1.22 AS medusa
+
+WORKDIR /src
+RUN git clone https://github.com/crytic/medusa.git
+RUN cd medusa && \
+    export LATEST_TAG="$(git describe --tags | sed 's/-[0-9]\+-g\w\+$//')" && \
+    git checkout "$LATEST_TAG" && \
+    go build -trimpath -o=/usr/local/bin/medusa -ldflags="-s -w" && \
+    chmod 755 /usr/local/bin/medusa
+
+
+###
+### Echidna "build process"
+### TODO: replace this with a aarch64-friendly solution
+###
+FROM --platform=linux/amd64 ghcr.io/crytic/echidna/echidna:latest AS echidna
+RUN chmod 755 /usr/local/bin/echidna
+
+
+###
+### ETH Security Toolbox
+###
+FROM ubuntu:jammy AS toolbox
+
+# Add common tools
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    bash-completion \
+    curl \
+    git \
+    python3-dev \
+    python3-pip \
+    python3-venv \
+    sudo \
+    unzip \
+    wget \
+    && rm -rf /var/lib/apt/lists/*
+
+# improve compatibility with amd64 solc in non-amd64 environments (e.g. Docker Desktop on M1 Mac)
+ENV QEMU_LD_PREFIX=/usr/x86_64-linux-gnu
+RUN if [ ! "$(uname -m)" = "x86_64" ]; then \
+    export DEBIAN_FRONTEND=noninteractive \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends libc6-amd64-cross \
+    && rm -rf /var/lib/apt/lists/*; fi
+
+# Add n (node version manager), lts node, npm, and yarn
+RUN curl -fsSL https://raw.githubusercontent.com/tj/n/v9.2.0/bin/n -o n && \
+    if [ ! "ab1292c18efdac7b6b673949deeee3654b267518dea32569caf2eeb0ee0c69d5  n" = "$(sha256sum n)" ]; then \
+        echo "N installer does not match expected checksum! exiting"; \
+        exit 1; \
+    fi && \
+    cat n | bash -s lts && rm n && \
+    npm install -g n yarn && \
+    n stable && n prune && npm --force cache clean
+
+# Include echidna
+COPY --chown=root:root --from=echidna /usr/local/bin/echidna /usr/local/bin/echidna
+
+# Include medusa
+COPY --chown=root:root --from=medusa /usr/local/bin/medusa /usr/local/bin/medusa
+RUN medusa completion bash > /etc/bash_completion.d/medusa
+
+##### Things should be installed in $HOME from now on
+USER root
+WORKDIR /root
+ENV HOME="/root"
+ENV PATH="${PATH}:${HOME}/.local/bin:${HOME}/.vyper/bin:${HOME}/.foundry/bin"
+
+# Install vyper compiler
+RUN python3 -m venv ${HOME}/.vyper && \
+    ${HOME}/.vyper/bin/pip3 install --no-cache-dir vyper && \
+    echo '\nexport PATH=${PATH}:${HOME}/.vyper/bin' >> ~/.bashrc
+
+# Install foundry
+RUN curl -fsSL https://raw.githubusercontent.com/foundry-rs/foundry/ded0317584bd835e79f2573e56c0043ab548da04/foundryup/install -o install && \
+    if [ ! "5d67b82c1319b26f19d496f8602edf0dd62da7cf41c219bc38cf3f6dd5f9c86b  install" = "$(sha256sum install)" ]; then \
+        echo "Foundry installer does not match expected checksum! exiting"; \
+        exit 1; \
+    fi && \
+    cat install | SHELL=/bin/bash bash && rm install && \
+    foundryup && \
+    COMPLETIONS="${XDG_DATA_HOME:-$HOME/.local/share}/bash-completion/completions" && \
+    mkdir -p "${COMPLETIONS}" && \
+    for tool in anvil cast forge; do \
+        "$tool" completions bash > "${COMPLETIONS}/$tool"; \
+    done
+
+# Install python tools
+RUN pip3 install --no-cache-dir \
+    pyevmasm \
+    solc-select \
+    crytic-compile \
+    slither-analyzer
+
+# Install one solc release from each branch and select the latest version as the default
+RUN solc-select install 0.4.26 0.5.17 0.6.12 0.7.6 latest && solc-select use latest
+
+# Clone useful repositories
+RUN git clone --depth 1 https://github.com/crytic/building-secure-contracts.git
+
+CMD ["/bin/bash"]