Configure jobs deploying & publishing contracts

We're adding jobs which will deploy and publish Threshold contracts.
`NPM` workflow will build & publish contracts every time there is a
change in contracts or in the files describing package dependencies.
The `-dev` suffix will be used in the name of the published package.
`Solidity` workflow will deploy and publish contracts every time
worklfow is triggered by the `workflow_dispatch` event. Published
package name will point to name of the environment on which the
contracts were deployed.
Note: we're temporarily switched off publishing to NPM registry using
`--dry-run` flag. The flag will be removed before merging of the changes
to the `main` branch.

Author: michalinacienciala

.github/workflows/contracts.yaml

@@ -6,6 +6,18 @@ on:
       - main
   pull_request:
   workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment for workflow execution'
+        required: false
+        default: 'dev'
+      upstream_builds:
+        description: "Upstream builds"
+        required: false
+      upstream_ref:
+        description: "Git reference to checkout (e.g. branch name)"
+        required: false
+        default: "main"
 
 jobs:
   contracts-build-and-test:
@@ -27,6 +39,118 @@ jobs:
       - name: Run tests
         run: yarn test
 
+  contracts-deployment-dry-run:
+    runs-on: ubuntu-latest
+    if: github.event_name != 'schedule'
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-node@v2
+        with:
+          node-version: "14.x"
+          cache: "yarn"
+
+      - name: Install dependencies
+        run: yarn install
+
+      - name: Deploy contracts
+        run: yarn deploy
+
+  contracts-deployment-testnet:
+    needs: [contracts-build-and-test]
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-node@v2
+        with:
+          node-version: "14.x"
+          cache: "yarn"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Get upstream packages versions
+        uses: keep-network/ci/actions/upstream-builds-query@v1
+        id: upstream-builds-query
+        with:
+          upstream-builds: ${{ github.event.inputs.upstream_builds }}
+          query: keep-core-contracts-version = github.com/keep-network/keep-core/solidity-v1#version
+
+      - name: Resolve latest contracts
+        run: |
+          yarn upgrade \
+            @keep-network/keep-core@${{ steps.upstream-builds-query.outputs.keep-core-contracts-version }}
+
+      - name: Configure tenderly
+        if: github.event.inputs.environment == 'ropsten'
+        env:
+          TENDERLY_TOKEN: ${{ secrets.TENDERLY_TOKEN }}
+        run: ./config_tenderly.sh
+
+      - name: Deploy contracts
+        env:
+          CHAIN_API_URL: ${{ secrets.KEEP_TEST_ETH_HOSTNAME_HTTP }}
+          CONTRACT_OWNER_ACCOUNT_PRIVATE_KEY: ${{ secrets.KEEP_TEST_ETH_CONTRACT_OWNER_PRIVATE_KEY }}
+        run: yarn deploy --network ${{ github.event.inputs.environment }}
+
+      - name: Bump up package version
+        id: npm-version-bump
+        uses: keep-network/npm-version-bump@v2
+        with:
+          environment: ${{ github.event.inputs.environment }}
+          branch: ${{ github.ref }}
+          commit: ${{ github.sha }}
+
+      - name: Publish to npm # TODO: switch off --dry-run
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access=public --network=${{ github.event.inputs.environment }} --dry-run
+
+      - name: Upload files needed for etherscan verification
+        uses: actions/upload-artifact@v2
+        with:
+          name: Artifacts for etherscan verifcation
+          path: |
+            ./deployments
+            ./package.json
+            ./yarn.lock
+
+  contracts-etherscan-verification:
+    needs: [contracts-deployment-testnet]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Download files needed for etherscan verification
+        uses: actions/download-artifact@v2
+        with:
+          name: Artifacts for etherscan verifcation
+
+      - uses: actions/setup-node@v2
+        with:
+          node-version: "14.x"
+          cache: "yarn"
+
+      - name: Install needed dependencies
+        run: yarn install --frozen-lockfile
+
+      # If we don't remove the `keep-core` contracts from `node-modules`, the
+      # `etherscan-verify` plugins tries to verify them, which is not desired.
+      - name: Prepare for verification on Etherscan
+        run: |
+          rm -rf ./node_modules/@keep-network/keep-core
+
+      - name: Verify contracts on Etherscan
+        env:
+          ETHERSCAN_API_KEY: ${{ secrets.ETHERSCAN_API_KEY }}
+          CHAIN_API_URL: ${{ secrets.KEEP_TEST_ETH_HOSTNAME_HTTP }}
+        run: | 
+          yarn run hardhat --network ${{ github.event.inputs.environment }} \
+            etherscan-verify --license MIT
+
   contracts-slither:
     runs-on: ubuntu-latest
     steps:
@@ -48,6 +172,7 @@ jobs:
           pip3 install solc-select
           solc-select install $SOLC_VERSION
           solc-select use $SOLC_VERSION
+
       - name: Install Slither
         env:
           SLITHER_VERSION: 0.8.0

.github/workflows/npm.yml

@@ -0,0 +1,45 @@
+name: NPM
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "contracts/**"
+      - "package.json"
+      - "yarn.lock"
+  workflow_dispatch:
+
+jobs:
+  npm-compile-publish-contracts:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-node@v2
+        with:
+          node-version: "14.x"
+          registry-url: "https://registry.npmjs.org"
+          cache: "yarn"
+
+      - name: Resolve latest contracts
+        run: |
+          yarn upgrade @keep-network/keep-core
+
+      # Deploy contracts to a local network to generate deployment artifacts that
+      # are required by dashboard compilation.
+      - name: Deploy contracts
+        run: yarn deploy --network hardhat --write true
+
+      - name: Bump up package version
+        id: npm-version-bump
+        uses: keep-network/npm-version-bump@v2
+        with:
+          environment: dev
+          branch: ${{ github.ref }}
+          commit: ${{ github.sha }}
+
+      - name: Publish package # TODO: switch off --dry-run
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access=public --network=hardhat --tag=development --dry-run

contracts/token/T.sol

@@ -58,7 +58,7 @@ contract T is ERC20WithPermit, MisfundRecovery, Checkpoints {
                     abi.encode(
                         DELEGATION_TYPEHASH,
                         delegatee,
-                        nonce[signatory]++,
+                        nonces[signatory]++,
                         deadline
                     )
                 )