Continuous integration, quality gates, and mainnet readiness.
This repository includes a CI pipeline at .github/workflows/ci.yml. It runs on every push and pull request.
| Job | Purpose | Tools |
|---|---|---|
move-build-test |
Build and test every Move package | sui move build, sui move test |
move-coverage |
Measure test coverage | sui move test --coverage |
rust-api |
Build, test, lint the Rust gRPC API | cargo build, cargo test, cargo clippy, cargo fmt |
move-build-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Sui CLI
run: |
curl -fLsS https://sui.io/install.sh | sh
echo "$HOME/.sui/bin" >> $GITHUB_PATH
- name: Build and test all modules
run: |
for dir in modules/*/; do
if [ -f "$dir/Move.toml" ]; then
echo "::group::Build $dir"
(cd "$dir" && sui move build --lint)
echo "::endgroup::"
echo "::group::Test $dir"
(cd "$dir" && sui move test)
echo "::endgroup::"
fi
doneKey details:
--lintenables the built-in linter during build. Catches unused imports, unnecessary references, and other style issues.- Each module is a standalone package, built and tested independently.
::group::/::endgroup::fold output in the GitHub Actions UI for readability.
move-coverage:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Sui CLI
run: |
curl -fLsS https://sui.io/install.sh | sh
echo "$HOME/.sui/bin" >> $GITHUB_PATH
- name: Run coverage
run: |
for dir in modules/*/; do
if [ -f "$dir/Move.toml" ]; then
echo "Coverage: $dir"
(cd "$dir" && sui move test --coverage)
fi
done🔶 Aptos: Use
aptos move test --coverageandaptos move coverage summaryfor HTML coverage reports.
Set up local quality checks that run before every commit.
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: move-build
name: Move Build
entry: bash -c 'for d in modules/*/; do [ -f "$d/Move.toml" ] && (cd "$d" && sui move build --lint) || true; done'
language: system
pass_filenames: false
files: '\.move$'
- id: move-test
name: Move Test
entry: bash -c 'for d in modules/*/; do [ -f "$d/Move.toml" ] && (cd "$d" && sui move test) || true; done'
language: system
pass_filenames: false
files: '\.move$'
- id: rust-fmt
name: Rust Format
entry: bash -c 'cd rust-api && cargo fmt -- --check'
language: system
pass_filenames: false
files: '\.rs$'Install:
pip install pre-commit
pre-commit installIf you prefer not to install pre-commit:
# .git/hooks/pre-commit
#!/bin/sh
set -e
for dir in modules/*/; do
if [ -f "$dir/Move.toml" ]; then
(cd "$dir" && sui move build --lint && sui move test)
fi
done
(cd rust-api && cargo fmt -- --check && cargo clippy -- -D warnings)| Practice | Tool / Technique |
|---|---|
| Lint on build | sui move build --lint |
| Test coverage | sui move test --coverage |
| Naming conventions | snake_case functions, PascalCase structs, E_ error prefixes, UPPER_SNAKE constants |
| Error codes | Sequential u64 constants starting at 0, documented in module header |
| Visibility | Minimize public surface; prefer public(package) for internal APIs |
| Events | Emit events for every state mutation |
| Assertions | Fail fast with descriptive error codes; never silently skip |
| Practice | Tool |
|---|---|
| Format | cargo fmt |
| Lint | cargo clippy -- -D warnings |
| Test | cargo test |
| Audit | cargo audit (dependency vulnerability scanning) |
| MSRV | Pin minimum supported Rust version in rust-toolchain.toml |
- Independent security audit completed
- All findings addressed or documented as accepted risks
- Access control tested with non-admin accounts
- Arithmetic tested for overflow/underflow edge cases
- Reentrancy considerations documented (shared object interactions)
- Error codes reviewed for information leakage
-
UpgradeCapstored in a multisig wallet (≥ 3-of-5) - Monitoring for on-chain events configured
- Incident response procedure documented
- Rollback / pause procedure tested
- Gas budget estimates documented for all entry functions
- Load testing for shared object contention completed
- Dependencies pinned to specific git revisions (not branches)
-
editionfield set to the latest stable Move edition - Package name is descriptive and unique
- No test-only code leaks into production modules
- All public functions have doc comments (
///) - Error codes are documented at the top of each module
- README covers: purpose, architecture, deployment, upgrade procedure
- CHANGELOG maintained for each upgrade
| Environment | Network | Purpose |
|---|---|---|
| Local | sui start |
Fast iteration, unit testing |
| Devnet | devnet |
Integration testing, early demos |
| Testnet | testnet |
Staging, external testing, faucet tokens |
| Mainnet | mainnet |
Production |
# Switch active environment
sui client switch --env testnet
# List environments
sui client envs🔶 Aptos: Use
aptos init --profile <name>to manage named profiles for each network.
Production deployments should index on-chain events for:
- Audit trails (who did what, when)
- Analytics dashboards
- Alerting on anomalous activity (large transfers, pauses)
Options:
- Custom indexer — subscribe to events via WebSocket or poll via JSON-RPC.
- Sui Indexer — Sui's built-in indexer populates a PostgreSQL database.
- Third-party — services like BlockVision or SuiVision.
The rust-api/ gRPC server includes a HealthCheck RPC that verifies connectivity to the Sui fullnode. Use this as a liveness probe in Kubernetes or similar orchestrators.
- Sui CLI Reference
- GitHub Actions Documentation
- pre-commit Framework
- cargo-audit
- Sui Indexer
- Move Security Guidelines
← Module 11 — Rust SDK Integration · Back to Course Overview →