feat(contracts): add contract upgrade hygiene CI check

Eikix · Eikix · commit c08b69540fb4 · 2026-03-13T15:47:33.000+01:00
New workflow + Bun/TypeScript script that compares deployed bytecode
between main and PR for every contract in upgrade-manifest.json.

When bytecode changes, the check enforces:
- REINITIALIZER_VERSION must be bumped
- A reinitializeV{N-1}() function must exist (not just commented out)
- At least one of MAJOR/MINOR/PATCH_VERSION must be bumped

When bytecode is unchanged, spurious REINITIALIZER_VERSION bumps are
flagged. Uses matrix strategy for host-contracts and gateway-contracts.
Addresses are generated via `make ensure-addresses` (same as upgrade tests).
diff --git a/.github/workflows/contracts-upgrade-hygiene.yml b/.github/workflows/contracts-upgrade-hygiene.yml
@@ -0,0 +1,104 @@
+name: contracts-upgrade-hygiene
+
+permissions: {}
+
+on:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  check-changes:
+    name: contracts-upgrade-hygiene/check-changes
+    permissions:
+      contents: 'read' # Required to checkout repository code
+      pull-requests: 'read' # Required to read pull request for paths-filter
+    runs-on: ubuntu-latest
+    outputs:
+      packages: ${{ steps.filter.outputs.changes }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          filters: |
+            host-contracts:
+              - .github/workflows/contracts-upgrade-hygiene.yml
+              - ci/check-upgrade-hygiene.ts
+              - host-contracts/**
+            gateway-contracts:
+              - .github/workflows/contracts-upgrade-hygiene.yml
+              - ci/check-upgrade-hygiene.ts
+              - gateway-contracts/**
+
+  check:
+    name: contracts-upgrade-hygiene/${{ matrix.package }} (bpr)
+    needs: check-changes
+    if: ${{ needs.check-changes.outputs.packages != '[]' }}
+    permissions:
+      contents: 'read' # Required to checkout repository code
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        package: ${{ fromJSON(needs.check-changes.outputs.packages) }}
+        include:
+          - package: host-contracts
+            extra-deps: forge soldeer install
+          - package: gateway-contracts
+            extra-deps: ''
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+
+      - name: Checkout main branch
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: main
+          path: main-branch
+          persist-credentials: 'false'
+
+      - name: Install Bun
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
+
+      - name: Install PR dependencies
+        working-directory: ${{ matrix.package }}
+        run: npm ci
+
+      - name: Install main dependencies
+        working-directory: main-branch/${{ matrix.package }}
+        run: npm ci
+
+      - name: Install Forge dependencies
+        if: matrix.extra-deps != ''
+        env:
+          PACKAGE: ${{ matrix.package }}
+          EXTRA_DEPS: ${{ matrix.extra-deps }}
+        run: |
+          (cd "$PACKAGE" && $EXTRA_DEPS)
+          (cd "main-branch/$PACKAGE" && $EXTRA_DEPS)
+
+      - name: Setup compilation
+        env:
+          PACKAGE: ${{ matrix.package }}
+        run: |
+          # Generate addresses once and share — both sides must use identical values
+          # because address constants are compiled into bytecode
+          (cd "$PACKAGE" && make ensure-addresses)
+          cp -r "$PACKAGE/addresses" "main-branch/$PACKAGE/addresses"
+          # Use PR's foundry.toml for both so compiler settings match (cbor_metadata, bytecode_hash)
+          cp "$PACKAGE/foundry.toml" "main-branch/$PACKAGE/foundry.toml"
+
+      - name: Run upgrade hygiene check
+        env:
+          PACKAGE: ${{ matrix.package }}
+        run: bun ci/check-upgrade-hygiene.ts "main-branch/$PACKAGE" "$PACKAGE"
diff --git a/ci/check-upgrade-hygiene.ts b/ci/check-upgrade-hygiene.ts
@@ -0,0 +1,148 @@
+#!/usr/bin/env bun
+// Checks that upgradeable contracts have proper version bumps when bytecode changes.
+// Usage: bun ci/check-upgrade-hygiene.ts <main-pkg-dir> <pr-pkg-dir>
+
+import { readFileSync, existsSync } from "fs";
+import { execSync } from "child_process";
+import { join } from "path";
+
+const [mainDir, prDir] = process.argv.slice(2);
+if (!mainDir || !prDir) {
+  console.error("Usage: bun ci/check-upgrade-hygiene.ts <main-pkg-dir> <pr-pkg-dir>");
+  process.exit(1);
+}
+
+const manifestPath = join(prDir, "upgrade-manifest.json");
+if (!existsSync(manifestPath)) {
+  console.error(`::error::upgrade-manifest.json not found in ${prDir}`);
+  process.exit(1);
+}
+
+const VERSION_RE = /(?<name>REINITIALIZER_VERSION|MAJOR_VERSION|MINOR_VERSION|PATCH_VERSION)\s*=\s*(?<value>\d+)/g;
+
+function extractVersions(filePath: string) {
+  const source = readFileSync(filePath, "utf-8");
+  const versions: Record<string, number> = {};
+  for (const { groups } of source.matchAll(VERSION_RE)) {
+    versions[groups!.name] = Number(groups!.value);
+  }
+  return { versions, source };
+}
+
+function forgeInspect(contract: string, root: string): string | null {
+  try {
+    const raw = execSync(`forge inspect "contracts/${contract}.sol:${contract}" --root "${root}" deployedBytecode`, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"],
+      env: { ...process.env, NO_COLOR: "1" },
+    });
+    // Extract hex bytecode — forge may prepend ANSI codes or compilation progress to stdout
+    const match = raw.match(/0x[0-9a-fA-F]+/);
+    return match ? match[0] : null;
+  } catch (e: any) {
+    if (e.stderr) console.error(String(e.stderr));
+    return null;
+  }
+}
+
+const contracts: string[] = JSON.parse(readFileSync(manifestPath, "utf-8"));
+let errors = 0;
+
+for (const name of contracts) {
+  console.log(`::group::Checking ${name}`);
+  try {
+    const mainSol = join(mainDir, "contracts", `${name}.sol`);
+    const prSol = join(prDir, "contracts", `${name}.sol`);
+
+    if (!existsSync(mainSol)) {
+      console.log(`Skipping ${name} (new contract, not on main)`);
+      continue;
+    }
+
+    if (!existsSync(prSol)) {
+      console.error(`::error::${name} listed in upgrade-manifest.json but missing in PR`);
+      errors++;
+      continue;
+    }
+
+    const { versions: mainV } = extractVersions(mainSol);
+    const { versions: prV, source: prSrc } = extractVersions(prSol);
+
+    let parseFailed = false;
+    for (const key of ["REINITIALIZER_VERSION", "MAJOR_VERSION", "MINOR_VERSION", "PATCH_VERSION"]) {
+      if (mainV[key] == null || prV[key] == null) {
+        console.error(`::error::Failed to parse ${key} for ${name}`);
+        errors++;
+        parseFailed = true;
+      }
+    }
+    if (parseFailed) continue;
+
+    const mainBytecode = forgeInspect(name, mainDir);
+    if (mainBytecode == null) {
+      console.error(`::error::Failed to compile ${name} on main`);
+      errors++;
+      continue;
+    }
+
+    const prBytecode = forgeInspect(name, prDir);
+    if (prBytecode == null) {
+      console.error(`::error::Failed to compile ${name} on PR`);
+      errors++;
+      continue;
+    }
+
+    const bytecodeChanged = mainBytecode !== prBytecode;
+    const reinitChanged = mainV.REINITIALIZER_VERSION !== prV.REINITIALIZER_VERSION;
+    const versionChanged =
+      mainV.MAJOR_VERSION !== prV.MAJOR_VERSION ||
+      mainV.MINOR_VERSION !== prV.MINOR_VERSION ||
+      mainV.PATCH_VERSION !== prV.PATCH_VERSION;
+
+    if (!bytecodeChanged) {
+      console.log(`${name}: bytecode unchanged`);
+      if (reinitChanged) {
+        console.error(
+          `::error::${name} REINITIALIZER_VERSION bumped (${mainV.REINITIALIZER_VERSION} -> ${prV.REINITIALIZER_VERSION}) but bytecode is unchanged`,
+        );
+        errors++;
+      }
+      continue;
+    }
+
+    console.log(`${name}: bytecode CHANGED`);
+
+    if (!reinitChanged) {
+      console.error(
+        `::error::${name} bytecode changed but REINITIALIZER_VERSION was not bumped (still ${prV.REINITIALIZER_VERSION})`,
+      );
+      errors++;
+    } else {
+      // Convention: reinitializeV{N-1} for REINITIALIZER_VERSION=N
+      const expectedFn = `reinitializeV${prV.REINITIALIZER_VERSION - 1}`;
+      const uncommented = prSrc.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "");
+      if (!new RegExp(`function\\s+${expectedFn}\\s*\\(`).test(uncommented)) {
+        console.error(
+          `::error::${name} has REINITIALIZER_VERSION=${prV.REINITIALIZER_VERSION} but no ${expectedFn}() function found`,
+        );
+        errors++;
+      }
+    }
+
+    if (!versionChanged) {
+      console.error(
+        `::error::${name} bytecode changed but semantic version was not bumped (still v${prV.MAJOR_VERSION}.${prV.MINOR_VERSION}.${prV.PATCH_VERSION})`,
+      );
+      errors++;
+    }
+  } finally {
+    console.log("::endgroup::");
+  }
+}
+
+if (errors > 0) {
+  console.error(`::error::Upgrade hygiene check failed with ${errors} error(s)`);
+  process.exit(1);
+}
+
+console.log("All contracts passed upgrade hygiene checks");
