refactor: deduplicate workflow with matrix, extract stubs to files

- Replace two near-identical jobs with a single matrix job (host-contracts,
  gateway-contracts), cutting workflow from 151 to 92 lines
- Move inline Solidity address heredocs to committed ci/stubs/ files
- Add missing PaymentBridgingAddresses.sol stub (was breaking gateway CI)
- Drop forge build pre-step: forge inspect already compiles and caches
  on first call, and forge build required ALL stubs including non-manifest
  contracts which caused failures
- Trim script from 161 to 110 lines: shorter header, flattened control flow

Author: Eikix

.github/workflows/contracts-upgrade-hygiene.yml

@@ -17,8 +17,7 @@ jobs:
       pull-requests: 'read'
     runs-on: ubuntu-latest
     outputs:
-      host-contracts: ${{ steps.filter.outputs.host-contracts }}
-      gateway-contracts: ${{ steps.filter.outputs.gateway-contracts }}
+      packages: ${{ steps.filter.outputs.changes }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -30,19 +29,30 @@ jobs:
             host-contracts:
               - .github/workflows/contracts-upgrade-hygiene.yml
               - ci/check-upgrade-hygiene.sh
+              - ci/stubs/host-contracts/**
               - host-contracts/**
             gateway-contracts:
               - .github/workflows/contracts-upgrade-hygiene.yml
               - ci/check-upgrade-hygiene.sh
+              - ci/stubs/gateway-contracts/**
               - gateway-contracts/**
 
-  host-contracts:
-    name: contracts-upgrade-hygiene/host-contracts
+  check:
+    name: contracts-upgrade-hygiene/${{ matrix.package }}
     needs: check-changes
-    if: ${{ needs.check-changes.outputs.host-contracts == 'true' }}
+    if: ${{ needs.check-changes.outputs.packages != '[]' }}
     permissions:
       contents: 'read'
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        package: ${{ fromJSON(needs.check-changes.outputs.packages) }}
+        include:
+          - package: host-contracts
+            extra-deps: forge soldeer install
+          - package: gateway-contracts
+            extra-deps: ''
     steps:
       - name: Checkout PR branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -59,93 +69,24 @@ jobs:
       - name: Install Foundry
         uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
 
-      - name: Install PR dependencies
-        working-directory: host-contracts
+      - name: Install dependencies
         run: |
-          npm ci
-          forge soldeer install
-
-      - name: Install main dependencies
-        working-directory: main-branch/host-contracts
-        run: |
-          npm ci
-          forge soldeer install
-
-      - name: Align compilation settings
-        run: cp host-contracts/foundry.toml main-branch/host-contracts/foundry.toml
-
-      - name: Generate address stubs
-        run: |
-          # Host contracts need addresses/FHEVMHostAddresses.sol (generated at deploy time).
-          # Create identical stubs in both copies so bytecode comparison is not affected.
-          mkdir -p host-contracts/addresses main-branch/host-contracts/addresses
-          cat > /tmp/FHEVMHostAddresses.sol << 'SOL'
-          // SPDX-License-Identifier: BSD-3-Clause-Clear
-          pragma solidity ^0.8.24;
-          address constant aclAdd = 0x0000000000000000000000000000000000000001;
-          address constant fhevmExecutorAdd = 0x0000000000000000000000000000000000000002;
-          address constant kmsVerifierAdd = 0x0000000000000000000000000000000000000003;
-          address constant inputVerifierAdd = 0x0000000000000000000000000000000000000004;
-          address constant hcuLimitAdd = 0x0000000000000000000000000000000000000005;
-          address constant pauserSetAdd = 0x0000000000000000000000000000000000000006;
-          SOL
-          cp /tmp/FHEVMHostAddresses.sol host-contracts/addresses/FHEVMHostAddresses.sol
-          cp /tmp/FHEVMHostAddresses.sol main-branch/host-contracts/addresses/FHEVMHostAddresses.sol
-
-      - name: Run upgrade hygiene check
-        run: ./ci/check-upgrade-hygiene.sh main-branch/host-contracts host-contracts
-
-  gateway-contracts:
-    name: contracts-upgrade-hygiene/gateway-contracts
-    needs: check-changes
-    if: ${{ needs.check-changes.outputs.gateway-contracts == 'true' }}
-    permissions:
-      contents: 'read'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout PR branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: 'false'
-
-      - name: Checkout main branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: main
-          path: main-branch
-          persist-credentials: 'false'
-
-      - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
-
-      - name: Install PR dependencies
-        working-directory: gateway-contracts
-        run: npm ci
-
-      - name: Install main dependencies
-        working-directory: main-branch/gateway-contracts
-        run: npm ci
+          npm --prefix ${{ matrix.package }} ci
+          npm --prefix main-branch/${{ matrix.package }} ci
+          if [ -n "${{ matrix.extra-deps }}" ]; then
+            (cd ${{ matrix.package }} && ${{ matrix.extra-deps }})
+            (cd main-branch/${{ matrix.package }} && ${{ matrix.extra-deps }})
+          fi
 
       - name: Align compilation settings
-        run: cp gateway-contracts/foundry.toml main-branch/gateway-contracts/foundry.toml
+        run: cp ${{ matrix.package }}/foundry.toml main-branch/${{ matrix.package }}/foundry.toml
 
       - name: Generate address stubs
         run: |
-          # Gateway contracts need addresses/GatewayAddresses.sol (generated at deploy time).
-          mkdir -p gateway-contracts/addresses main-branch/gateway-contracts/addresses
-          cat > /tmp/GatewayAddresses.sol << 'SOL'
-          // SPDX-License-Identifier: BSD-3-Clause-Clear
-          pragma solidity ^0.8.24;
-          address constant gatewayConfigAddress = 0x0000000000000000000000000000000000000001;
-          address constant decryptionAddress = 0x0000000000000000000000000000000000000002;
-          address constant ciphertextCommitsAddress = 0x0000000000000000000000000000000000000003;
-          address constant inputVerificationAddress = 0x0000000000000000000000000000000000000004;
-          address constant kmsGenerationAddress = 0x0000000000000000000000000000000000000005;
-          address constant protocolPaymentAddress = 0x0000000000000000000000000000000000000006;
-          address constant pauserSetAddress = 0x0000000000000000000000000000000000000007;
-          SOL
-          cp /tmp/GatewayAddresses.sol gateway-contracts/addresses/GatewayAddresses.sol
-          cp /tmp/GatewayAddresses.sol main-branch/gateway-contracts/addresses/GatewayAddresses.sol
+          for dir in ${{ matrix.package }} main-branch/${{ matrix.package }}; do
+            mkdir -p "$dir/addresses"
+            cp ci/stubs/${{ matrix.package }}/*.sol "$dir/addresses/"
+          done
 
       - name: Run upgrade hygiene check
-        run: ./ci/check-upgrade-hygiene.sh main-branch/gateway-contracts gateway-contracts
+        run: ./ci/check-upgrade-hygiene.sh main-branch/${{ matrix.package }} ${{ matrix.package }}

ci/check-upgrade-hygiene.sh

@@ -1,22 +1,6 @@
 #!/usr/bin/env bash
-# ci/check-upgrade-hygiene.sh
-#
-# Validates that upgradeable contracts have proper version bumps when bytecode changes.
-# Compares deployed bytecodes between two copies of a contract package (e.g. main vs PR branch).
-#
-# Usage:
-#   ./ci/check-upgrade-hygiene.sh <main-pkg-dir> <pr-pkg-dir>
-#
-# Example:
-#   ./ci/check-upgrade-hygiene.sh main-branch/host-contracts host-contracts
-#
-# Requires: forge (Foundry), jq
-# Both directories must have:
-#   - foundry.toml with cbor_metadata=false and bytecode_hash='none'
-#   - upgrade-manifest.json listing contract names
-#   - contracts/<Name>.sol for each manifest entry
-#   - addresses/ stub (generated file) so contracts compile
-
+# Checks that upgradeable contracts have proper version bumps when bytecode changes.
+# Usage: ./ci/check-upgrade-hygiene.sh <main-pkg-dir> <pr-pkg-dir>
 set -euo pipefail
 
 MAIN_DIR="$1"
@@ -29,8 +13,7 @@ fi
 
 ERRORS=0
 
-# Extract all four version constants from a .sol file in a single pass.
-# Returns: REINITIALIZER_VERSION MAJOR_VERSION MINOR_VERSION PATCH_VERSION
+# Extract REINITIALIZER_VERSION, MAJOR_VERSION, MINOR_VERSION, PATCH_VERSION in one pass.
 extract_versions() {
   awk '
     function val_after_eq(line) { sub(/.*=[[:space:]]*/, "", line); sub(/[^0-9].*/, "", line); return line }
@@ -42,35 +25,25 @@ extract_versions() {
   ' "$1"
 }
 
-# Pre-compile both roots in parallel so all forge inspect calls are cache hits.
-forge build --root "$MAIN_DIR" &
-pid_main=$!
-forge build --root "$PR_DIR" &
-pid_pr=$!
-wait "$pid_main" || { echo "::error::forge build failed for $MAIN_DIR"; exit 1; }
-wait "$pid_pr"   || { echo "::error::forge build failed for $PR_DIR"; exit 1; }
-
 for name in $(jq -r '.[]' "$PR_DIR/upgrade-manifest.json"); do
   echo "::group::Checking $name"
 
   main_sol="$MAIN_DIR/contracts/${name}.sol"
   pr_sol="$PR_DIR/contracts/${name}.sol"
 
-  # Skip contracts not present on main (newly added)
   if [ ! -f "$main_sol" ]; then
     echo "Skipping $name (new contract, not on main)"
     echo "::endgroup::"
     continue
   fi
 
   if [ ! -f "$pr_sol" ]; then
-    echo "::error::$name is in upgrade-manifest.json but contracts/${name}.sol not found in PR"
+    echo "::error::$name listed in upgrade-manifest.json but missing in PR"
     ERRORS=$((ERRORS + 1))
     echo "::endgroup::"
     continue
   fi
 
-  # --- Extract version constants from both (single pass per file) ---
   read -r main_reinit main_major main_minor main_patch < <(extract_versions "$main_sol")
   read -r pr_reinit pr_major pr_minor pr_patch < <(extract_versions "$pr_sol")
 
@@ -83,73 +56,49 @@ for name in $(jq -r '.[]' "$PR_DIR/upgrade-manifest.json"); do
     fi
   done
 
-  # --- Compare bytecodes (paths relative to --root, builds are cached) ---
-  # Capture only stdout for bytecode; stderr goes to /dev/null on success (warnings),
-  # but on failure we re-run to capture the error message.
+  # forge inspect compiles on first call and caches; stderr suppressed to avoid warning noise.
   if ! main_bytecode=$(forge inspect "contracts/${name}.sol:$name" --root "$MAIN_DIR" deployedBytecode 2>/dev/null); then
-    echo "::error::Failed to inspect $name on main:$(forge inspect "contracts/${name}.sol:$name" --root "$MAIN_DIR" deployedBytecode 2>&1 || true)"
+    echo "::error::Failed to compile $name on main"
     ERRORS=$((ERRORS + 1))
     echo "::endgroup::"
     continue
   fi
   if ! pr_bytecode=$(forge inspect "contracts/${name}.sol:$name" --root "$PR_DIR" deployedBytecode 2>/dev/null); then
-    echo "::error::Failed to inspect $name on PR:$(forge inspect "contracts/${name}.sol:$name" --root "$PR_DIR" deployedBytecode 2>&1 || true)"
+    echo "::error::Failed to compile $name on PR"
     ERRORS=$((ERRORS + 1))
     echo "::endgroup::"
     continue
   fi
 
-  bytecode_changed=false
-  if [ "$main_bytecode" != "$pr_bytecode" ]; then
-    bytecode_changed=true
-  fi
-
-  version_changed=false
-  if [ "$main_major" != "$pr_major" ] || [ "$main_minor" != "$pr_minor" ] || [ "$main_patch" != "$pr_patch" ]; then
-    version_changed=true
-  fi
-
-  reinit_changed=false
-  if [ "$main_reinit" != "$pr_reinit" ]; then
-    reinit_changed=true
-  fi
-
-  if [ "$bytecode_changed" = true ]; then
-    echo "$name: bytecode CHANGED"
-
-    # Check 1: REINITIALIZER_VERSION must be bumped
-    if [ "$reinit_changed" = false ]; then
-      echo "::error::$name bytecode changed but REINITIALIZER_VERSION was not bumped (still $pr_reinit)"
+  if [ "$main_bytecode" = "$pr_bytecode" ]; then
+    echo "$name: bytecode unchanged"
+    if [ "$main_reinit" != "$pr_reinit" ]; then
+      echo "::error::$name REINITIALIZER_VERSION bumped ($main_reinit -> $pr_reinit) but bytecode is unchanged"
       ERRORS=$((ERRORS + 1))
     fi
+    echo "::endgroup::"
+    continue
+  fi
 
-    # Check 2: reinitializeVN function must exist (convention: N = REINITIALIZER_VERSION - 1)
-    if [ "$reinit_changed" = true ]; then
-      expected_n=$((pr_reinit - 1))
-      expected_fn="reinitializeV${expected_n}"
-      # Look for function declaration (not just any mention)
-      if ! grep -qE "function[[:space:]]+${expected_fn}[[:space:]]*\(" "$pr_sol"; then
-        echo "::error::$name has REINITIALIZER_VERSION=$pr_reinit but no $expected_fn() function found"
-        ERRORS=$((ERRORS + 1))
-      fi
-    fi
-
-    # Check 3: Semantic version must be bumped
-    if [ "$version_changed" = false ]; then
-      echo "::error::$name bytecode changed but semantic version was not bumped (still v${pr_major}.${pr_minor}.${pr_patch})"
-      ERRORS=$((ERRORS + 1))
-    fi
+  echo "$name: bytecode CHANGED"
 
+  if [ "$main_reinit" = "$pr_reinit" ]; then
+    echo "::error::$name bytecode changed but REINITIALIZER_VERSION was not bumped (still $pr_reinit)"
+    ERRORS=$((ERRORS + 1))
   else
-    echo "$name: bytecode unchanged"
-
-    # Inverse check: reinitializer should NOT be bumped if bytecode didn't change
-    if [ "$reinit_changed" = true ]; then
-      echo "::error::$name REINITIALIZER_VERSION bumped ($main_reinit -> $pr_reinit) but bytecode is unchanged"
+    # Convention: reinitializeV{N-1} for REINITIALIZER_VERSION=N
+    expected_fn="reinitializeV$((pr_reinit - 1))"
+    if ! grep -qE "function[[:space:]]+${expected_fn}[[:space:]]*\(" "$pr_sol"; then
+      echo "::error::$name has REINITIALIZER_VERSION=$pr_reinit but no $expected_fn() function found"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 
+  if [ "$main_major" = "$pr_major" ] && [ "$main_minor" = "$pr_minor" ] && [ "$main_patch" = "$pr_patch" ]; then
+    echo "::error::$name bytecode changed but semantic version was not bumped (still v${pr_major}.${pr_minor}.${pr_patch})"
+    ERRORS=$((ERRORS + 1))
+  fi
+
   echo "::endgroup::"
 done
 

ci/stubs/gateway-contracts/GatewayAddresses.sol

@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: BSD-3-Clause-Clear
+pragma solidity ^0.8.24;
+address constant gatewayConfigAddress = 0x0000000000000000000000000000000000000001;
+address constant decryptionAddress = 0x0000000000000000000000000000000000000002;
+address constant ciphertextCommitsAddress = 0x0000000000000000000000000000000000000003;
+address constant inputVerificationAddress = 0x0000000000000000000000000000000000000004;
+address constant kmsGenerationAddress = 0x0000000000000000000000000000000000000005;
+address constant protocolPaymentAddress = 0x0000000000000000000000000000000000000006;
+address constant pauserSetAddress = 0x0000000000000000000000000000000000000007;

ci/stubs/gateway-contracts/PaymentBridgingAddresses.sol

@@ -0,0 +1,4 @@
+// SPDX-License-Identifier: BSD-3-Clause-Clear
+pragma solidity ^0.8.24;
+address constant feesSenderToBurnerAddress = 0x0000000000000000000000000000000000000008;
+address constant zamaOFTAddress = 0x0000000000000000000000000000000000000009;

ci/stubs/host-contracts/FHEVMHostAddresses.sol

@@ -0,0 +1,8 @@
+// SPDX-License-Identifier: BSD-3-Clause-Clear
+pragma solidity ^0.8.24;
+address constant aclAdd = 0x0000000000000000000000000000000000000001;
+address constant fhevmExecutorAdd = 0x0000000000000000000000000000000000000002;
+address constant kmsVerifierAdd = 0x0000000000000000000000000000000000000003;
+address constant inputVerifierAdd = 0x0000000000000000000000000000000000000004;
+address constant hcuLimitAdd = 0x0000000000000000000000000000000000000005;
+address constant pauserSetAdd = 0x0000000000000000000000000000000000000006;