Synthetixio · jjgonecrypto · Sep 21, 2021 · Sep 15, 2021 · Sep 15, 2021 · Sep 15, 2021
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -12,10 +12,27 @@ commands:
             wget --retry-connrefused --waitretry=1 --read-timeout=120 --timeout=120 -t 100 http://localhost:<<parameters.port>>
             :
 jobs:
+  job-audit:
+    working_directory: ~/repo
+    docker:
+      - image: synthetixio/docker-sec-tools:14.17-ubuntu
+        auth:
+          username: $DOCKERHUB_USERNAME
+          password: $DOCKERHUB_TOKEN
+    steps:
+      - checkout
+      - run:
+          name: Audit dependencies
+          command: |
+            npm audit --audit-level=critical
+      - run:
+          name: Lint lockfile
+          command: |
+            lockfile-lint -p package-lock.json --type npm --allowed-hosts npm github.com --allowed-schemes "https:" "git+ssh:"
   job-compile:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -29,7 +46,7 @@ jobs:
   job-fork-tests:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -54,7 +71,7 @@ jobs:
   job-integration-tests:
     working_directory: ~/repo
     machine:
-      image: ubuntu-2004:202104-01
+      image: ubuntu-2004:202107-02
       docker_layer_caching: true
     resource_class: large
     steps:
@@ -99,7 +116,7 @@ jobs:
   job-lint:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -111,7 +128,7 @@ jobs:
   job-pack-browser:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -125,28 +142,37 @@ jobs:
   job-prepare:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
     steps:
       - checkout
+      - attach_workspace:
+          at: .
       - restore_cache:
           keys:
             - v4-dependencies-{{ checksum "package-lock.json" }}
-      - run: npm install
+      - run:
+          name: Set custom npm cache directory
+          command: npm config set cache .npm-cache --global
+      - run:
+          name: Install dependencies
+          command: npm install --prefer-offline --no-audit
       - save_cache:
           key: v4-dependencies-{{ checksum "package-lock.json" }}
           paths:
             - node_modules
+            - .npm-cache
       - persist_to_workspace:
           root: .
           paths:
             - node_modules
+            - .npm-cache
   job-simulate-release:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -169,7 +195,7 @@ jobs:
   job-static-analysis:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -186,7 +212,7 @@ jobs:
   job-test-deploy-script:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -212,7 +238,7 @@ jobs:
   job-unit-tests-coverage-report:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-sec-tools:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -224,11 +250,11 @@ jobs:
           name: Upload coverage
           command: |
             cp -R /tmp/coverage/coverage-*.json .
-            bash <(curl -s https://codecov.io/bash)
+            codecov -t $CODECOV_TOKEN
   job-unit-tests-coverage:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -258,7 +284,7 @@ jobs:
   job-unit-tests-gas-report:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -270,13 +296,16 @@ jobs:
           name: Upload gas reports
           command: |
             npx hardhat test:merge-gas-reports gasReporterOutput-*.json
+            if [ "${CIRCLE_BRANCH}" != "master" ]; then
+              git branch -f master origin/master
+            fi
             npx codechecks codechecks.unit.yml
       - store_artifacts:
           path: gasReporterOutput.json
   job-unit-tests:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -308,7 +337,7 @@ jobs:
   job-validate-deployments:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -327,7 +356,7 @@ jobs:
   job-validate-etherscan:
     working_directory: ~/repo
     docker:
-      - image: synthetixio/docker-node:14.16-focal
+      - image: synthetixio/docker-node:14.17-ubuntu
         auth:
           username: $DOCKERHUB_USERNAME
           password: $DOCKERHUB_TOKEN
@@ -342,7 +371,10 @@ jobs:
 workflows:
   workflow-all:
     jobs:
-      - job-prepare
+      - job-audit
+      - job-prepare:
+          requires:
+            - job-audit
       - job-lint:
           requires:
             - job-prepare

diff --git a/.circleci/src/jobs/job-audit.yml b/.circleci/src/jobs/job-audit.yml
@@ -0,0 +1,12 @@
+# Bootstraps dependencies
+{{> job-header-sec-tools.yml}}
+steps:
+  - checkout
+  - run:
+      name: Audit dependencies
+      command: |
+        npm audit --audit-level=critical
+  - run:
+      name: Lint lockfile
+      command: |
+        lockfile-lint -p package-lock.json --type npm --allowed-hosts npm github.com --allowed-schemes "https:" "git+ssh:"
diff --git a/.circleci/src/jobs/job-compile.yml b/.circleci/src/jobs/job-compile.yml
@@ -1,5 +1,5 @@
 # Compiles all contracts and fails with oversized contracts
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 steps:
   - checkout
   - attach_workspace:

diff --git a/.circleci/src/jobs/job-fork-tests.yml b/.circleci/src/jobs/job-fork-tests.yml
@@ -1,5 +1,5 @@
 # Starts a fork of mainnet, deploys the latest release, and runs L1 integration tests
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 steps:
   - checkout
   - attach_workspace:

diff --git a/.circleci/src/jobs/job-lint.yml b/.circleci/src/jobs/job-lint.yml
@@ -1,5 +1,5 @@
 # Runs all linters
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 steps:
   - checkout
   - attach_workspace:

diff --git a/.circleci/src/jobs/job-pack-browser.yml b/.circleci/src/jobs/job-pack-browser.yml
@@ -1,5 +1,5 @@
 # Packs js code for browser usage
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 steps:
   - checkout
   - attach_workspace:

diff --git a/.circleci/src/jobs/job-prepare.yml b/.circleci/src/jobs/job-prepare.yml
@@ -1,18 +1,27 @@
 # Bootstraps dependencies
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 # set custom delimiter to avoid checksum parsing
 {{=<% %>=}}
 steps:
   - checkout
+  - attach_workspace:
+      at: .
   - restore_cache:
       keys:
         - v4-dependencies-{{ checksum "package-lock.json" }}
-  - run: npm install
+  - run:
+      name: Set custom npm cache directory
+      command: npm config set cache .npm-cache --global
+  - run:
+      name: Install dependencies
+      command: npm install --prefer-offline --no-audit
   - save_cache:
       key: v4-dependencies-{{ checksum "package-lock.json" }}
       paths:
         - node_modules
+        - .npm-cache
   - persist_to_workspace:
       root: .
       paths:
         - node_modules
+        - .npm-cache
diff --git a/.circleci/src/jobs/job-simulate-release.yml b/.circleci/src/jobs/job-simulate-release.yml
@@ -1,5 +1,5 @@
 # Starts a fork of mainnet, deploys the latest release, and runs L1 integration tests
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 steps:
   - checkout
   - attach_workspace:

diff --git a/.circleci/src/jobs/job-static-analysis.yml b/.circleci/src/jobs/job-static-analysis.yml
@@ -1,5 +1,5 @@
 # Runs all static analysis checks
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 steps:
   - checkout
   - attach_workspace:

diff --git a/.circleci/src/jobs/job-test-deploy-script.yml b/.circleci/src/jobs/job-test-deploy-script.yml
@@ -1,5 +1,5 @@
 # Validates that the deploy command is working as expected
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 resource_class: large
 steps:
   - checkout

diff --git a/.circleci/src/jobs/job-unit-tests-coverage-report.yml b/.circleci/src/jobs/job-unit-tests-coverage-report.yml
@@ -1,5 +1,5 @@
 # Measures unit and spec test coverage
-{{> job-header.yml}}
+{{> job-header-sec-tools.yml}}
 steps:
   - checkout
   - attach_workspace:
@@ -8,4 +8,4 @@ steps:
       name: Upload coverage
       command: |
         cp -R /tmp/coverage/coverage-*.json .
-        bash <(curl -s https://codecov.io/bash)
+        codecov -t $CODECOV_TOKEN
diff --git a/.circleci/src/jobs/job-unit-tests-coverage.yml b/.circleci/src/jobs/job-unit-tests-coverage.yml
@@ -1,5 +1,5 @@
 # Measures unit and spec test coverage
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 resource_class: large
 parallelism: 8
 steps:

diff --git a/.circleci/src/jobs/job-unit-tests-gas-report.yml b/.circleci/src/jobs/job-unit-tests-gas-report.yml
@@ -1,5 +1,5 @@
 # Measures deployment and transaction gas usage in unit tests
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 steps:
   - checkout
   - attach_workspace:
@@ -8,6 +8,10 @@ steps:
       name: Upload gas reports
       command: |
         npx hardhat test:merge-gas-reports gasReporterOutput-*.json
+        # required for codechecks
+        if [ "${CIRCLE_BRANCH}" != "master" ]; then
+          git branch -f master origin/master
+        fi
         npx codechecks codechecks.unit.yml
   - store_artifacts:
       path: gasReporterOutput.json
diff --git a/.circleci/src/jobs/job-unit-tests.yml b/.circleci/src/jobs/job-unit-tests.yml
@@ -1,5 +1,5 @@
 # Runs all unit and spec tests
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 resource_class: large
 parallelism: 8
 steps:

diff --git a/.circleci/src/jobs/job-validate-deployments.yml b/.circleci/src/jobs/job-validate-deployments.yml
@@ -1,5 +1,5 @@
 # Validates deployment json data against on-chain data
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 steps:
   - checkout
   - attach_workspace:

diff --git a/.circleci/src/jobs/job-validate-etherscan.yml b/.circleci/src/jobs/job-validate-etherscan.yml
@@ -1,5 +1,5 @@
 # Validates that sources have been verified in etherscan
-{{> job-header.yml}}
+{{> job-header-node.yml}}
 parameters:
   network:
     type: string

diff --git a/.circleci/src/snippets/job-header-machine.yml b/.circleci/src/snippets/job-header-machine.yml
@@ -1,4 +1,4 @@
 working_directory: ~/repo
 machine:
-  image: ubuntu-2004:202104-01
+  image: ubuntu-2004:202107-02
   docker_layer_caching: true
diff --git a/.circleci/src/snippets/job-header.yml → .circleci/src/snippets/job-header-node.yml b/.circleci/src/snippets/job-header.yml → .circleci/src/snippets/job-header-node.yml
@@ -1,6 +1,6 @@
 working_directory: ~/repo
 docker:
-  - image: synthetixio/docker-node:14.16-focal
+  - image: synthetixio/docker-node:14.17-ubuntu
     auth:
       username: $DOCKERHUB_USERNAME
       password: $DOCKERHUB_TOKEN
diff --git a/.circleci/src/snippets/job-header-sec-tools.yml b/.circleci/src/snippets/job-header-sec-tools.yml
@@ -0,0 +1,6 @@
+working_directory: ~/repo
+docker:
+  - image: synthetixio/docker-sec-tools:14.17-ubuntu
+    auth:
+      username: $DOCKERHUB_USERNAME
+      password: $DOCKERHUB_TOKEN
diff --git a/.circleci/src/snippets/require-audit.yml b/.circleci/src/snippets/require-audit.yml
@@ -0,0 +1,2 @@
+requires:
+  - job-audit
diff --git a/.circleci/src/workflows/workflow-all.yml b/.circleci/src/workflows/workflow-all.yml
@@ -2,7 +2,9 @@ jobs:
   # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   # Basic
   # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-  - job-prepare
+  - job-audit
+  - job-prepare:
+      {{> require-audit.yml}}
   - job-lint:
       {{> require-prepare.yml}}
   - job-compile:

diff --git a/.npmrc b/.npmrc
@@ -0,0 +1 @@
+save-exact=true
diff --git a/codecov.yml b/codecov.yml
@@ -0,0 +1,2 @@
+codecov:
+  require_ci_to_pass: false