chore(security): Add linters and WFs (lidofinance#32)

.github/workflows/analyse.yml

@@ -0,0 +1,94 @@
+name: Code Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  slither:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup node.js version
+        uses: actions/setup-node@v1
+        with:
+          node-version: 16.x
+
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "::set-output name=dir::$(yarn config get cacheFolder)"
+
+      - name: Cache yarn cache
+        id: cache-yarn-cache
+        uses: actions/cache@v2
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: yarn-${{ hashFiles('**/yarn.lock') }}
+
+      - name: Cache node_modules
+        id: cache-node-modules
+        uses: actions/cache@v2
+        with:
+          path: '**/node_modules'
+          key: node_modules-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: node_modules-${{ hashFiles('**/yarn.lock') }}
+
+      - name: Install modules
+        run: yarn
+        if: |
+          steps.cache-yarn-cache.outputs.cache-hit != 'true' ||
+          steps.cache-node-modules.outputs.cache-hit != 'true'
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.10.1"
+
+      - name: Install poetry requirements
+        run: >
+          curl -sSL https://install.python-poetry.org | python - &&
+          poetry install --no-root
+
+      - name: Run slither
+        run: >
+          poetry run slither . --sarif results.sarif || true
+
+      - name: Check results.sarif presence
+        id: results
+        if: always()
+        shell: bash
+        run: >
+          test -f results.sarif && 
+          echo '::set-output name=value::present' || 
+          echo '::set-output name=value::not'
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        if: ${{ always() && steps.results.outputs.value == 'present' }}
+        with:
+          sarif_file: results.sarif
+
+  solhint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 16
+
+      - name: Install solhint
+        run: >
+          npm install solhint solhint-plugin-lido
+
+      - name: Run solhint
+        run: >
+          npx solhint 'contracts/**/*.sol'

.solhint.json

@@ -1,7 +1,19 @@
 {
   "extends": "solhint:recommended",
+  "plugins": [
+    "lido"
+  ],
   "rules": {
-    "compiler-version": ["error", "^0.8.0"],
-    "func-visibility": ["warn", { "ignoreConstructors": true }]
+    "compiler-version": [
+      "error",
+      "^0.8.0"
+    ],
+    "func-visibility": [
+      "warn",
+      {
+        "ignoreConstructors": true
+      }
+    ],
+    "lido/fixed-compiler-version": "error"
   }
 }

.solhintignore

@@ -1 +1,3 @@
 node_modules
+contracts/**/interfaces/**/*.sol
+contracts/**/stubs/**/*.sol

pyproject.toml

@@ -0,0 +1,18 @@
+[tool.poetry]
+name = "lido-dao"
+version = "0.1.0"
+description = ""
+authors = ["Lido <[email protected]>"]
+license = "MIT"
+readme = "README.md"
+packages = [{include = "lido_dao"}]
+
+[tool.poetry.dependencies]
+python = "^3.9"
+
+[tool.poetry.group.dev.dependencies]
+slither-analyzer = "^0.8.3"
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"

slither.config.json

@@ -0,0 +1,7 @@
+{
+    "exclude_informational": true,
+    "exclude_low": true,
+    "exclude_medium": false,
+    "exclude_high": false,
+    "filter_paths": "(.*test.*/|.*template/|.*stubs/|.*mocks/|node_modules/|.*brownie/|.*dependencies/)"
+}