ZK-611: contract deployment environments

.github/workflows/_check-vars-and-secrets.yml

@@ -15,12 +15,14 @@ jobs:
           if [[ \
             -z '${{ vars.SHIELDER_CONTRACT_ADDRESS }}' || \
             -z '${{ vars.KUSTOMIZE_VERSION }}' || \
-            -z '${{ vars.CI_TESTNET_ALICE_PUBLIC_KEY }} }}' || \
-            -z '${{ vars.CI_TESTNET_BOB_PUBLIC_KEY }} }}' || \
-            -z '${{ vars.CI_TESTNET_CHARLIE_PUBLIC_KEY }} }}' || \
-            -z '${{ vars.CI_TESTNET_TS_SDK_PUBLIC_KEY }} }}' || \
-            -z '${{ vars.CI_TESTNET_RELAYER_SIGNER_ADDRESSES }} }}' || \
-            -z '${{ vars.CI_TESTNET_FEE_DESTINATION }} }}'
+            -z '${{ vars.CI_TESTNET_ALICE_PUBLIC_KEY }}' || \
+            -z '${{ vars.CI_TESTNET_BOB_PUBLIC_KEY }}' || \
+            -z '${{ vars.CI_TESTNET_CHARLIE_PUBLIC_KEY }}' || \
+            -z '${{ vars.CI_TESTNET_TS_SDK_PUBLIC_KEY }}' || \
+            -z '${{ vars.CI_TESTNET_RELAYER_SIGNER_ADDRESSES }}' || \
+            -z '${{ vars.CI_TESTNET_FEE_DESTINATION }}' || \
+            -z '${{ vars.CI_TESTNET_STAGE_OWNER_ADDRESS }}' || \
+            -z '${{ vars.MAINNET_PROD_OWNER_ADDRESS }}'
           ]]; then
             echo '!!! Some repository variables are either missing or empty.'
             echo '!!! Please check either repository or organization settings.'
@@ -55,7 +57,8 @@ jobs:
             -z '${{ secrets.CONTRACTS_S3BUCKET_REGION }}' || \
             -z '${{ secrets.CONTRACTS_S3BUCKET_NAME }}' || \
             -z '${{ secrets.CONTRACTS_ZKOS_ARTIFACTS_RW_AWS_ACCESS_KEY_ID }}' || \
-            -z '${{ secrets.CONTRACTS_ZKOS_ARTIFACTS_RW_AWS_SECRET_ACCESS_KEY }}'
+            -z '${{ secrets.CONTRACTS_ZKOS_ARTIFACTS_RW_AWS_SECRET_ACCESS_KEY }}' || \
+            -z '${{ secrets.CI_MAINNET_DEPLOYER_PRIVATE_KEY }}'
           ]]; then
             echo '!!! Some repository secrets are either missing or empty.'
             echo '!!! Please check either repository or organization settings.'

.github/workflows/manual-testnet-deploy-contract.yml → .github/workflows/manual-deploy-contract.yml

@@ -1,12 +1,22 @@
 ---
-name: "[TESTNET] Deploy contracts"
+name: "Manually Deploy contracts"
 
 on:
   workflow_dispatch:
+    inputs:
+      environment:
+        description: "Environment to deploy to"
+        required: true
+        default: "testnet-dev"
+        type: choice
+        options:
+          - "testnet-dev"
+          - "testnet-stage"
+          - "mainnet-prod"
 
 jobs:
   deploy-contracts:
-    name: Deploy contracts on testnet
+    name: Deploy contracts on ${{ github.event.inputs.environment }}
     runs-on: [self-hosted, Linux, X64, medium]
     steps:
       - name: GIT | Checkout
@@ -34,12 +44,27 @@ jobs:
       - name: Install deps
         run: make deps
 
+      # for "testnet-dev" we use default owner address, as it's not important
+      - name: Set environment-specific variables
+        run: |
+          if [ "${{ github.event.inputs.environment }}" == "testnet-dev" ]; then
+            echo "PRIVATE_KEY=${{ secrets.CI_TESTNET_DEPLOYER_PRIVATE_KEY }}" >> $GITHUB_ENV
+          elif [ "${{ github.event.inputs.environment }}" == "testnet-stage" ]; then
+            echo "OWNER_ADDRESS=${{ vars.CI_TESTNET_STAGE_OWNER_ADDRESS }}" >> $GITHUB_ENV
+            echo "PRIVATE_KEY=${{ secrets.CI_TESTNET_DEPLOYER_PRIVATE_KEY }}" >> $GITHUB_ENV
+          elif [ "${{ github.event.inputs.environment }}" == "mainnet-prod" ]; then
+            echo "OWNER_ADDRESS=${{ vars.MAINNET_PROD_OWNER_ADDRESS }}" >> $GITHUB_ENV
+            echo "PRIVATE_KEY=${{ secrets.CI_MAINNET_DEPLOYER_PRIVATE_KEY }}" >> $GITHUB_ENV
+          else
+            echo "Invalid environment selected!" >&2
+            exit 1
+          fi
+
       - name: Compile eth contracts
         run: make compile-contracts
 
       - name: Deploy contracts
         run: |
-          PRIVATE_KEY=${{ secrets.CI_TESTNET_DEPLOYER_PRIVATE_KEY }} \
           NETWORK=https://rpc.alephzero-testnet.gelato.digital \
           make deploy-contracts
 
@@ -85,6 +110,19 @@ jobs:
 
           cat contract_spec_with_block_numbers.json
 
+      - name: Determine address to store
+        run: |
+          if [ "${{ github.event.inputs.environment }}" == "testnet-dev" ]; then
+            echo "ADDRESSES_S3_PATH=testnet/dev.json" >> $GITHUB_ENV
+          elif [ "${{ github.event.inputs.environment }}" == "testnet-stage" ]; then
+            echo "ADDRESSES_S3_PATH=testnet/stage.json" >> $GITHUB_ENV
+          elif [ "${{ github.event.inputs.environment }}" == "mainnet-prod" ]; then
+            echo "ADDRESSES_S3_PATH=mainnet/prod.json" >> $GITHUB_ENV
+          else
+            echo "Invalid environment selected!" >&2
+            exit 1
+          fi
+
       # yamllint disable rule:line-length
       - name: Store addresses in S3 bucket
         shell: bash
@@ -93,7 +131,8 @@ jobs:
           AWS_SECRET_ACCESS_KEY: ${{ secrets.CONTRACTS_ZKOS_ADDRESSES_TESTNET_DEV_RW_AWS_SECRET_ACCESS_KEY }}
           AWS_REGION: ${{ secrets.CONTRACTS_S3BUCKET_REGION }}
         run: |
-          aws s3 cp contract_spec_with_block_numbers.json s3://${{ secrets.CONTRACTS_S3BUCKET_NAME }}/zkos/addresses/testnet/l2_dev.json
+          aws s3 cp contract_spec_with_block_numbers.json s3://${{ secrets.CONTRACTS_S3BUCKET_NAME }}/zkos/addresses/${{ env.ADDRESSES_S3_PATH }}
+          aws s3 cp broadcast/Shielder.s.sol/**/run-latest.json s3://${{ secrets.CONTRACTS_S3BUCKET_NAME }}/zkos/addresses/${{ env.ADDRESSES_S3_PATH }}
 
       - name: Store artifact in S3 bucket
         shell: bash

Makefile

@@ -1,5 +1,6 @@
 NETWORK ?= anvil
 PRIVATE_KEY ?= 0xb6b15c8cb491557369f3c7d2c287b053eb229daa9c22138887752191c9520659 # pkey of the dev account `0x3f1Eae7D46d88F08fc2F8ed27FCb2AB183EB2d0E` prefunded with ETH on all networks
+OWNER_ADDRESS ?= $(shell cast wallet address $(PRIVATE_KEY))
 
 .PHONY: help
 help: # Show help for each of the Makefile recipes.
@@ -50,9 +51,9 @@ deploy-contracts: # Deploy solidity contracts
 deploy-contracts:
 ifeq ($(NETWORK),anvil)
 	$(eval PRIVATE_KEY=0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80) \
-	PRIVATE_KEY=$(PRIVATE_KEY) forge script DeployShielderScript --broadcast --rpc-url anvil --sender $(shell cast wallet address $(PRIVATE_KEY))
+	PRIVATE_KEY=$(PRIVATE_KEY) OWNER_ADDRESS=$(OWNER_ADDRESS) forge script DeployShielderScript --broadcast --rpc-url anvil --sender $(shell cast wallet address $(PRIVATE_KEY))
 else
-	PRIVATE_KEY=$(PRIVATE_KEY) forge script DeployShielderScript --broadcast --rpc-url $(NETWORK) --sender $(shell cast wallet address $(PRIVATE_KEY))
+	PRIVATE_KEY=$(PRIVATE_KEY) OWNER_ADDRESS=$(OWNER_ADDRESS) forge script DeployShielderScript --broadcast --rpc-url $(NETWORK) --sender $(shell cast wallet address $(PRIVATE_KEY))
 endif
 
 .PHONY: generate-poseidon-contracts

scripts/Shielder.s.sol

@@ -12,8 +12,9 @@ contract DeployShielderScript is Script {
     function run() external {
         uint256 privateKey = vm.envUint("PRIVATE_KEY");
 
-        address owner = vm.addr(privateKey);
-        console2.log("Using", owner, "as broadcaster");
+        address owner = vm.envAddress("OWNER_ADDRESS");
+        address broadcaster = vm.addr(privateKey);
+        console2.log("Using", broadcaster, "as broadcaster");
 
         vm.startBroadcast(privateKey);
 
@@ -34,7 +35,9 @@ contract DeployShielderScript is Script {
         Shielder shielder = Shielder(proxy);
 
         console2.log("Shielder deployed at:", address(shielder));
-        shielder.unpause();
+        if (owner == broadcaster) {
+            shielder.unpause();
+        }
 
         vm.stopBroadcast();
     }

tooling-e2e-tests/utils.sh

@@ -59,7 +59,9 @@ mtzero() {
 ####################################################################################################
 deploy_contracts() {
   SHIELDER_CONTRACT_ADDRESS=$(
-    PRIVATE_KEY="${DEPLOYER_PRIVATE_KEY}" forge script DeployShielderScript \
+    PRIVATE_KEY="${DEPLOYER_PRIVATE_KEY}" \
+    OWNER_ADDRESS="$(cast wallet address ${DEPLOYER_PRIVATE_KEY})" \
+    forge script DeployShielderScript \
       --rpc-url "${NODE_RPC_URL}" \
       --broadcast \
       --non-interactive \