Add CI job for verifier factory contracts

.github/workflows/ci.yml

@@ -50,6 +50,12 @@ jobs:
           version: v1.4.4
       - name: Load secrets
         run: python3 script/deploy/load_secrets.py
+      - name: Mask secrets
+        run: |
+          while IFS='=' read -r key value; do
+            [[ -z "$key" || "$key" == \#* || -z "$value" ]] && continue
+            echo "::add-mask::$value"
+          done < .env
       - name: Run fork and spell tests
         run: forge test --match-path "test/integration/{fork,spell}/**/*.sol" -vv
         env:
@@ -216,6 +222,14 @@ jobs:
           CI_MODE: true
         run: |
           script/deploy/setup.sh
+      - name: Load secrets
+        run: python3 script/deploy/load_secrets.py
+      - name: Mask secrets
+        run: |
+          while IFS='=' read -r key value; do
+            [[ -z "$key" || "$key" == \#* || -z "$value" ]] && continue
+            echo "::add-mask::$value"
+          done < .env
       - name: Install dependencies (forge)
         run: |
           forge install -j 0 --shallow --color auto

.github/workflows/verify-factory-contracts.yml

@@ -0,0 +1,83 @@
+name: Verify Factory Contracts
+
+on:
+  workflow_dispatch:
+    inputs:
+      source_version:
+        description: "Git tag of the deployed source code (e.g. v3.1.0). src/ will be checked out from this tag so forge verify-contract uses matching bytecode."
+        required: true
+        default: "v3.1.0"
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: "read"
+    outputs:
+      networks: ${{ steps.list.outputs.networks }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: List networks from env/*.json
+        id: list
+        run: |
+          networks=$(ls env/*.json | xargs -n1 basename | sed 's/.json//' | grep -v anvil | jq -R -s -c 'split("\n") | map(select(length > 0))')
+          echo "networks=$networks" >> "$GITHUB_OUTPUT"
+          echo "Discovered networks: $networks"
+
+  verify:
+    needs: setup
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: "read"
+      id-token: "write"
+    strategy:
+      fail-fast: false
+      max-parallel: 3
+      matrix:
+        network: ${{ fromJson(needs.setup.outputs.networks) }}
+
+    name: "${{ matrix.network }}"
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - name: Checkout src/ from deployed version
+        run: git checkout ${{ inputs.source_version }} -- src/
+
+      - id: "auth"
+        uses: "google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f" # v2.1.7
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WIP }}
+          service_account: ${{ secrets.GCP_SA }}
+          create_credentials_file: true
+          cleanup_credentials: true
+
+      - name: "Set up Cloud SDK"
+        uses: "google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a" # v2.1.2
+        with:
+          version: ">= 363.0.0"
+
+      - name: Load secrets
+        run: python3 script/deploy/load_secrets.py
+
+      - name: Mask secrets
+        run: |
+          while IFS='=' read -r key value; do
+            [[ -z "$key" || "$key" == \#* || -z "$value" ]] && continue
+            echo "::add-mask::$value"
+          done < .env
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+        with:
+          version: v1.4.4
+
+      - name: Verify ${{ matrix.network }}
+        env:
+          NETWORK: ${{ matrix.network }}
+        run: forge script script/VerifyFactoryContracts.s.sol --skip test

env/hyper-evm.json

@@ -305,7 +305,7 @@
   },
   "deploymentInfo": {
     "deploy:protocol": {
-      "gitCommit": "d9db839cc",
+      "gitCommit": "c4dcd1ae",
       "timestamp": "2026-01-28T15:19:10Z",
       "suffix": "",
       "startBlock": 25782262

script/ValidateContractsFromFactories.s.sol → script/VerifyFactoryContracts.s.sol

@@ -31,28 +31,31 @@ struct AddressesToVerify {
 enum VerificationStatus {
     NotDeployed,
     NotVerified,
-    Verified
+    AlreadyVerified,
+    NewlyVerified
 }
 
 struct VerificationResult {
     string name;
     VerificationStatus status;
 }
 
-contract ValidateContractsFromFactories is Script {
+contract VerifyFactoryContracts is Script {
     using stdJson for string;
     using JsonUtils for *;
 
+    error VerificationFailed(uint256 notVerified);
+
     EnvConfig config;
     GraphQLQuery indexer;
 
     constructor() {
         config = Env.load(vm.envString("NETWORK"));
-        indexer = new GraphQLQuery(config.network.graphQLApi());
     }
 
     function run() public {
         vm.createSelectFork(config.network.rpcUrl());
+        indexer = new GraphQLQuery(config.network.graphQLApi());
 
         AddressesToVerify memory addr = _fetchAddresses();
 
@@ -66,7 +69,7 @@ contract ValidateContractsFromFactories is Script {
         results[5] = _verifyContract(addr.onOfframpManager, "OnOfframpManager");
         results[6] = _verifyContract(addr.merkleProofManager, "MerkleProofManager");
 
-        // Log summary
+        // Log summary and revert if any contract failed verification
         _logSummary(results);
     }
 
@@ -82,7 +85,7 @@ contract ValidateContractsFromFactories is Script {
         string memory orderBy =
             string.concat("orderBy: ", "createdAt".asJsonString(), ", orderDirection: ", "desc".asJsonString());
 
-        string memory centrifugeIdValue = vm.toString(config.network.centrifugeId);
+        string memory centrifugeIdValue = vm.toString(config.network.centrifugeId).asJsonString();
 
         // forgefmt: disable-next-item
         string memory json = indexer.queryGraphQL(string.concat(
@@ -128,8 +131,8 @@ contract ValidateContractsFromFactories is Script {
         }
 
         VerificationStatus status = _verificationStatus(contractAddress);
-        if (status == VerificationStatus.Verified) {
-            result.status = VerificationStatus.Verified;
+        if (status == VerificationStatus.AlreadyVerified) {
+            result.status = VerificationStatus.AlreadyVerified;
             return result;
         }
 
@@ -151,12 +154,18 @@ contract ValidateContractsFromFactories is Script {
             " --constructor-args ",
             vm.toString(constructorArgs),
             " --watch",
-            " >/dev/tty 2>&1" //Redirect to terminal directly
+            " 2>&1 || true" // Capture output; exit 0 so ffi doesn't revert
         );
 
-        try vm.ffi(cmd) returns (bytes memory) {
-            result.status = VerificationStatus.Verified;
-        } catch {
+        // Wait before hitting the Etherscan API again via forge verify-contract
+        vm.sleep(400);
+
+        bytes memory output = vm.ffi(cmd);
+        if (_containsSubstring(output, "successfully verified")) {
+            result.status = VerificationStatus.NewlyVerified;
+        } else if (_containsSubstring(output, "already verified")) {
+            result.status = VerificationStatus.AlreadyVerified;
+        } else {
             result.status = VerificationStatus.NotVerified;
         }
     }
@@ -166,6 +175,9 @@ contract ValidateContractsFromFactories is Script {
             return VerificationStatus.NotDeployed;
         }
 
+        // Rate-limit Etherscan API calls to avoid 3/sec limit
+        vm.sleep(400);
+
         string[] memory cmd = new string[](3);
         cmd[0] = "bash";
         cmd[1] = "-c";
@@ -192,7 +204,7 @@ contract ValidateContractsFromFactories is Script {
             return VerificationStatus.NotVerified;
         }
 
-        return VerificationStatus.Verified;
+        return VerificationStatus.AlreadyVerified;
     }
 
     /// @notice Get constructor args by reading from contract storage
@@ -263,6 +275,21 @@ contract ValidateContractsFromFactories is Script {
         return abi.encode(m.poolId(), m.contractUpdater());
     }
 
+    function _containsSubstring(bytes memory data, bytes memory needle) internal pure returns (bool) {
+        if (data.length < needle.length) return false;
+        for (uint256 i = 0; i <= data.length - needle.length; i++) {
+            bool found = true;
+            for (uint256 j = 0; j < needle.length; j++) {
+                if (data[i + j] != needle[j]) {
+                    found = false;
+                    break;
+                }
+            }
+            if (found) return true;
+        }
+        return false;
+    }
+
     // ANSI color codes
     string constant GREEN = "\x1b[32m";
     string constant RED = "\x1b[31m";
@@ -282,7 +309,10 @@ contract ValidateContractsFromFactories is Script {
 
         for (uint256 i = 0; i < results.length; i++) {
             string memory statusStr;
-            if (results[i].status == VerificationStatus.Verified) {
+            if (results[i].status == VerificationStatus.NewlyVerified) {
+                statusStr = string.concat(GREEN, "[OK]", RESET, " Verified (new)");
+                verified++;
+            } else if (results[i].status == VerificationStatus.AlreadyVerified) {
                 statusStr = string.concat(GREEN, "[OK]", RESET, " Verified");
                 verified++;
             } else if (results[i].status == VerificationStatus.NotVerified) {
@@ -303,5 +333,9 @@ contract ValidateContractsFromFactories is Script {
         console.log(string.concat("Not Deployed: ", vm.toString(notDeployed)));
         console.log("----------------------------------------");
         console.log("");
+
+        if (notVerified > 0) {
+            revert VerificationFailed(notVerified);
+        }
     }
 }