CCIP attestation signer registry changesets

Deploy base signer registry changeset

Error improvements

Add initialize changeset

Add changeset for NOP rotation

Add green key changeset

Add promotion changesets

Adjust visibility

WIP test

Add IDL changeset

Add timelock transfer

Cleanup

Add upgrade authority transfer changeset

Add MCMS ownership validation checks

MCMS support

Update with contract changes from audit feedback

Author: PabloMansanet

deployment/ccip/changeset/ccip_attestation/cs_deploy_signer_registry_solana.go

@@ -0,0 +1,209 @@
+package ccip_attestation
+
+import (
+	"archive/zip"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/gagliardetto/solana-go"
+	signer_registry "github.com/smartcontractkit/ccip-base/chains/solana/go_bindings"
+	chainsel "github.com/smartcontractkit/chain-selectors"
+
+	cldf_solana "github.com/smartcontractkit/chainlink-deployments-framework/chain/solana"
+
+	cldf "github.com/smartcontractkit/chainlink-deployments-framework/deployment"
+	"github.com/smartcontractkit/chainlink/deployment"
+	"github.com/smartcontractkit/chainlink/deployment/ccip/shared"
+)
+
+// use this changeset to deploy the base signer registry contract
+var _ cldf.ChangeSet[DeployBaseSignerRegistryContractConfig] = DeployBaseSignerRegistryContractChangeset
+
+// use this changeset to initialize the base signer registry contract and set an initial owner
+var _ cldf.ChangeSet[InitalizeBaseSignerRegistryContractConfig] = InitializeBaseSignerRegistryContractChangeset
+
+type DeployBaseSignerRegistryContractConfig struct {
+	ChainSelector uint64
+	Version       semver.Version
+	WorkflowRun   string
+	ArtifactId    string
+	IsUpgrade     bool
+}
+
+type InitalizeBaseSignerRegistryContractConfig struct {
+	ChainSelector uint64
+	Owner         solana.PublicKey
+}
+
+func DeployBaseSignerRegistryContractChangeset(e cldf.Environment, c DeployBaseSignerRegistryContractConfig) (cldf.ChangesetOutput, error) {
+	e.Logger.Infow("Deploying base signer registry", "chain_selector", c.ChainSelector)
+	c.Validate(e)
+	chainSel := c.ChainSelector
+	chain := e.BlockChains.SolanaChains()[chainSel]
+
+	newAddresses := cldf.NewMemoryAddressBook()
+	if err := DownloadReleaseArtifactsFromGithubWorkflowRun(context.Background(), c.WorkflowRun, c.ArtifactId, chain.ProgramsPath); err != nil {
+		return cldf.ChangesetOutput{}, fmt.Errorf("failed to download release artifacts: %w", err)
+	}
+	_, err := deployBaseSignerRegistryContract(e, chain, newAddresses, c)
+	if err != nil {
+		return cldf.ChangesetOutput{}, fmt.Errorf("failed to deploy base signer registry contract: %w", err)
+	}
+
+	return cldf.ChangesetOutput{
+		AddressBook: newAddresses,
+	}, nil
+}
+
+func InitializeBaseSignerRegistryContractChangeset(e cldf.Environment, c InitalizeBaseSignerRegistryContractConfig) (cldf.ChangesetOutput, error) {
+	e.Logger.Infow("Initializing base signer registry", "chain_selector", c.ChainSelector)
+	c.Validate(e)
+	chainSel := c.ChainSelector
+	chain := e.BlockChains.SolanaChains()[chainSel]
+	authority := chain.DeployerKey.PublicKey()
+
+	configPda, _, _ := solana.FindProgramAddress([][]byte{[]byte("config")}, signer_registry.ProgramID)
+	signersPda, _, _ := solana.FindProgramAddress([][]byte{[]byte("signers")}, signer_registry.ProgramID)
+	eventAuthorityPda, _, _ := solana.FindProgramAddress([][]byte{[]byte("__event_authority")}, signer_registry.ProgramID)
+	ix, err := signer_registry.NewInitializeInstruction(authority, solana.SystemProgramID, configPda, signersPda, eventAuthorityPda, signer_registry.ProgramID)
+	if err != nil {
+		return cldf.ChangesetOutput{}, fmt.Errorf("Failed to initialize base signer registry contract: %w", err)
+	}
+
+	if err := chain.Confirm([]solana.Instruction{ix}); err != nil {
+		return cldf.ChangesetOutput{}, fmt.Errorf("Failed to initialize base signer registry contract: %w", err)
+	}
+
+	return cldf.ChangesetOutput{}, nil
+}
+
+func deployBaseSignerRegistryContract(e cldf.Environment, chain cldf_solana.Chain, ab cldf.AddressBook, config DeployBaseSignerRegistryContractConfig,
+) (solana.PublicKey, error) {
+	contractType := shared.BaseSignerRegistry
+	programName := deployment.BaseSignerRegistryProgramName
+
+	programID, err := chain.DeployProgram(e.Logger, cldf_solana.ProgramInfo{
+		Name:  programName,
+		Bytes: deployment.SolanaProgramBytes[programName],
+	}, config.IsUpgrade, true)
+
+	if err != nil {
+		return solana.PublicKey{}, fmt.Errorf("failed to deploy program: %w", err)
+	}
+	address := solana.MustPublicKeyFromBase58(programID)
+
+	e.Logger.Infow("Deployed program", "Program", contractType, "addr", programID, "chain", chain.String())
+	tv := cldf.NewTypeAndVersion(contractType, config.Version)
+	err = ab.Save(chain.Selector, programID, tv)
+	if err != nil {
+		return solana.PublicKey{}, fmt.Errorf("failed to save address: %w", err)
+	}
+
+	return address, nil
+
+}
+
+func (c DeployBaseSignerRegistryContractConfig) Validate(e cldf.Environment) error {
+	if err := cldf.IsValidChainSelector(c.ChainSelector); err != nil {
+		return fmt.Errorf("invalid chain selector: %d - %w", c.ChainSelector, err)
+	}
+	family, _ := chainsel.GetSelectorFamily(c.ChainSelector)
+	if family != chainsel.FamilySolana {
+		return fmt.Errorf("chain %d is not a solana chain", c.ChainSelector)
+	}
+
+	return nil
+}
+
+func (c InitalizeBaseSignerRegistryContractConfig) Validate(e cldf.Environment) error {
+	if err := cldf.IsValidChainSelector(c.ChainSelector); err != nil {
+		return fmt.Errorf("invalid chain selector: %d - %w", c.ChainSelector, err)
+	}
+	family, _ := chainsel.GetSelectorFamily(c.ChainSelector)
+	if family != chainsel.FamilySolana {
+		return fmt.Errorf("chain %d is not a solana chain", c.ChainSelector)
+	}
+
+	return nil
+}
+
+func DownloadReleaseArtifactsFromGithubWorkflowRun(
+	ctx context.Context,
+	run string,
+	artifactId string,
+	targetPath string,
+) error {
+	url := fmt.Sprintf(
+		"https://github.com/smartcontractkit/ccip-base/actions/runs/%s/artifacts/%s",
+		run,
+		artifactId,
+	)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to download release asset: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("failed to download release asset: HTTP %d", resp.StatusCode)
+	}
+
+	// Read the entire zip file into memory
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	zipReader, err := zip.NewReader(bytes.NewReader(body), int64(len(body)))
+	if err != nil {
+		return fmt.Errorf("failed to create zip reader: %w", err)
+	}
+
+	// Extract each file from the zip archive
+	for _, file := range zipReader.File {
+		targetPath := filepath.Join(targetPath, file.Name)
+
+		if file.FileInfo().IsDir() {
+			if err := os.MkdirAll(targetPath, file.Mode()); err != nil {
+				return fmt.Errorf("failed to create directory %s: %w", targetPath, err)
+			}
+			continue
+		}
+
+		if err := os.MkdirAll(filepath.Dir(targetPath), 0755); err != nil {
+			return fmt.Errorf("failed to create parent directory for %s: %w", targetPath, err)
+		}
+
+		fileReader, err := file.Open()
+		if err != nil {
+			return fmt.Errorf("failed to open file in zip %s: %w", file.Name, err)
+		}
+		defer fileReader.Close()
+
+		targetFile, err := os.OpenFile(targetPath, os.O_CREATE|os.O_RDWR|os.O_TRUNC, file.Mode())
+		if err != nil {
+			return fmt.Errorf("failed to create file %s: %w", targetPath, err)
+		}
+
+		if _, err := io.Copy(targetFile, fileReader); err != nil {
+			targetFile.Close()
+			return fmt.Errorf("failed to write file %s: %w", targetPath, err)
+		}
+
+	}
+
+	return nil
+}

deployment/ccip/changeset/ccip_attestation/cs_deploy_signer_registry_solana_test.go

@@ -0,0 +1,62 @@
+package ccip_attestation_test
+
+import (
+	"context"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/gagliardetto/solana-go"
+	signerRegistry "github.com/smartcontractkit/ccip-base/chains/solana/go_bindings"
+	ccip_attestation "github.com/smartcontractkit/chainlink/deployment/ccip/changeset/ccip_attestation"
+	"github.com/smartcontractkit/chainlink/deployment/environment/memory"
+	"github.com/smartcontractkit/chainlink/v2/core/logger"
+	"go.uber.org/zap/zapcore"
+
+	chain_selectors "github.com/smartcontractkit/chain-selectors"
+	cldf_chain "github.com/smartcontractkit/chainlink-deployments-framework/chain"
+	cldf "github.com/smartcontractkit/chainlink-deployments-framework/deployment"
+	commonchangeset "github.com/smartcontractkit/chainlink/deployment/common/changeset"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSignerRegistryInitialization(t *testing.T) {
+	t.Parallel()
+	lggr := logger.TestLogger(t)
+	// We download the artifacts before spinning out the environment so the program can be preloaded.
+	_, currentFile, _, _ := runtime.Caller(0)
+	rootDir := filepath.Dir(filepath.Dir(filepath.Dir(currentFile)))
+	targetPath := filepath.Join(rootDir, "ccip/changeset/internal", "solana_contracts")
+	// Replace with the desired run to test
+	ccip_attestation.DownloadReleaseArtifactsFromGithubWorkflowRun(context.Background(), "17459947443", "3925592769", targetPath)
+
+	e := memory.NewMemoryEnvironment(t, lggr, zapcore.InfoLevel, memory.MemoryEnvironmentConfig{
+		SolChains: 1,
+	})
+	solChain1 := e.BlockChains.ListChainSelectors(cldf_chain.WithFamily(chain_selectors.FamilySolana))[0]
+
+	owner, err := solana.NewRandomPrivateKey()
+	require.NoError(t, err)
+
+	e, err = commonchangeset.Apply(t, e,
+		commonchangeset.Configure(
+			// deployer creates token
+			cldf.CreateLegacyChangeSet(ccip_attestation.InitializeBaseSignerRegistryContractChangeset),
+			ccip_attestation.InitalizeBaseSignerRegistryContractConfig{
+				ChainSelector: solChain1,
+				Owner:         owner.PublicKey(),
+			},
+		),
+	)
+	require.NoError(t, err)
+
+	programId := solana.MustPublicKeyFromBase58(memory.SolanaProgramIDs["ccip_signer_registry"])
+	configPda, _, _ := solana.FindProgramAddress([][]byte{[]byte("config")}, programId)
+
+	var configAccount signerRegistry.Config
+	chain := e.BlockChains.SolanaChains()[solChain1]
+	err = chain.GetAccountDataBorshInto(context.Background(), configPda, &configAccount)
+	require.NoError(t, err)
+
+	require.Equal(t, owner.PublicKey(), configAccount.Owner, "owner not set correctly in config PDA")
+}

deployment/ccip/changeset/ccip_attestation/cs_idl.go

@@ -0,0 +1,105 @@
+package ccip_attestation
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"path/filepath"
+
+	signer_registry "github.com/smartcontractkit/ccip-base/chains/solana/go_bindings"
+	chainsel "github.com/smartcontractkit/chain-selectors"
+
+	cldf_solana "github.com/smartcontractkit/chainlink-deployments-framework/chain/solana"
+
+	cldf "github.com/smartcontractkit/chainlink-deployments-framework/deployment"
+
+	"github.com/smartcontractkit/chainlink/deployment"
+	cs_solana "github.com/smartcontractkit/chainlink/deployment/ccip/changeset/solana_v0_1_1"
+)
+
+// use this changeset to upload the IDL for the attestation program
+var _ cldf.ChangeSet[BaseIDLConfig] = BaseUploadIDLChangeset
+
+// use this changeset to set the authority for the IDL of the attestation program (timelock)
+var _ cldf.ChangeSet[BaseIDLConfig] = BaseSetAuthorityIDLChangeset
+
+const IdlIxTag uint64 = 0x0a69e9a778bcf440
+
+type BaseIDLConfig struct {
+	ChainSelector uint64
+	WorkflowRun   string
+	ArtifactId    string
+}
+
+// resolve artifacts based on workflow run and write anchor.toml file to simulate anchor workspace
+func repoSetup(e cldf.Environment, chain cldf_solana.Chain, run string, artifactId string) error {
+	e.Logger.Debug("Downloading artifacts from workflow run...")
+	err := DownloadReleaseArtifactsFromGithubWorkflowRun(context.Background(), run, artifactId, chain.ProgramsPath)
+	if err != nil {
+		return fmt.Errorf("error downloading program artifacts: %w", err)
+	}
+
+	// get anchor version
+	output, err := cs_solana.RunCommand("anchor", []string{"--version"}, ".")
+	if err != nil {
+		return errors.New("anchor-cli not installed in path")
+	}
+	e.Logger.Debugw("Anchor version command output", "output", output)
+	anchorVersion, err := cs_solana.ParseAnchorVersion(output)
+	if err != nil {
+		return fmt.Errorf("error parsing anchor version: %w", err)
+	}
+	// create Anchor.toml
+	// this creates anchor workspace with cluster and wallet configured
+	if err := cs_solana.WriteAnchorToml(e, filepath.Join(chain.ProgramsPath, "Anchor.toml"), anchorVersion, chain.URL, chain.KeypairPath); err != nil {
+		return fmt.Errorf("error writing Anchor.toml: %w", err)
+	}
+
+	return nil
+}
+
+func (c BaseIDLConfig) Validate(e cldf.Environment) error {
+	if err := cldf.IsValidChainSelector(c.ChainSelector); err != nil {
+		return fmt.Errorf("invalid chain selector: %d - %w", c.ChainSelector, err)
+	}
+	family, _ := chainsel.GetSelectorFamily(c.ChainSelector)
+	if family != chainsel.FamilySolana {
+		return fmt.Errorf("chain %d is not a solana chain", c.ChainSelector)
+	}
+	return nil
+}
+
+func BaseUploadIDLChangeset(e cldf.Environment, c BaseIDLConfig) (cldf.ChangesetOutput, error) {
+	if err := c.Validate(e); err != nil {
+		return cldf.ChangesetOutput{}, fmt.Errorf("error validating idl config: %w", err)
+	}
+	chain := e.BlockChains.SolanaChains()[c.ChainSelector]
+	if err := repoSetup(e, chain, c.WorkflowRun, c.ArtifactId); err != nil {
+		return cldf.ChangesetOutput{}, fmt.Errorf("error setting up repo: %w", err)
+	}
+
+	err := cs_solana.IdlInit(e, chain.ProgramsPath, signer_registry.ProgramID.String(), deployment.BaseSignerRegistryProgramName)
+	if err != nil {
+		return cldf.ChangesetOutput{}, err
+	}
+	return cldf.ChangesetOutput{}, nil
+}
+
+func BaseSetAuthorityIDLChangeset(e cldf.Environment, c BaseIDLConfig) (cldf.ChangesetOutput, error) {
+	if err := c.Validate(e); err != nil {
+		return cldf.ChangesetOutput{}, fmt.Errorf("error validating idl config: %w", err)
+	}
+	chain := e.BlockChains.SolanaChains()[c.ChainSelector]
+
+	timelockSignerPDA, err := cs_solana.FetchTimelockSigner(e, c.ChainSelector)
+	if err != nil {
+		return cldf.ChangesetOutput{}, fmt.Errorf("error loading timelockSignerPDA: %w", err)
+	}
+
+	err = cs_solana.SetAuthorityIDLByCLI(e, timelockSignerPDA.String(), chain.ProgramsPath, signer_registry.ProgramID.String(), deployment.BaseSignerRegistryProgramName, "")
+	if err != nil {
+		return cldf.ChangesetOutput{}, err
+	}
+
+	return cldf.ChangesetOutput{}, nil
+}