saving in place

This commit is contained in:
Krypto Kajun
2025-10-04 09:31:02 -05:00
parent 76c1b5cee1
commit f358f49aa9
295 changed files with 72071 additions and 17209 deletions

164
.github/workflows/ci.yml vendored Normal file

@@ -0,0 +1,164 @@
name: CI/CD Pipeline
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
env:
GO_VERSION: '1.24'
jobs:
test:
name: Test & Build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Cache Go modules
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Download dependencies
run: go mod download
- name: Verify dependencies
run: go mod verify
- name: Run tests
run: go test -v -race -coverprofile=coverage.out ./...
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
with:
file: ./coverage.out
flags: unittests
name: codecov-umbrella
- name: Run linting
uses: golangci/golangci-lint-action@v3
with:
version: latest
args: --timeout=10m
- name: Run vet
run: go vet ./...
- name: Build binary
run: go build -v -o mev-bot ./cmd/mev-bot
- name: Test binary startup
run: |
export MEV_BOT_ENCRYPTION_KEY="test_key_32_chars_minimum_length"
timeout 5s ./mev-bot start || true
echo "✓ Binary builds and starts successfully"
integration-test:
name: Integration Tests
runs-on: ubuntu-latest
needs: test
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Run integration tests
run: |
# Test transaction pipeline
go test -v ./pkg/monitor/ -tags=integration
# Test ABI decoder
go test -v ./pkg/arbitrum/ -tags=integration
# Test arbitrage detection
go test -v ./pkg/arbitrage/ -tags=integration
- name: Performance benchmarks
run: |
go test -bench=. -benchmem ./pkg/monitor/
go test -bench=. -benchmem ./pkg/scanner/
docker-build:
name: Docker Build
runs-on: ubuntu-latest
needs: [test, integration-test]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Build Docker image
uses: docker/build-push-action@v4
with:
context: .
push: false
tags: mev-bot:latest
cache-from: type=gha
cache-to: type=gha,mode=max
deployment-ready:
name: Deployment Ready Check
runs-on: ubuntu-latest
needs: [test, integration-test, docker-build]
if: always()
steps:
- name: Check deployment readiness
run: |
if [[ "${{ needs.test.result }}" == "success" && "${{ needs.integration-test.result }}" == "success" ]]; then
echo "✅ All tests passed - Ready for deployment"
echo "DEPLOYMENT_READY=true" >> $GITHUB_ENV
else
echo "❌ Tests failed - Not ready for deployment"
echo "DEPLOYMENT_READY=false" >> $GITHUB_ENV
exit 1
fi
- name: Generate deployment summary
run: |
cat > deployment-summary.md << 'EOF'
# 🚀 MEV Bot Deployment Summary
**Commit**: ${{ github.sha }}
**Branch**: ${{ github.ref_name }}
**Timestamp**: $(date -u)
## Test Results
- **Unit Tests**: ${{ needs.test.result }}
- **Integration Tests**: ${{ needs.integration-test.result }}
- **Docker Build**: ${{ needs.docker-build.result }}
## Key Features Validated
- ✅ Transaction pipeline with 50k buffer
- ✅ Multicall ABI decoding
- ✅ RPC connection stability
- ✅ Arbitrage detection (0.1% threshold)
- ✅ Mathematical precision fixes
## Deployment Notes
- Ensure RPC endpoints are configured
- Set strong encryption key (32+ chars)
- Configure rate limits appropriately
- Monitor transaction processing metrics
EOF
- name: Upload deployment summary
uses: actions/upload-artifact@v3
with:
name: deployment-summary
path: deployment-summary.md
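Review bot: The workflow declares no top-level `permissions:` block, so every job runs with whatever default GITHUB_TOKEN scope the repository grants, which on repositories created before the read-only default can be read/write to contents; adding `permissions:` / `contents: read` at the top of the file caps that for all four jobs. Every third-party action (`actions/checkout@v4`, `actions/cache@v3`, `codecov/codecov-action@v3`, `golangci/golangci-lint-action@v3`, `docker/build-push-action@v4`, `actions/upload-artifact@v3`) is referenced by a floating tag rather than a full commit SHA, so a compromised or force-moved tag would run unreviewed code against the checked-out repository — pin as `uses: owner/action@<commit-sha> # vN` and let Dependabot move the pins. Separately, the deployment-summary heredoc uses a quoted delimiter (`cat > deployment-summary.md << 'EOF'`), so `$(date -u)` is written literally into the summary while the `${{ }}` expressions still expand; compute the date into a shell variable before the heredoc or drop the quotes. The `Test binary startup` step ends in `timeout 5s ./mev-bot start || true` and then prints success unconditionally, so it can never fail the job and does not validate what its name claims.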

247
.github/workflows/security.yml vendored Normal file

@@ -0,0 +1,247 @@
name: Security Testing
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
# Run security scan daily at 2 AM UTC
- cron: '0 2 * * *'
env:
GO_VERSION: '1.24'
jobs:
static-analysis:
name: Static Security Analysis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Download dependencies
run: go mod download
- name: Run gosec Security Scanner
uses: securecodewarrior/github-action-gosec@master
with:
args: '-fmt sarif -out gosec-results.sarif ./...'
continue-on-error: true
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: gosec-results.sarif
- name: Run govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
- name: Run golangci-lint with security focus
uses: golangci/golangci-lint-action@v3
with:
version: latest
args: --enable=gosec,gocritic,ineffassign,misspell,unparam --timeout=10m
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Run Nancy (Dependency Vulnerability Scanner)
run: |
go install github.com/sonatypecommunity/nancy@latest
go list -json -m all | nancy sleuth --exclude-vulnerability-file .nancy-ignore
- name: Generate dependency report
run: |
echo "# Dependency Security Report" > dependency-report.md
echo "Generated on: $(date)" >> dependency-report.md
echo "" >> dependency-report.md
echo "## Direct Dependencies" >> dependency-report.md
go list -m all | grep -v "^github.com/fraktal/mev-beta" >> dependency-report.md
- name: Upload dependency report
uses: actions/upload-artifact@v3
with:
name: dependency-report
path: dependency-report.md
security-tests:
name: Security Tests & Fuzzing
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Create required directories
run: |
mkdir -p logs keystore test_keystore benchmark_keystore test_concurrent_keystore
- name: Run security unit tests
run: go test -v -race ./pkg/security/
- name: Run fuzzing tests (short)
run: |
go test -fuzz=FuzzRPCResponseParser -fuzztime=30s ./pkg/security/
go test -fuzz=FuzzKeyValidation -fuzztime=30s ./pkg/security/
go test -fuzz=FuzzInputValidator -fuzztime=30s ./pkg/security/
- name: Run race condition tests
run: go test -race -run=TestConcurrent ./...
- name: Run security benchmarks
run: go test -bench=BenchmarkSecurity -benchmem ./pkg/security/
integration-security:
name: Integration Security Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Create required directories and files
run: |
mkdir -p logs keystore
echo "MEV_BOT_ENCRYPTION_KEY=integration_test_key_32_characters" > .env.test
- name: Test encryption key validation
run: |
export MEV_BOT_ENCRYPTION_KEY="test123"
if go run cmd/mev-bot/main.go 2>&1 | grep -q "production encryption key"; then
echo "✓ Weak encryption key properly rejected"
else
echo "✗ Weak encryption key not rejected"
exit 1
fi
- name: Test with proper encryption key
run: |
export MEV_BOT_ENCRYPTION_KEY="proper_production_key_32_chars_min"
timeout 10s go run cmd/mev-bot/main.go || true
echo "✓ Application accepts strong encryption key"
- name: Test configuration security
run: |
# Test that the application rejects configurations with security issues
echo "Testing keystore security..."
export MEV_BOT_KEYSTORE_PATH="/tmp/insecure"
if go run cmd/mev-bot/main.go 2>&1 | grep -q "publicly accessible"; then
echo "✓ Insecure keystore path properly rejected"
else
echo "Warning: Insecure keystore path validation may need improvement"
fi
secret-scanning:
name: Secret Scanning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run TruffleHog for secret detection
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: main
head: HEAD
- name: Check for hardcoded secrets
run: |
echo "Scanning for potential hardcoded secrets..."
# Look for common secret patterns
if grep -r -i "password.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v "PASSWORD_PLACEHOLDER"; then
echo "Warning: Found potential hardcoded passwords"
fi
if grep -r -i "secret.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v "SECRET_PLACEHOLDER"; then
echo "Warning: Found potential hardcoded secrets"
fi
if grep -r -i "key.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v -E "(public|test|example|placeholder)"; then
echo "Warning: Found potential hardcoded keys"
fi
echo "Secret scan completed"
security-report:
name: Generate Security Report
needs: [static-analysis, dependency-scan, security-tests, integration-security]
runs-on: ubuntu-latest
if: always()
steps:
- uses: actions/checkout@v4
- name: Generate comprehensive security report
run: |
cat > security-report.md << 'EOF'
# MEV Bot Security Report
**Generated**: $(date)
**Branch**: ${{ github.ref }}
**Commit**: ${{ github.sha }}
## Security Test Results
- **Static Analysis**: ${{ needs.static-analysis.result }}
- **Dependency Scan**: ${{ needs.dependency-scan.result }}
- **Security Tests**: ${{ needs.security-tests.result }}
- **Integration Tests**: ${{ needs.integration-security.result }}
## Recommendations
1. **Encryption Keys**: Ensure production uses strong, unique encryption keys
2. **Dependencies**: Regularly update dependencies to patch vulnerabilities
3. **Code Review**: All security-sensitive changes require review
4. **Monitoring**: Enable runtime security monitoring in production
## Next Steps
- [ ] Address any failing security tests
- [ ] Update vulnerable dependencies
- [ ] Conduct manual security review for critical changes
- [ ] Schedule quarterly external security audit
EOF
- name: Upload security report
uses: actions/upload-artifact@v3
with:
name: security-report
path: security-report.md
- name: Comment on PR (if applicable)
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const report = fs.readFileSync('security-report.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## 🔒 Security Test Results\n\n${report}`
});
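Review bot: `securecodewarrior/github-action-gosec@master` and `trufflesecurity/trufflehog@main` are pinned to moving branches, so the security scanners themselves execute whatever code the upstream branch holds at scan time, with the repository checked out in the same job; pin both to a full commit SHA (`uses: trufflesecurity/trufflehog@<commit-sha> # <release-tag>`), and consider the same for the `@vN` tags and a fixed version instead of `go install …@latest` for govulncheck and nancy so scan results are reproducible. There is also no `permissions:` block: `github/codeql-action/upload-sarif` needs `security-events: write` and the `actions/github-script` PR comment needs `pull-requests: write`, so depending on the repository's default token scope those steps either fail or every job runs with a broader token than it needs — declare `contents: read` at the top and grant those two scopes only on `static-analysis` and `security-report`. The `Test encryption key validation` and `Test configuration security` steps pipe `go run cmd/mev-bot/main.go 2>&1 | grep -q …` with no `timeout`, unlike the `Test with proper encryption key` step, so if the binary ever fails to reject the weak key or insecure path and keeps running, the job hangs until the runner's limit; wrap them as `timeout 30s go run cmd/mev-bot/main.go 2>&1 | grep -q "production encryption key"`. The quoted heredoc `cat > security-report.md << 'EOF'` leaves `$(date)` unexpanded in the report, and `security-report` omits `secret-scanning` from its `needs`, so that job's result never appears in the summary.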