This document describes the multi-stage CI/CD pipeline for Nova Launch, designed to ensure code quality, security, and reliable deployments across Testnet and Mainnet environments.
The CI/CD pipeline consists of four main stages:
- Build & Lint Gate - Code quality and compilation checks
- Security Audit - Vulnerability scanning and static analysis
- Testing & Coverage - Comprehensive testing with coverage requirements
- Multi-Stage Deployment - Automated testnet and manual mainnet deployments
- Push Events:
main,developbranches - Pull Requests: Against
main,developbranches - Manual Triggers: Mainnet deployments require manual approval
Purpose: Ensure code quality and successful compilation
Actions:
- Install Rust toolchain with
rustfmtandclippy - Add
wasm32-unknown-unknowntarget - Install Soroban CLI
- Run
cargo fmt --check(fail on formatting issues) - Run
cargo clippywith-D warnings(fail on warnings) - Build contracts for WASM target
- Optimize WASM using Soroban CLI
Failure Conditions:
- Formatting violations
- Clippy warnings
- Compilation errors
- WASM optimization failures
Purpose: Identify security vulnerabilities and code quality issues
Actions:
- Install and run
cargo auditfor dependency vulnerabilities - Static analysis checks:
- Detect
unsafecode blocks - Scan for hardcoded secrets/passwords
- Identify
panic!usage (should useResult<T, Error>)
- Detect
Failure Conditions:
- Known vulnerabilities in dependencies
- Unsafe code without justification
- Hardcoded secrets detected
- Use of
panic!instead of proper error handling
Purpose: Ensure comprehensive testing and maintain code coverage standards
Actions:
- Run
cargo test --all-features - Generate coverage report using
cargo-tarpaulin - Enforce 90% minimum coverage threshold
- Upload coverage reports to Codecov
Failure Conditions:
- Any test failures
- Coverage below 90% threshold
- Coverage report generation failures
Trigger: Push to develop branch
Environment: testnet
Actions:
- Build and optimize contracts
- Configure Soroban for Stellar Testnet
- Deploy using deployment orchestrator
- Verify deployment success
Trigger: Push to main branch + manual approval
Environment: mainnet
Actions:
- Require manual approval from authorized personnel
- Build and optimize contracts
- Configure Soroban for Stellar Mainnet
- Deploy using deployment orchestrator
- Create GitHub release with deployment details
Configure these secrets in GitHub repository settings under Settings > Secrets and variables > Actions.
| Secret Name | Description | Example |
|---|---|---|
TESTNET_NETWORK_PASSPHRASE |
Stellar testnet passphrase | Test SDF Network ; September 2015 |
TESTNET_RPC_URL |
Soroban testnet RPC endpoint | https://soroban-testnet.stellar.org |
TESTNET_ADMIN_SECRET_KEY |
Admin account secret key | SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX |
TESTNET_TREASURY_SECRET_KEY |
Treasury account secret key | SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX |
| Secret Name | Description | Example |
|---|---|---|
MAINNET_NETWORK_PASSPHRASE |
Stellar mainnet passphrase | Public Global Stellar Network ; September 2015 |
MAINNET_RPC_URL |
Soroban mainnet RPC endpoint | https://soroban-mainnet.stellar.org |
MAINNET_ADMIN_SECRET_KEY |
Admin account secret key | SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX |
MAINNET_TREASURY_SECRET_KEY |
Treasury account secret key | SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX |
| Secret Name | Description |
|---|---|
GITHUB_TOKEN |
GitHub token for releases (auto-provided) |
CODECOV_TOKEN |
Codecov upload token (optional) |
Create two environments in Settings > Environments:
-
testnet
- No protection rules (automatic deployment)
- Add testnet-specific secrets
-
mainnet
- Required reviewers: Add authorized personnel
- Deployment branches: Limit to
mainbranch - Add mainnet-specific secrets
- Rust 1.70+ with
wasm32-unknown-unknowntarget - Soroban CLI
- Node.js 18+ (for deployment orchestrator)
Use the provided script to simulate CI environment:
./scripts/ci-check.shThis script will:
- Check code formatting
- Run clippy linting
- Build contracts
- Run security audits
- Execute tests
- Generate coverage reports
- Verify deployment orchestrator setup
# Format code
cargo fmt
# Run clippy
cargo clippy --all-targets --all-features -- -D warnings
# Build contracts
cd contracts/token-factory
cargo build --target wasm32-unknown-unknown --release
# Run tests
cargo test --all-features
# Generate coverage
cargo tarpaulin --all-features --workspace --timeout 120 --out html- Create feature branch from
develop - Implement changes
- Run
./scripts/ci-check.shlocally - Create PR to
develop - Merge PR after approval
- Pipeline automatically deploys to testnet
- Create PR from
developtomain - Ensure all tests pass
- Get code review approval
- Merge to
main - Pipeline triggers with manual approval step
- Authorized personnel approve deployment
- Pipeline deploys to mainnet and creates release
- GitHub Actions: Monitor at
https://github.com/YOUR_ORG/nova-launch/actions - Coverage Reports: View at Codecov dashboard
- Deployment Logs: Check individual job logs for deployment details
- Formatting Issues: Run
cargo fmtlocally - Clippy Warnings: Fix warnings shown in clippy output
- Compilation Errors: Check Rust syntax and dependencies
- Dependency Vulnerabilities: Update dependencies with
cargo update - Unsafe Code: Add justification comments or refactor
- Hardcoded Secrets: Move to environment variables
- Unit Tests: Fix failing test logic
- Coverage: Add tests to reach 90% threshold
- Integration Tests: Check test environment setup
- Network Issues: Verify RPC endpoints are accessible
- Authentication: Check secret key configuration
- Contract Errors: Review contract initialization parameters
- Identify previous working deployment
- Manually deploy previous contract version
- Update frontend configuration if needed
- Create hotfix branch for permanent fix
For critical hotfixes:
- Create emergency branch
- Apply minimal fix
- Deploy manually using deployment orchestrator
- Create post-incident PR to update pipeline
- Secret Management: Never commit secrets to repository
- Access Control: Limit mainnet deployment approvers
- Audit Trail: All deployments are logged and tracked
- Network Isolation: Separate testnet/mainnet environments
- Key Rotation: Regularly rotate deployment keys
- Build Time: Target < 10 minutes for full pipeline
- Test Coverage: Maintain > 90% coverage
- Deployment Frequency: Support multiple daily testnet deployments
- Mean Time to Recovery: < 30 minutes for rollbacks
- Update Rust toolchain monthly
- Review and update dependencies quarterly
- Rotate deployment keys annually
- Review and update security policies
When modifying the pipeline:
- Test changes in feature branch
- Document changes in this file
- Get security team approval for security-related changes
- Deploy during low-traffic periods