Add Cannon

.github/workflows/test.yml

@@ -5,9 +5,6 @@ on:
     branches: [main]
   pull_request:
 
-env:
-  FOUNDRY_PROFILE: ci
-
 jobs:
   check:
     strategy:
@@ -23,7 +20,7 @@ jobs:
       - name: Install Foundry
         uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
         with:
-          version: nightly
+          version: v1.5.1
 
       - name: Run Forge build
         run: |

cannonfile.toml

@@ -0,0 +1,34 @@
+#:schema https://raw.githubusercontent.com/usecannon/cannon/refs/heads/dev/packages/lsp/src/schema.json
+name = "cow-ethflow"
+version = "1.0.3"
+
+# dummy token for test network only
+[import.dummyToken]
+source = "mintable-token:2.0"
+chainId = 13370
+
+[import.cow]
+source = "cow-settlement:2.0.2"
+
+[var.main]
+cowSettlement = "<%= cow.Settlement.address %>"
+
+# WARNING: Make sure you override the wrappedNativeToken with the corresponding native token contract address in the network.
+# The deployment of CoWSwapEthFlow needs to happen in nonce 0, so there's only one possible attempt.
+wrappedNativeToken = "<%= dummyToken.Token.address %>"
+
+deployerAccount = "0x18AA26D5e4A18ef6E49c509D52a4f7d60242b10D"
+
+[deploy.EthFlow]
+artifact = "CoWSwapEthFlow"
+
+# EthFlow is one of the few CoW protocol contracts that doesn't use create2 because the `wrappedNativeToken`
+# so to achieve the same address, we use the same deployment key at nonce 0, resulting in the same address
+# no matter the initcode
+from = "<%= settings.deployerAccount %>"
+nonce = 0
+
+args = ["<%= settings.cowSettlement %>", "<%= settings.wrappedNativeToken %>"]
+
+# Prevent the contract from failing to deploy due to gas limit issues
+overrides.gasLimit = "2000000"

package.json

@@ -1,14 +1,19 @@
 {
   "license": "LGPL-3.0-or-later",
   "devDependencies": {
+    "@usecannon/cli": "2.26.0-alpha.0",
     "prettier": "^2.7.1",
     "prettier-plugin-solidity": "^1.0.0-beta.24",
     "solhint": "^3.3.7",
     "solhint-plugin-prettier": "^0.0.5"
   },
   "scripts": {
     "fmt": "prettier 'src/**/*.sol' -w && prettier 'test/**/*.sol' -w && prettier 'script/**/*.sol' -w",
-    "lint": "solhint 'src/**/*.sol' 'test/**/*.sol' 'script/**/*.sol'"
+    "lint": "solhint 'src/**/*.sol' 'test/**/*.sol' 'script/**/*.sol'",
+    "build": "yarn build:cannon",
+    "build:cannon": "yarn cannon build --wipe",
+    "cannon:publish": "yarn cannon publish cow-ethflow --chain-id 13370 --registry-chain-id 10 && yarn cannon:record",
+    "cannon:record": "yarn cannon inspect cow-ethflow:latest --chain-id 13370 --out deploy-json > cannon/deploy.json && yarn cannon inspect cow-ethflow:latest --chain-id 13370 --out misc-json > cannon/misc.json"
   },
   "version": "1.5.0"
 }

readme.md

@@ -50,41 +50,54 @@ To manually generate the build artifacts, run:
 forge build -o artifacts
 ```
 
-### Deploy
+## Building a Cannon Package for Deployment
 
-The ETH flow contract has a dedicated deployment script. To simulate a deployment, run:
+This project uses [Cannon](https://usecannon.com/) to generate a deployable artifact for the contracts in this repository. The deployment on live networks does not occur on this repository.
+
+To learn more or browse artifacts for the actual deployed contracts, see [`cowprotocol/deployments` repository](https://github.com/cowprotocol/deployments) or [`cow-omnibus` on Cannon Explorer](https://usecannon.com/packages/cow-omnibus).
+
+### Building the Cannon Package
+
+To build a new Cannon package for the GPv2 Settlement contracts:
 
 ```sh
-forge script script/Deploy.sol --rpc-url "$RPC_URL" -vvvv "$ETHFLOW_OBFUSCATED_PK"
+yarn build:cannon
 ```
 
-You can find a list of supported RPC URLs in `foundry.toml` under `[rpc_endpoints]`.
+This will:
+- Recompile the Solidity contracts as needed
+- Generate a deployment manifest including the solidity input json, default settings, ABIs, as well as predicted deployment addresses.
+- Store the deployment artifacts in the `cannon/` directory
 
-`ETHFLOW_OBFUSCATED_PK` is an obfuscated version of the private key used in the deployment, _not_ a raw private key.
-The purpose of obfuscating the key is making sure the same key isn't used by accident to deploy other contracts, thereby consuming the nonce of the deployer used for deterministic addresses.
-It's not a security mechanism: the key is trivially recovered from the obfuscated version.
+### Publishing the Cannon Package
 
-You can verify a contract you deployed with the deployment script on the block explorer of the current chain with:
+When the contracts should be released to staging or production:
 
-```sh
-export ETHERSCAN_API_KEY=<your Etherscan API key> # Only needed for etherscan-based explorers
-forge script script/Deploy.sol --rpc-url "$RPC_URL" -vvvv --verify "$ETHFLOW_OBFUSCATED_PK"
-```
+1. Double check that the `version` field in `cannonfile.toml` is as expected, and modify as necessary.
 
-To broadcast the deployment onchain and verify it at the same time, append `--broadcast` to the command above.
+2. Follow instructions in [Building the Cannon Package](#Building the Cannon Package) above to ensure the artifacts are up to date.
 
-#### Obfuscate/deobfuscate a private key
+3. Publish the cannon package using an EOA that has permission on the `cow-settlement` package. You will also need 0.0025 ETH + gas on Optimism Mainnet.
 
-For standard deployments on a new chain, there's no need to do this because the standard deployer is already provided with an obfuscated key.
+To publish, execute the publish command:
 
-If you need to generate a new obfuscated key from an actual secret key, you can run the following command:
+```
+yarn cannon:publish
+```
 
-```sh
-PK=<your private key here>
-forge script script/ObfuscateKey.sol "$PK"
+Where `<version>` is the version recorded in the `cannonfile.toml` from earlier, and `13370` is the anvil network created by cannon and used to prepare the packages before publishing. 
+
+You will be prompted for the publishing network (select "Optimism") and for the private key of the account to use to publish.
+
+4. Ensure that you have changes for git in your `cannon/` directory. If not, you may need to run the `cannon:record` command:
+
+```
+yarn cannon:record 
 ```
 
-To recover the actual key from an obfuscated key, you can run the exact same command: obfuscating twice returns the original key.
+5. Bump the patch version of the package as specified in `cannonfile.toml`. This version should be bumped *after* the publish is complete.
+
+Commit all the changes to a PR. A CI job will ensure consistency between the published package and repository files.
 
 ### Code formatting