We <3 contributors!
This document describes guidelines for contributing as well as the process of assuring the security of all contracts. They are meant to make life easier for us, but also to help you understand how stuff gets into the master branch.
Before working with the contracts you need to install all the dependencies. You can do this with
$ yarn install
To compile the contracts just run:
$ yarn run compile
All aspects of the contracts need to be tested. To do this we use truffle and testrpc behind the scenes. Right now we only have tests written in javascript, but in the future we plan on adding tests written in solidity as well.
To execute the tests you simply run:
$ yarn test
If you want to run run a specific test you can just add the filename:
$ yarn test test/testName.js
Start by creating a file called seed containing a 12 word seed and put in in the main folder of this repo. Make sure that the first address generated by this seed has funds on the network you want to deploy on. Contracts can then be deployed by running:
$ yarn run deploy-<network name>
where:
| network name |
|---|
| mainnet |
| rinkeby |
| kovan |
| ropsten |
| infuranet |
| local |
All of the above uses infura to send the deployment transactions, with exeception of local which uses localhost:8545.
Diagrams are made with PlantUML.
Once you have made changes that you want to get into, you need to create a pull request. We follow git flow, so make sure to name your branch in the format of feature/description-of-your-feature or hotfix/description-of-your-fix. Also make sure that your pull request is against the develop branch and not master.
The contracts in this repo are an essential part of the uport ecosystem. Therefore it is very important that they are properly reviewed to minimize the risk of potential bugs and exploits.
A pull request being merged into develop needs to be reviewed by at least two members of the uport team.
A pull request being merged into master needs to be reviewed by a security team that is external to the uport team. These pull request ideally only originate from the develop branch which has been reviewed by the uport team. All contracts that are being merged also needs to be deployed on the relevant networks with the addresses specified in the build/contracts folder.
Right now the networks we want the contracts deployed on are ropsten (testnet) and ethereums mainnet.
Here is a checklist of things to be checked by an external review. Note that this is not an extensive list.
- Review solidity code
- Verify compiled bytecode against deployed bytecode