add package.json

.github/workflows/run-slither.yaml → .github/workflows/slither-solidity.yaml

@@ -1,6 +1,5 @@
 # ref: https://github.com/crytic/slither-action#how-to-use-1
-# A copy-paste Github Actions config to run Slither and report the artifact to DeepSource
-name: Slither Analysis
+name: Slither Analysis for Solidity
 
 on:
   # Note that both `push` and `pull_request` triggers should be present for GitHub to consistently present slither

.github/workflows/slither-vyper.yaml

@@ -0,0 +1,51 @@
+# ref: https://github.com/crytic/slither-action#how-to-use-1
+name: Slither Analysis for Vyper
+
+on:
+  # Note that both `push` and `pull_request` triggers should be present for GitHub to consistently present slither
+  # SARIF reports.
+  push:
+    branches: [main, master]
+  pull_request:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    env:
+      DEEPSOURCE_DSN: ${{ secrets.DEEPSOURCE_DSN }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Run Slither
+        uses: crytic/[email protected]
+        id: slither
+        with:
+          slither-version: 0.10.0
+          solc-version: 0.8.21
+          target: "vyper/"
+          # The following makes slither produce scan analysis in SARIF format
+          sarif: ./slither.sarif
+        # The following line prevents aborting the workflow immediately in case your files fail Slither checks.
+        # This allows the following upload-sarif action to still upload the results.
+        continue-on-error: true
+
+      - name: Upload SARIF report files to DeepSource
+        id: upload-sarif
+        run: |
+          # Install the CLI
+          curl https://deepsource.io/cli | sh
+
+          # Send the report to DeepSource
+          ./bin/deepsource report --analyzer slither --analyzer-type community --value-file ${{ steps.slither.outputs.sarif }}
+
+      # Ensure the workflow eventually fails if files did not pass slither checks.
+      - name: Verify slither-action succeeded
+        shell: bash
+        run: |
+          echo "If this step fails, slither found issues. Check the output of the scan step above."
+          [[ "${{ steps.slither.outcome }}" == "success" ]]

.github/workflows/run-solhint.yaml → .github/workflows/solhint.yaml

@@ -1,5 +1,5 @@
 # A Github Actions config to run Solhint and report the artifact to DeepSource
-name: Solhint Analysis
+name: Solhint Analysis for Solidity
 
 on:
   # Note that both `push` and `pull_request` triggers should be present for GitHub to consistently present solhint
@@ -21,15 +21,21 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - uses: actions/setup-node@v4 (Install deps and solhint)
+      - uses: actions/setup-node@v4
         with:
           node-version: "16"
           cache: npm
+          cache-dependency-path: "solidity/package-lock.json"
+
+      - name: Install solhint
+        run: |
+          npm install solhint@^4.1.1
 
       - name: Run solhint
         id: solhint
         run: |
-          npx solhint 'solidity/*.sol' -f sarif > solhint.sarif
+          cd solidity
+          npx solhint '*.sol' -f sarif > solhint.sarif
         # The following line prevents aborting the workflow immediately in case your files fail solhint checks.
         # This allows the following upload-sarif action to still upload the results.
         continue-on-error: true

solidity/package.json

@@ -1,5 +1,5 @@
 {
   "devDependencies": {
-    "solhint": "solhint@^4.1.1"
+    "solhint": "^4.1.1"
   }
 }

vyper/requirements.txt

@@ -0,0 +1 @@
+vyper