dappnode / DAppNodeSDK

dappnodesdk is a tool to maintain dappnode packages. It helps to initialize and publish an Aragon Package Manager Repository
GNU General Public License v3.0

Adapt SDK for Automation #273

Open Pol-Lanski opened 1 year ago

Pol-Lanski commented 1 year ago

Is your feature request related to a problem? Please describe.

Our process to push updates to the Smart Contract is inefficient. Right now Carlos tests, merges if it's good and Edu must publish. This has 2 main problems:

  1. Carlos is the only tester
  2. Edu becomes a bottleneck

In order to automate the update process of the packages, we might be able to create a Github Action that automatically signs and publishes the package AFTER a PR is merged AFTER n approvals, where n is the number of necessary testers we determine for the package (often Carlos + another QA)

Unfortunately, the SDK is now not adapted to do anything other than prepare the tx for someone to sign in Metamask. We need to increase its functionality to include automation.

Describe the solution you'd like

I'm not sure what changes need to be done as of now. We need:

  1. Research on the exact flow that the SDK needs to do.
  2. Research on how to mitigate the problem of having Github hacked and SECRETS extracted (private key leak)
  3. Solution proposal
  4. Implementation proposal

Describe alternatives you've considered

We've considered publishing packages with a multisig, but multisigs can't sign packages :/

Additional context

Pol-Lanski commented 1 year ago

I'd like the research to be done by @pablomendezroyo and the implementation by @dsimog01, but @tropicar might have some requirements to be added to my description since he will be ultimately responsible for the Dappstore. @eduadiez might already have some ideas on how to start too.

pablomendezroyo commented 1 year ago

Approach

I suggest the following approach: The Dappnode SDK will include new functionalities for signing and publishing new releases through GitHub Actions.

  1. Create a new gha to be triggered manually. This gha will create a PR with a bump of the dappnode package version with the following specs:
    • Minimum number of approvals
    • PR title: Release v.x.y.z
    • PR description: release signed + release version + ipfs endpoints to populate the new release
  2. On PR merged:
    2.1 Sign release
    2.2 Create and sign the transaction
    2.3 Publish transaction on chain

References

Caveats
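Both the issue description (sign and publish only AFTER a PR is merged AFTER n approvals) and the approach above (a release PR with a minimum number of approvals, then signing on merge) hinge on one gate: deciding whether a merged PR actually carries enough approvals from the designated testers before the automated signing step is allowed to run. The following is an added example of that gate, not DAppNodeSDK code and not part of the proposal in this thread. It assumes the review records are shaped like GitHub's pull-request reviews API (`user.login`, `state`, `submitted_at`); the value of n, the allowlist of testers, the reviewer logins and the timestamps are all constructed for the example.

```python
"""Approval gate for automated release signing (added example, not DAppNodeSDK code)."""
from dataclasses import dataclass
from datetime import datetime

# Assumptions for this example: n and the allowlist of designated testers would
# be per-package settings; these particular values are hypothetical.
REQUIRED_APPROVALS = 2
DESIGNATED_TESTERS = frozenset({"carlos", "qa-alice"})


@dataclass(frozen=True)
class Review:
    login: str
    state: str  # APPROVED, CHANGES_REQUESTED, COMMENTED or DISMISSED
    submitted_at: datetime


def parse_reviews(payload):
    """Turn review records shaped like GitHub's pull-request reviews API
    (user.login, state, submitted_at) into Review objects."""
    return [
        Review(
            login=item["user"]["login"],
            state=item["state"],
            submitted_at=datetime.fromisoformat(item["submitted_at"].replace("Z", "+00:00")),
        )
        for item in payload
    ]


def latest_state_per_reviewer(reviews):
    """Map each reviewer to the state of their most recent decisive review.
    COMMENTED reviews are ignored, so they neither grant nor revoke approval;
    a later CHANGES_REQUESTED or DISMISSED does revoke an earlier APPROVED."""
    latest = {}
    for r in sorted(reviews, key=lambda r: r.submitted_at):
        if r.state != "COMMENTED":
            latest[r.login] = r.state
    return latest


def count_valid_approvals(reviews, pr_author, allowed=DESIGNATED_TESTERS):
    """Approvals that count: latest decisive state is APPROVED, the reviewer is
    a designated tester, and the reviewer is not the PR author (no self-approval)."""
    latest = latest_state_per_reviewer(reviews)
    return sum(
        1 for login, state in latest.items()
        if state == "APPROVED" and login in allowed and login != pr_author
    )


def release_may_be_signed(merged, pr_author, reviews,
                          required=REQUIRED_APPROVALS, allowed=DESIGNATED_TESTERS):
    """The gate: the PR is merged, no designated tester still has an outstanding
    change request, and at least `required` valid approvals are present."""
    if not merged:
        return False
    latest = latest_state_per_reviewer(reviews)
    if any(state == "CHANGES_REQUESTED" for login, state in latest.items() if login in allowed):
        return False
    return count_valid_approvals(reviews, pr_author, allowed) >= required


# Constructed sample review records (not real data). dev-bob is the PR author,
# drive-by is not a designated tester, and qa-alice approves, then requests changes.
SAMPLE_REVIEWS = [
    {"user": {"login": "carlos"}, "state": "APPROVED", "submitted_at": "2023-03-01T10:00:00Z"},
    {"user": {"login": "qa-alice"}, "state": "APPROVED", "submitted_at": "2023-03-01T11:00:00Z"},
    {"user": {"login": "qa-alice"}, "state": "CHANGES_REQUESTED", "submitted_at": "2023-03-01T12:00:00Z"},
    {"user": {"login": "drive-by"}, "state": "APPROVED", "submitted_at": "2023-03-01T12:30:00Z"},
    {"user": {"login": "dev-bob"}, "state": "APPROVED", "submitted_at": "2023-03-01T13:00:00Z"},
]
# After the requested fix, qa-alice approves again.
SAMPLE_REVIEWS_REAPPROVED = SAMPLE_REVIEWS + [
    {"user": {"login": "qa-alice"}, "state": "APPROVED", "submitted_at": "2023-03-02T09:00:00Z"},
]

if __name__ == "__main__":
    for label, payload in (("initial", SAMPLE_REVIEWS), ("re-approved", SAMPLE_REVIEWS_REAPPROVED)):
        ok = release_may_be_signed(True, "dev-bob", parse_reviews(payload))
        print(f"{label}: sign and publish = {ok}")
```

In a workflow this check would run inside the job that is triggered by the merge, before any step that touches the signing key, so that a stale approval, a self-approval, or an approval from outside the tester allowlist never reaches the signing step. Keeping the gate as a pure function over the review list also makes it testable offline, independent of the GitHub Action that calls it.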