@fusmanii fusmanii commented Dec 10, 2025

Removing hardhat typechain plugin and generating typechain types using foundry artifacts. Also exposing foundry artifacts that other repos (like sdk) can use instead of hardhat artifacts

Note: foundry and typechain weren't playing nice with deploy scripts having a leading number, so I renamed all deploy scripts

Closes: https://linear.app/uma/issue/ACP-22/export-foundry-artifacts

Signed-off-by: Faisal Usmani <faisal.of.usmani@gmail.com>
socket-security bot commented Dec 10, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action  Severity  Alert
Warn Critical
Critical CVE: npm cipher-base is missing type checks, leading to hash rewind and passing on crafted data

CVE: GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data (CRITICAL)

Affected versions: < 1.0.5

Patched version: 1.0.5

From: npm/cipher-base@1.0.4


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cipher-base@1.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm safer-buffer is 94.0% likely obfuscated

Confidence: 0.94

Location: Package overview

From: npm/safer-buffer@2.1.2


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@fusmanii fusmanii marked this pull request as ready for review December 10, 2025 22:02
@fusmanii fusmanii marked this pull request as draft December 11, 2025 21:09
@fusmanii fusmanii marked this pull request as ready for review December 17, 2025 21:31
@fusmanii fusmanii changed the title chore: Typechain generation with foundry chore: Typechain generation with foundry & export foundry artifacts Jan 13, 2026
@fusmanii

@claude explain the changes this pr is proposing

claude bot commented Jan 13, 2026

Claude finished @fusmanii's task in 1m 50s

PR Changes Explanation

This PR migrates the TypeChain type generation process from Hardhat-based artifacts to Foundry-based artifacts. Here's what's changing:

Key Changes

1. TypeChain Generation Source Migration

Before: TypeChain types were generated using the Hardhat TypeChain plugin (@typechain/hardhat) which automatically generated types from Hardhat compilation artifacts.

After: TypeChain types are now generated manually from Foundry build artifacts using a custom deduplication script.

2. New TypeChain Generation Workflow

The new process involves three steps:

  1. Compile contracts with both Hardhat and Foundry

    • Hardhat compilation: yarn build-evm (produces artifacts in artifacts/)
    • Foundry compilation: forge build (produces artifacts in out/)
  2. Deduplicate Foundry artifacts (scripts/typechainArtifacts.ts)

    • Scans all JSON files in the out/ directory
    • Removes duplicate contract names (keeps first occurrence)
    • Stages unique artifacts to typechain-artifacts/ directory
    • This is necessary because Foundry can produce multiple artifacts for the same contract name
  3. Generate TypeChain types from deduplicated artifacts

    • Runs typechain CLI directly: npx typechain --target ethers-v5 "typechain-artifacts/**/*.json" --out-dir typechain
    • Produces the same TypeChain types but sourced from Foundry artifacts instead of Hardhat

3. Package Changes (package.json)

Removed:

  • @typechain/hardhat package (Hardhat TypeChain plugin)

Changed:

  • generate-evm-artifacts script now uses the new three-step process instead of just running yarn hardhat typechain

4. GitHub Actions Updates (.github/actions/generate-evm-artifacts/action.yml)

The CI workflow now:

  1. Builds with Hardhat (yarn build-evm)
  2. Installs Foundry
  3. Builds with Foundry (forge build)
  4. Runs the deduplication script (npx ts-node scripts/typechainArtifacts.ts)
  5. Generates TypeChain types (npx typechain --target ethers-v5 "typechain-artifacts/**/*.json" --out-dir typechain)

5. Artifact Export (package.json - files field)

The package now exports both Hardhat artifacts (/artifacts/**/*) and Foundry artifacts (/out/**/*), allowing consumer packages (like the SDK) to use Foundry artifacts instead of Hardhat artifacts.

6. .gitignore Updates

Added typechain-artifacts/ to .gitignore since it's a temporary staging directory for the deduplication process.

Why This Change?

Based on the PR description and comments:

  1. Consumer compatibility: Other repos (like the SDK) can now consume Foundry artifacts directly instead of relying on Hardhat artifacts
  2. Build system consolidation: The team appears to be moving toward Foundry as the primary build tool while maintaining Hardhat for compatibility
  3. Flexibility: By decoupling TypeChain generation from Hardhat, the team has more control over which artifacts are used for type generation

Current State & Discussion Points

From the review comments, there's ongoing discussion about:

  • Whether to keep both Hardhat and Foundry typechain generation or fully migrate to Foundry only
  • Testing with consumer repos before merging to ensure compatibility
  • Potentially removing typechain generation from the contracts repo entirely and letting consumers generate their own types

- name: Build EVM
- name: Build Hardhat
shell: bash
run: yarn build-evm
Contributor

2 questions:

  • do we need this step here if we're using foundry exclusively?
  • should we rename build-evm into build-hardhat? Otherwise it's confusing

Contributor Author

Good point, I am not removing this just yet because I don't want to force other repos to migrate. The plan is to still support hardhat artifacts and only remove once all other repos have migrated to foundry

Contributor Author

+1 on build-hardhat

- name: Download EVM artifacts
uses: actions/download-artifact@v4
with:
name: evm-artifacts-${{ runner.os }}-node-${{ env.NODE_VERSION }}
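Review bot: the artifact key `evm-artifacts-${{ runner.os }}-node-${{ env.NODE_VERSION }}` carries no Foundry profile, so a consumer job running under `FOUNDRY_PROFILE=local` downloads artifacts built under the default profile and, as the thread notes, forge recompiles anyway because settings such as `strip_strings` differ between the two profiles. Suggest producing the uploaded artifacts with the same profile the downloading jobs use and appending that profile to the artifact name, so a profile mismatch cannot go unnoticed.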
Contributor

Why did we not need this before? Is this just an optimization to not recompile?
Won't a different foundry profile force a recompile anyway (local)? Esp. after Taylor's changes, where we change a strip_strings setting between local and default

Contributor Author

Yeah, my thinking was that this would re-use artifacts, but you are right, tests are run using a different profile. I think I can generate the artifacts in the same manner (with FOUNDRY_PROFILE=local); then they can be reused

"PermissionedMulticallHandler": {
"address": "0x64a43393866dba0044879979faa7ad3d000622e9",
"block_number": 24021499,
"transaction_hash": "0x70b3edf99db66aac34338c3686cd708ddfc2b503c2f707f51ced67dc50e5022f"
Contributor

Why are these changing? I see, this is just reshuffling? Is our generation deterministic? If so, let's just update master with it, wdyt? To remove these changes

Contributor Author

Typechain doesn't like deploy scripts having a leading number so I removed them which caused reshuffling. Yeah I can update master

"address": "0x039d62c549f27ead0eb9b567d8776289e5020583",
"block_number": 21416410,
"transaction_hash": "0x9c7604f9254450f13b0941008f5272f68ec58db61f32e5ee6713e72b4b56de0b"
"transaction_hash": "0x6875ef9c89d6855fb5019ce5d20f1466ecdced640b3be009fe6de82932469664"
Contributor

@grasphoper grasphoper Jan 15, 2026
The reason will be displayed to describe this comment to others. Learn more.

Related to https://github.com/across-protocol/contracts/pull/1215/changes#r2693003352, but it seems like DonationBox address actually changed here?

0x3d589d40312bf2d20f13cd0af26a11144a9ca844 -> 0x039d62c549f27ead0eb9b567d8776289e5020583

Contributor Author

yeah might be some local changes I had, going to revert this

const { subtask } = require("hardhat/config");
const { TASK_COMPILE_SOLIDITY_GET_SOURCE_PATHS } = require("hardhat/builtin-tasks/task-names");

const isTest = process.env.IS_TEST === "true" || process.env.CI === "true";
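Review bot: `isTest` is true whenever `CI === "true"`, so every CI workflow, including the one that generates the exported artifacts, takes the test branch of the source-path override registered through TASK_COMPILE_SOLIDITY_GET_SOURCE_PATHS; that is exactly how artifacts consumers expect end up missing from the package. Suggest gating on an explicit `IS_TEST` only (or a variable the generate-evm-artifacts action is guaranteed never to set), so a CI artifact build and a test build stay distinguishable.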
Contributor

I remember there was a problem with defining isTest like this. It means that we don't export certain artifacts for consumers. With this PR we're moving to ONLY exporting foundry artifacts, so this is OK?

Contributor Author

The issue was with hardhat and typechain, but since we are moving away from hardhat we no longer need this. But I will add this back and remove it in a future PR once everything is migrated

Contributor

One thing I worry about here is the custom dedupe logic we're using here. Is there analogous logic in hardhat that we can use as reference?

On the other hand, even if the dedupe doesn't 100% work as expected, what's our biggest risk?
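As an added example (not the PR's scripts/typechainArtifacts.ts and not the project's code), here is a version of the dedupe step described in the summary above that also addresses the risk asked about in this comment: rather than silently keeping the first artifact per contract name, it sorts paths for a deterministic pick, drops only duplicates whose ABIs are identical, and reports name collisions whose ABIs differ, which is the case that would quietly hand consumers the wrong types. The artifact shape (a path plus an abi field) and the sample paths are assumptions.

```typescript
// Added example, not the PR's scripts/typechainArtifacts.ts: dedupe Foundry out/
// artifacts by contract name and report, rather than silently resolve, name
// collisions whose ABIs differ.
interface FoundryArtifact { path: string; abi: unknown[] }
interface DedupeResult {
  kept: Map<string, FoundryArtifact>;  // contract name -> artifact to stage
  dropped: string[];                   // exact duplicates that were skipped
  conflicts: Map<string, string[]>;    // name -> paths whose ABIs differ
}

// Foundry writes out/<Source>.sol/<Contract>.json, so the basename is the name.
function contractName(path: string): string {
  return (path.split("/").pop() ?? path).replace(/\.json$/, "");
}

// Key-sorted JSON so field order or formatting cannot create false conflicts.
function stable(v: unknown): string {
  if (Array.isArray(v)) return "[" + v.map(stable).join(",") + "]";
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  const o = v as Record<string, unknown>;
  return "{" + Object.keys(o).sort().map((k) => JSON.stringify(k) + ":" + stable(o[k])).join(",") + "}";
}

function dedupeArtifacts(artifacts: FoundryArtifact[]): DedupeResult {
  const kept = new Map<string, FoundryArtifact>(), abiOf = new Map<string, string>();
  const dropped: string[] = [], conflicts = new Map<string, string[]>();
  // Code-point sort on path so "first occurrence" does not depend on walk order.
  const sorted = [...artifacts].sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
  for (const art of sorted) {
    const name = contractName(art.path), abi = stable(art.abi), seen = abiOf.get(name);
    if (seen === undefined) { kept.set(name, art); abiOf.set(name, abi); continue; }
    if (seen === abi) { dropped.push(art.path); continue; }
    const list = conflicts.get(name) ?? [kept.get(name)!.path];
    list.push(art.path);
    conflicts.set(name, list);
  }
  return { kept, dropped, conflicts };
}

// Constructed sample (hypothetical paths, not real artifacts): one harmless exact
// duplicate and one test mock that shadows a production contract name.
const fnAbi = (name: string, mut: string) => [{ type: "function", name, inputs: [], outputs: [], stateMutability: mut }];
const SAMPLE: FoundryArtifact[] = [
  { path: "out/Vault.sol/Vault.json", abi: fnAbi("deposit", "payable") },
  { path: "out/legacy/Vault.sol/Vault.json", abi: fnAbi("deposit", "payable") },
  { path: "out/Handler.sol/Handler.json", abi: fnAbi("run", "nonpayable") },
  { path: "out/test/Handler.sol/Handler.json", abi: [] },
];
```

Walking the real out/ tree and writing the kept artifacts into typechain-artifacts/ is left to the caller; used as a CI gate, the job should fail whenever conflicts is non-empty instead of picking a winner.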

socket-security bot commented Jan 15, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package       Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  yargs@17.7.2  99                     100            100      87           100


Labels

do not merge

4 participants