
passport's Introduction

Gitcoin Passport

What is Passport?

Many social organizations, particularly online ones, have difficulty ensuring that every participant is a unique human and does not have multiple participating accounts. Most existing digital identity solutions are either centralized (e.g., national identity cards) or individualistic (e.g., most “self-sovereign” identity models). However, identity is naturally intersectional and social; everybody shares different data and relationships with a unique set of others. The Gitcoin Passport aims to provide a more collaborative and secure infrastructure for digital identity by capturing the richness of our diversely shared lives.

The Gitcoin Passport is an identity verification application. We have written software enabling people to grow personal collections of verifiable credentials about themselves and organizations to assess their identities to coordinate rights and responsibilities. The institutions define, verify, and utilize identity as functions of the networked records of the individuals. While we build the Passport agnostic to specific applications, we are actively exploring its benefits for personhood proofs and plurality in organizational designs.

Documentation

Check out our documentation at https://docs.passport.gitcoin.co

Contributing to Passport

We welcome everyone to contribute to the Passport project.

You can join our Discord and specifically the passport-builders channel (just be sure to select the builder role when you join the Discord) to get help and discuss the project with the rest of the community.

You can also familiarize yourself with our near-term project roadmap in the passport project backlog.

Reviewing Changes

Once a pull request is sent, the Passport team will review your changes. We outline our process below to clarify the roles of everyone involved.

All pull requests must be approved by two committers before being merged into the repository. If any changes are necessary, the team will leave appropriate comments requesting changes to the code. Unfortunately, we cannot guarantee a pull request will be merged, even when modifications are requested, as the Passport team will re-evaluate the contribution as it changes.

Committers may also push style changes directly to your branch. If you would rather manage all changes yourself, you can disable the "Allow edits from maintainers" feature when submitting your pull request.

The Passport team may optionally assign someone to review a pull request. If someone is assigned, they must explicitly approve the code before another team member can merge it.

When the review finishes, your pull request will be squashed and merged into the repository. If you have carefully organized your commits and believe they should be merged without squashing, please mention it in a comment.

Quick Start

Prerequisites: Node (v16 LTS) plus Yarn and Git

  1. Install Gitcoin Passport (this will install all packages within the passport monorepo):

         git clone https://github.com/gitcoinco/passport.git
         cd passport
         npm install --global lerna
         lerna init
         lerna bootstrap

  2. Create environment files, and replace environment variables with your own values:

         cp ./app/.env-example.env ./app/.env
         cp ./iam/.env-example.env ./iam/.env
         cp ./schemas/.env-example.env ./schemas/.env

  3. Start iam, app, and ceramic services concurrently:

         # remember to create .env files first
         yarn start

  4. Run the Passport Scorer API locally. Set up instructions are here

Passport Data

A passport has two sources of data. The primary source is a Postgres database that is hosted by Gitcoin. To run the passport application locally you will need to spin up the Scorer API. All relevant instructions to run the Scorer API can be found here. The sample environment variables in the .env-example.env files are configured to make requests to the Scorer API running locally. Once the Scorer API is running locally, you should have a reliable data source for development.

The second source of data is the Ceramic network. No steps are needed to run the Ceramic network locally. The sample environment variables in the .env-example.env files are configured to make requests to a test version of the Ceramic network.

Background Knowledge

  • Know what a wallet is, how to create one, etc.
  • Know what a Verifiable Credential is
  • Know basics of Ceramic Network - interacting with DIDDatastore, Self.ID

Packages

app

The web app allowing users to interact with their Gitcoin Passport. README

database-client

Contains database connection implementations. Currently supports Ceramic Network. README

iam

The server handling incoming requests to issue credentials and process verifications. README

identity

This is a helper package to compile Spruce DIDKit and export functions for use in iam and app packages.

infra

Holds the Pulumi deployment configuration for this repository. README

schemas

Ceramic schemas and model definitions, and scripts for creating and publishing these to the Ceramic Network. README

types

Shared type definitions. README

passport's People

Contributors

aminah-io, chibie, dankelleher, david-focused, didierkrux, digitalmnt, erichfi, farque65, flipscholtz, gdixon, kammerdiener, kevin-olsen-opensc, kevinrolsen, kweiss, larisa17, lebraat, lucianhymer, luke-focusedlabs, michaelgreen06, mzkrasner, nutrina, oed, omahs, peebeejay, shavinac, soptq, zachferland


passport's Issues

[CHORE] set up initial github actions to run linting & tests

set up initial github actions scripts

  • on pull request: run lint check, tests
  • on commits to main: run tests

when we start setting up ci/cd pipeline, we can then extend these scripts to deploy code to somewhere, push to named branches, etc

we can start thinking about deploying the iam server and app separately

🎫 [STAMPS] As a passport holder, I can add a Facebook stamp to my passport

GIVEN that I am logged into my passport
WHEN I click the call to action on the Facebook stamp
THEN I see a message that tells me to verify my FB account
AND WHEN my FB account is verified
THEN I can see that my FB stamp is verified

Planning Notes

  • Need a dev account on FB - need to go thru an approval process before integration is production ready (mostly automated checks by FB) -- log in with these credentials or in company password vault
  • FB OAuth flow (we think it's needed for production)
  • How do we save info for credentials?
  • https://github.com/mattrglobal/node-bbs-signatures

Story Points
2

As an existing user, I can sign into my passport, so that I can add stamps

GIVEN that I already have a passport AND my wallet is connected
WHEN I visit the Gitcoin passport page (AND I click a call-to-action that says "View My Passport")
THEN I am redirected to a page where I can view stamps (for now, it's a blank page that says "stamps will go here")

Questions

  • Should users click a CTA (call to action) to access their passport?
  • How long should sessions stay open?
  • What happens when a ceramic session expires?
  • How do we know that a user already has a passport?

Notes

  • Ideal Case: user is automatically dropped into their passport

Mocks

Story Points
2

📖 [READER] As a passport holder, I can submit my passport for review, so that my passport can be assigned a score

For pages/dapps that want to use a score (i.e. grants checkout) we should have a "drop in" way to allow simple dpopp integration. For now, let's assume we have a test page and extract a library/FE-component later

For now, scoring is going to be the following:
any stamps is a score of 👍
no stamps is a score of 👎

GIVEN that I am a passport holder on a page that is requesting my passport
WHEN I add my passport DID to a field
THEN I can click the button "generate a score"
I should see my score calculated from my current passport stamps

🎫 [STAMPS] As a Passport Holder, I can add a BrightID stamp to my passport

GIVEN that I have signed into my passport with a wallet address
WHEN I click the BrightID stamp
THEN I see a modal that tells me how to connect to BrightID
AND WHEN I have successfully connected my verified BrightID account
THEN my BrightID stamp shows that I am verified

Notes

  • We need to be setup as a sponsor for BrightID to get a link/QR code to put into this modal

Questions

  • How do you verify ownership of a verified BrightID account? What connects dPopp and BrightID?
  • How does Gitcoin cPopp handle BrightID?

🚗 [GRANTS] As a Gitcoin user, I want to connect my wallet, so that I can access my passport for GR14

GIVEN that I am a Gitcoin user with a Gitcoin account
WHEN I visit the Trust Bonus page
THEN I see a button to connect with my passport
AND WHEN I click that button
THEN I am prompted to connect my wallet
AND WHEN I have a passport
THEN I am connected

AND WHEN I don't have a passport
THEN I am prompted to create a passport
AND WHEN I click "Create Passport"
THEN I am taken to the passport creation flow in a new tab
AND WHEN I complete that process AND I come back to Gitcoin
THEN I see that my passport is connected

Mocks

📖 [READER] As a passport holder, I can connect my wallet, so that the reader can calculate my score

Following on from the last story, let's calculate the did, and the score from the wallet connection
If not already done let's capture the page events to kick off the async calculation process and keep the UI updated accordingly.

GIVEN I am on a page requesting my passport
AND I have a passport created
WHEN I request my passport
THEN I get an object containing all of my stamps and passport details

Prompt users to create a passport when prompted to calculate score and no passport present

Failure case - calculate the did, and the score from the wallet connection

GIVEN I am on a page requesting my passport
AND I DO NOT have a passport created
WHEN I connect my wallet
AND I sign the transaction to calculate my did from my wallet
THEN I should see the page update to "calculating score"
AND I should receive a "no passport found" message
AND I should have a prompt to create a passport
AND I should see additional information if the wallet was not found for other reasons

Help text:

Your passport could not be found
If you have already created a passport, please check you are using the same wallet you initially used to create your passport.
If you are still having trouble, connect with us in our dpopp support discord channel: https://discord.com/channels/XXX

As a new passport holder, I can create a passport so that I can collect stamps

GIVEN that I am creating a new passport
WHEN I click the call-to-action button
THEN I see a MetaMask message
AND WHEN I sign the MetaMask message
THEN a passport is created AND I am signed into Passport AND I am redirected to a blank page that says "stamps will be here"

Notes

  • Only build the first page with the passport call to action
  • Use the mid-fidelity mock
  • Local storage for this first story

Mocks

Story Points
2

🎫 [STAMPS] As a Passport Holder, I can add an Idena stamp to my passport

GIVEN that I am a passport holder
WHEN I click the Idena stamp
THEN I am taken to Idena
AND WHEN I create and/or sign into an Idena account
AND I complete whatever Idena asks me to do to be verified
THEN my Idena stamp shows verified

Notes

Questions

  • Given that Idena accounts expire, has Gitcoin cPopp accounted for that? How should we handle it with dPopp?
  • What does Idena look for to determine verification?

Engineering task: set up CI/CD pipeline

Questions:

  • What are we using to deploy front end? Where are we hosting it (to start)?
  • What are we using to deploy servers / backend? Where are we hosting it?
  • What environments do we want? Dev / Prod of course, do we want staging/qa/test etc? dev = testnet, prod = mainnet?
  • Running a local node vs connecting to a remote Ceramic node for tests? Should we use Docker for running a local node?

Notes:

  • Need to run a Ceramic node and IPFS node to pin our data
  • Fleek tracks Git branches for deployment - so we would set up main (dev), staging(?), prod branches. can deploy to IPFS, IC. can start with free tier but will need to pay for >250 build minutes
  • Can use Github Actions with manual triggers (eg buttons) if we want a manual promotion / deployment gate
  • Need to set up a step to publish any model changes to Ceramic
  • https://github.com/nektos/act - running Github Actions locally

Gitcoin contacts:

  • TimS
  • Gerald

Switch over from local storage implementation to Ceramic for VC storage

GIVEN I have verified a stamp in one browser
AND I have not completed that stamp in a second browser
WHEN I visit my passport page in a new browser
THEN I still see my verified stamp

Notes

  • adding ceramic to CI/CD (can be its own story/card)
  • Implementing/replacing ceramic as a storage implementation (this card)

Question

  • what does testing look like?

Story Points
2

As a passport holder, I can choose a way to store my passport

Notes:

  • Should this be implemented? Product and design should assess feasibility. User desire for this option should be explored
  • Local Storage is used as a data storage option in the initial issues.
  • Local storage should be restricted to a developer mode option once ceramic is implemented
  • How will the different storage options be available to the user?

🎫 [STAMPS] As a Passport Holder, I can add a Proof of Humanity stamp to my passport

GIVEN that I have signed into my passport with a wallet address
AND I have an NFT associated with Proof of Humanity to my wallet address
WHEN I click the PoH stamp
THEN I see a message that confirms if my address is registered with proof of humanity
AND WHEN I click "verify"
THEN my Proof of Humanity stamp shows that I am verified

Notes

  • this stamp checks for an NFT in the same way that ENS would
  • Check if the user has the NFT, and if they don't, let's ditch having a "waiting" status.

Questions

Story Points
2

Create and expose a 404 page to handle unrecognised paths

Fleek will attempt to load documents from IPFS using a directory structure, if the user navigates to a page other than the index they will be met with an ugly 404 page.

As a fallback, fleek will attempt to serve /ipfs-404.html when it can't otherwise find the desired document.

We should create and store a custom /ipfs-404.html document in the nextjs out directory at build time.


More information can be found here: https://docs.fleek.co/hosting/troubleshooting/#adding-404-errors

🎫 [STAMPS] As a passport holder, I can add an ENS stamp to my passport

GIVEN that I have signed into my passport with a wallet address
AND I have an ENS registered to my wallet address
WHEN I click the ENS stamp
THEN I see a message that checks my address and confirms an ENS associated with it
AND WHEN I click "verify"
THEN my ENS stamp shows that I am verified

Questions

  • If I have an ENS associated with an account, but do not have it set to resolve to said address - will it still verify an ENS? (can only 1 ENS resolve to a specific address)
  • Do we need a mainnet RPC up to resolve the ENS addresses?
  • How does Trust Bonus Scoring currently use RPC's to resolve?

Notes

  • Need to look a bit more into OnboardJS library if it has ENS lookup out of the box

Story Point
3

[CHORE]: Add in better error handling in IAM server

  • Right now all errors are reported as 400 but there is room for nuance
  • Check line 71 of iam/src/index.tsx
  • Ensure errors/exceptions do not reveal sensitive information (app secrets, secret key, etc) if uncaught/unhandled
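
An added example (not code from the Passport repository) of the error handling this issue asks for, in JavaScript for Node: errors raised on purpose carry their own status and a client-safe message, anything else becomes a generic 500 with a correlation id, and the server-side log line is scrubbed of known secret values. ApiError, redact, toResponse, issueCredential, handle and SIGNING_KEY are hypothetical names, and the key value is a constructed sample.

```javascript
// Added example with hypothetical names; not the iam package's code.

// Errors the server raises deliberately: a status plus a message safe to show clients.
class ApiError extends Error {
  constructor(status, publicMessage) {
    super(publicMessage);
    this.name = "ApiError";
    this.status = status;
    this.publicMessage = publicMessage;
  }
}
const badRequest = (msg) => new ApiError(400, msg);
const unauthorized = (msg) => new ApiError(401, msg);
const upstreamFailed = () => new ApiError(502, "Verification provider unavailable");

// Replace every occurrence of a known secret value before the text is logged.
function redact(text, secrets) {
  let out = String(text);
  for (const s of secrets) {
    if (typeof s === "string" && s.length >= 4) out = out.split(s).join("[REDACTED]");
  }
  return out;
}

// Correlation id for matching a client report to a log line (an identifier, not a secret).
const newErrorId = () =>
  Date.now().toString(36) + Math.random().toString(36).slice(2, 8);

// Map any thrown value to a client response and, for unexpected errors, a log line.
function toResponse(err, secrets) {
  if (err instanceof ApiError) {
    return { status: err.status, body: { error: err.publicMessage }, log: null };
  }
  const errorId = newErrorId();
  const detail = err instanceof Error ? err.stack || err.message : String(err);
  return {
    status: 500,
    // The client sees no message, stack or config from the unexpected error.
    body: { error: "Internal server error", errorId },
    log: redact(`[${errorId}] ${detail}`, secrets),
  };
}

// Constructed stand-in for a credential-issuing route; the key is a made-up sample.
const SAMPLE_CONFIG = { SIGNING_KEY: "sample-signing-key-0000" };

function issueCredential(payload, config) {
  if (!payload || typeof payload.address !== "string") throw badRequest("Missing address");
  if (payload.proof !== "valid") throw unauthorized("Challenge proof rejected");
  if (payload.type === "ProviderDown") throw upstreamFailed();
  if (payload.type === "Bug") {
    // Simulates a library error that echoes key material into its message.
    throw new Error(`could not sign with key ${config.SIGNING_KEY}`);
  }
  return { credential: { type: payload.type, address: payload.address } };
}

// Single catch point: nothing thrown below reaches the client unfiltered.
function handle(payload, config = SAMPLE_CONFIG) {
  try {
    return { status: 200, body: issueCredential(payload, config), log: null };
  } catch (err) {
    return toResponse(err, Object.values(config));
  }
}
```
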

set up promote-to-staging pipeline

tasks:

  • create a dpopp > staging pulumi stack, tied to gitcoin staging AWS account on deploy
  • create a staging-app branch and a new fleek site that tracks that branch
  • add *-staging github secrets for applicable values
  • implement promote-staging github workflow (see .github/workflows/promote-staging.yml). actual app-deploy / server-deploy processes should be similar to the review workflows (cd-server, cd-app-review), but would be triggered manually (thru workflow_dispatch) rather than on push

[TECH DEBT] Ceramic CLI dependency causing issues with NextJS export process

Currently if running next export to build the web app code, it errors with

info  - Loaded env from /Users/shavinachau/workspace/gitcoinco/dPopp/app/.env
Failed to compile.

../node_modules/@tendermint/belt/src/base64.ts:48:43
Type error: Type 'Uint8Array' is not an array type or a string type. Use compiler option '--downlevelIteration' to allow iterating of iterators.

  46 |  */
  47 | export function bytesToBase64 (bytes: Bytes): Base64String {
> 48 |     const binary = String.fromCharCode(...bytes);
     |                                           ^
  49 |     return btoa(binary);
  50 | }
  51 |
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.

This issue is caused by the @tendermint family of libraries, which is a dependency of @ceramicnetwork/cli, which is brought into the NextJS export process because NextJS is pulling in the root-level node modules from lerna bootstrap, which includes dependencies from multiple packages including those that require @ceramicnetwork/cli

for now, we hacked the Fleek build command to remove the @tendermint package:

    npm install --g lerna && lerna bootstrap && rm -rf ../node_modules/@tendermint && npm run export

this is super hacky and we should figure out a better way to deal with this

set up promote-to-prod pipeline

prerequisites:

  • gitcoin "prod account" AWS access
  • prod domain

todo:

  • discuss additional processes we want - announcing a new release, any manual approvals (stakeholder sign-offs?), etc

[CHORE]: add code and commit linting configs

Code linting:

Notable linting/formatting rules put in place:

  • Double quotes, not single quotes
  • Use semicolons
  • Trailing commas always
  • 2-space tab width
  • 80-char recommended line length
  • no unused variables
  • (warning-level) should explicitly annotate function return types, even if the return type can be inferred.

--

Commit message formatting:

Question:

[CHORE] Setup Ceramic Node

See #47 (comment) - currently a Ceramic image is being deployed in a container alongside our IAM server container, however currently it is not exposed to external traffic.

  • configure (a new?) listener to direct certain incoming requests to the ceramic container
  • expose appropriate ports on the ceramic container
  • possibly modify ceramic image to "pre-load" our desired Passport and VC schemas to the ceramic node that runs
  • configure AWS EFS to persist stored ceramic data across container recycles

additional / future thoughts:

  • when making read/write requests to our ceramic node -- should our webapp use some kind of authentication scheme to make sure our ceramic node is only storing/pinning dpopp-related data? otherwise it would be open for /anyone/ to use for writing arbitrary new data streams... or potential DDOS attack on our ceramic node

[CHORE] Setup Fleek to deploy frontend

The following branches were created for the CI/CD pipeline.

  • Review: Product will use this branch to review and accept changes
  • Prod: Production branch

All dev code will be first pushed to the main branch.

The codebase from the three branches mentioned above was deployed to Fleek. Fleek will trigger a new deployment after a successful code push. The URLs for each of the Fleek deployments are listed below.

🎫 [STAMPS] As a passport holder, I can add a Twitter stamp to my passport

GIVEN that I am logged into my passport
WHEN I click the call to action on the Twitter stamp
THEN I see a message that asks me to sign in through OAuth
AND WHEN I have successfully signed in through OAuth
THEN my Twitter stamp shows that I am verified

Notes

  • For later - should there be a requirement to have a minimum number of followers on Twitter?
  • For later - Just collect follower information for scoring?
  • For later - What other information can we collect to verify a Twitter account? Past # of tweets? Recent tweets? Following? Followers?

Story Points
2

As a passport holder who is signed in, I can add a stamp to my passport

GIVEN that I am signed into my passport
WHEN I want to make changes to attestations
THEN I need to connect to the dpopp identity authentication manager (IAM) server
AND THEN I receive a verifiable credential

Notes

  • This includes the connection to server
  • Store date and time of last certification

Story Points
2

use hash-based NextJS routing to allow accessing sub-pages directly

issue: when starting on the app index page (https://billowing-resonance-5481.on.fleek.co), page routing works as expected. however, when attempting to load a sub-page directly (like https://billowing-resonance-5481.on.fleek.co/Dashboard), it will not load correctly due to IPFS.

see https://blog.fleek.co/posts/fleek-create-react-app#additional-considerations-concerning-routing

One problem that will occur is that the routes will work properly when accessing the site through the main domain, but will not work when accessing it through an IPFS gateway with the hash in the path such as https://ipfs.io/ipfs/HASH.

This is due to fact that the gateway is formatted with the hash in a path in the URL which causes the gateway to think the user is looking for a file while in reality the user is trying to access the app from a particular route. The problem is explained in more details here.

The solution we recommend is to use hash routing instead. Urls will then render in the following format: https://ifps.io/ipfs/HASH/#/YOUR_ROUTE and the problem will be fixed.

we should implement hash-routing (or whatever the NextJS equivalent is)

🎫 [STAMPS] As a passport holder, I can add a POAP stamp to my passport

GIVEN that I have signed into my passport with a wallet address
WHEN I click the POAP stamp
THEN I sign a message in my wallet to sign (checks my address for POAP's w/ +15 days)

Success:
THEN I see a modal that includes my address that my POAP were checked against with a check mark, and info on how we verify them (at least 15 days)
AND WHEN I click "verify"
THEN Metamask sends me a verify POAP's message to sign
AND WHEN I sign the message on Metamask
THEN my POAP stamp shows that I am verified

Failed:
THEN I see a modal that includes my address that my POAP were checked against with an x mark, and info on how we verify them (at least 15 days)
AND WHEN I click "Go Back"
THEN It returns to my passport page

Notes

  • Would like to combine the two modal messages that the Trust Bonus Score modal uses into one message - just a success or failed modal
  • Trust Bonus Score messages in the modal: 1. explains what POAP's are, how we verify them (at least 15 days) and 2. shows address the user is signed in to that we'll check and prompts user to check.

Questions

  • Why does it send a message for Metamask to sign on POAP, but not on ENS when verifying?
