ZeroKeyCI

CI/CD pipeline that deploys smart contracts safely — no private keys ever stored.

Created at: ETHOnline 2025

Project Description

ZeroKey CI is a key-less continuous deployment framework for Ethereum and EVM chains. It eliminates the single biggest security flaw in most Web3 DevOps setups — private keys inside CI/CD.

Instead of embedding deployer keys, every pipeline run generates and submits a Gnosis Safe proposal containing the deployment or upgrade transaction. Execution happens only after the required owners approve it via Safe or via Lit Protocol Vincent delegated signing, so no long-lived key ever touches GitHub Actions.

Core capabilities

• 🔐 Key-less deployment: CI never holds a signing key. All signatures occur in Safe or KMS.
• 🧩 Modular policy gate: Optional OPA/Rego layer defines which contracts/functions can be deployed.
• 🛰️ Cross-tool visibility: Blockscout Autoscout instance tracks every proposal → approval → execution.
• 📊 Real-time monitoring: Envio HyperIndex indexes Safe events for a live audit dashboard.
• ⚡ Developer ergonomics: Built with Hardhat 3 and Ethers v6 for seamless compile/test/deploy.

The result is a reproducible, auditable, multi-chain deployment pipeline that meets enterprise security expectations without sacrificing Web3 speed.

How it's Made

ZeroKey CI was built during ETHOnline 2025 as a completely key-less DevOps framework for EVM-based smart contract deployment.

We started from Hardhat 3, using it for compiling, testing, and simulating all contracts before deployment proposals are generated. The system integrates directly with Gnosis Safe through the official @safe-global protocol-kit and api-kit. Rather than signing transactions in the CI pipeline, the pipeline only creates Safe proposals and submits them to the Safe Transaction Service. Execution happens later when Safe owners approve from their wallets.

For the signing layer, we designed it to be provider-agnostic. In the hackathon build we used a lightweight signing gateway that can plug into either:

• a local SoftKMS (a Node.js ECDSA signer running in a secure container), or
• any cloud KMS provider such as AWS, GCP, or open-source HashiCorp Vault, depending on what the user has access to.

All of these use non-exportable keys and short-lived tokens, so the CI never holds a private key. This design keeps the system free to run on a developer laptop or a public CI runner, with no paid cloud services required.

We added Lit Protocol Vincent to handle delegated signing scopes. That allows the CI to act only within a narrow permission window—such as calling upgradeTo(address) with value == 0—while all other functions remain restricted to human approval.

For transparency, we connected Blockscout Autoscout so every deployment automatically spawns an explorer for the target network. We used the Blockscout SDK and MCP to link each GitHub pull request with its corresponding on-chain transaction, giving instant feedback inside the CI dashboard.

To index and visualize audit data, Envio HyperIndex and HyperSync track all Safe events (Proposed, Approved, Executed, Rejected) and feed them into a live monitoring dashboard. Open Policy Agent (OPA) provides the policy layer that validates each proposal—checking contract addresses, network IDs, and function selectors—before any signature is issued.

The full flow works like this:

1. A developer opens a pull request → Hardhat tests run automatically.
2. On merge, the CI compiles contracts and builds a Safe transaction proposal.
3. The policy gateway reviews the payload and signs via the local/remote KMS if approved.
4. Safe owners or Lit delegates finalize the transaction.
5. The result appears in Blockscout and the Envio dashboard in real time.
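As an added example (not ZeroKeyCI's own code), here is the kind of pre-signature check the policy gateway in step 3 performs, written in plain JavaScript: each field of a proposed Safe transaction is tested against an allowlist and every failed check is reported before any signature is requested. The chain ID, proxy address and implementation address are constructed values; the selector is the standard ERC-1967/UUPS `upgradeTo(address)`, and `operation` is the Safe transaction's Call/DelegateCall flag.

```javascript
// Added example, not ZeroKeyCI's own code: a pre-signature policy gate for a
// Safe proposal, mirroring the checks described above (network ID, target
// contract, function selector, value). Policy values are constructed.
const SELECTORS = {
  "0x3659cfe6": { name: "upgradeTo(address)", maxValue: 0n }, // ERC-1967/UUPS
};

// Constructed policy: the only things the CI delegate may propose unattended.
const POLICY = {
  allowedChainIds: new Set([11155111]), // Sepolia (assumption)
  allowedTargets: new Set(["0x1111111111111111111111111111111111111111"]), // proxy
};

// tx follows Safe's MetaTransactionData shape { to, value, data, operation } plus
// the chainId the proposal targets; operation 0 = Call, 1 = DelegateCall.
// Returns { allowed, reasons } so a rejected proposal explains itself in the CI log.
function evaluateProposal(tx, policy = POLICY) {
  const reasons = [];
  if (!policy.allowedChainIds.has(tx.chainId)) reasons.push(`chainId ${tx.chainId} not allowed`);
  if (!policy.allowedTargets.has(String(tx.to).toLowerCase())) reasons.push(`target ${tx.to} not allowlisted`);
  if (tx.operation !== 0) reasons.push("only plain Call is allowed (no DelegateCall)");
  if (!/^0x[0-9a-fA-F]*$/.test(tx.data) || tx.data.length < 10) {
    reasons.push("calldata missing 4-byte selector");
    return { allowed: false, reasons };
  }
  const selector = tx.data.slice(0, 10).toLowerCase();
  const rule = SELECTORS[selector];
  if (!rule) {
    reasons.push(`selector ${selector} not allowed`);
  } else {
    if (BigInt(tx.value) > rule.maxValue) reasons.push(`${rule.name} must carry value <= ${rule.maxValue}`);
    // upgradeTo(address) takes exactly one 32-byte ABI word: 12 zero bytes, then the address.
    const args = tx.data.slice(10);
    if (args.length !== 64) reasons.push("expected exactly one ABI-encoded argument");
    else if (!/^0{24}/.test(args)) reasons.push("address argument has non-zero upper bits");
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed proposal: upgrade the allowlisted proxy to a new implementation.
const IMPL = "2222222222222222222222222222222222222222";
const GOOD_PROPOSAL = {
  chainId: 11155111,
  to: "0x1111111111111111111111111111111111111111",
  value: "0",
  data: "0x3659cfe6" + "0".repeat(24) + IMPL,
  operation: 0,
};
console.log(evaluateProposal(GOOD_PROPOSAL)); // { allowed: true, reasons: [] }
```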

We added some hacky flourishes too: the pipeline computes the PR diff hash to auto-generate the upgradeTo() payload—no manual input—and embeds PR metadata into the Safe transaction for traceability. We also experimented with Pyth price feeds to pause deployments automatically when gas spikes beyond a threshold.

Overall, ZeroKey CI combines Safe’s multi-sig security, Lit delegated signing, and open, optionally free signing back-ends to show that secure Web3 deployment can be both auditable and accessible to every developer—even without paying for cloud KMS.
