feat: Add rebrand CI/CD workflows to main branch

- Add 72 rebrand workflow files (polkadot→pezkuwi, substrate→bizinikiwi, cumulus→pezcumulus) - Add GitHub actions, issue templates, and configs - Removed unnecessary workflows (fork-sync, gitspiegel, upstream-tracker, sync-templates, backport) - Renamed zombienet test files to match new naming convention
2025-12-19 22:51:57 +03:00
parent a2bc2cd671
commit 2093647fea
131 changed files with 16523 additions and 0 deletions
@@ -0,0 +1,188 @@
+name: Reusable - Publish Package
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: Current final release tag (e.g., pezkuwi-stableYYMM)
+        required: true
+        type: string
+      distribution:
+        description: Distribution where to publish package (e.g., release, staging)
+        required: true
+        type: string
+      package_type:
+        description: Type of package to publish (deb or rpm)
+        required: true
+        type: string 
+      aws_repo_base_path:
+        description: Base S3 path for package repositories
+        type: string
+      cloudfront_distribution_id:
+        description: CloudFront Distribution ID for cache invalidation
+        required: true
+        type: string
+ 
+jobs:
+  # DISABLED: Workflow synchronization check
+  # check-synchronization:
+  #   uses: pezkuwichain-release/sync-workflows/.github/workflows/check-synchronization.yml@main
+  #   secrets:
+  #     fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }}
+
+  validate-inputs:
+    runs-on: ubuntu-latest
+    outputs:
+        release_tag: ${{ steps.validate_inputs.outputs.release_tag }}
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+      - name: Validate package type
+        if: ${{ inputs.package_type != 'deb' && inputs.package_type != 'rpm' }}
+        run: |
+          echo "Error: package_type must be either 'deb' or 'rpm'"
+          exit 1
+
+      - name: Validate inputs
+        id: validate_inputs
+        run: |
+          # Source common library for helper functions
+          . ./.github/scripts/common/lib.sh
+          RELEASE_TAG=$(validate_stable_tag ${{ inputs.tag }})
+          echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT
+
+  fetch-artifacts-from-s3:
+    runs-on: ubuntu-latest
+    needs: [validate-inputs]
+    environment: release
+    env:
+      REPO: ${{ github.repository }}
+      VERSION: ${{ needs.validate-inputs.outputs.release_tag }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+    outputs:
+      NODE_VERSION: ${{ steps.fetch_artifacts_from_s3.outputs.NODE_VERSION }}
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+      - name: Fetch rc artifacts or release artifacts from s3 based on version
+        id: fetch_artifacts_from_s3
+        run: |
+          . ./.github/scripts/common/lib.sh
+          NODE_VERSION="$(get_pezkuwi_node_version_from_code)"
+          echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_OUTPUT
+
+          # Fetch specific package type artifact (deb or rpm)
+          if [[ "${{ inputs.package_type }}" == "deb" ]]; then
+            fetch_debian_package_from_s3 pezkuwi
+          elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then
+            fetch_rpm_package_from_s3 pezkuwi
+          fi
+
+      - name: Upload artifacts for later jobs
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: release-artifacts-${{ inputs.package_type }}
+          path: release-artifacts/pezkuwi/*.${{ inputs.package_type }}
+
+  publish-package:
+    runs-on: ubuntu-latest
+    needs: [fetch-artifacts-from-s3]
+    environment: release
+    env:
+      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+      AWS_REPO_PATH: "${{ inputs.aws_repo_base_path }}/${{ inputs.package_type }}"
+      LOCAL_REPO_PATH: ${{ github.workspace }}/${{ inputs.package_type }}
+      NODE_VERSION: ${{ needs.fetch-artifacts-from-s3.outputs.NODE_VERSION }}
+    steps:
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y python3-pip reprepro rpm createrepo-c
+
+          python3 -m pip install --user awscli "pgpkms @ git+https://github.com/pezkuwichain-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151"
+
+          # Ensure ~/.local/bin is in PATH right now and for later steps
+          export PATH=$HOME/.local/bin:$PATH
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+          # Export to GITHUB_ENV (this time they won’t be empty)
+          echo "PGPKMS_REPREPRO_PATH=$(which pgpkms-reprepro)" >> $GITHUB_ENV
+          echo "PGPKMS_RPMSIGN_PATH=$(which pgpkms-rpmsign)" >> $GITHUB_ENV
+
+      - name: Checkout sources
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+      - name: Download artifacts from previous job
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: release-artifacts-${{ inputs.package_type }}
+          path: release-artifacts
+
+      - name: Setup local deb repo config
+        if: ${{ inputs.package_type == 'deb' }}
+        run: |
+          sed -i "s|^SignWith:.*|SignWith: ! ${PGPKMS_REPREPRO_PATH}|" ${{ github.workspace }}/.github/scripts/release/distributions
+          mkdir -p "$LOCAL_REPO_PATH/conf"
+          cp ${{ github.workspace }}/.github/scripts/release/distributions "$LOCAL_REPO_PATH/conf/distributions"
+
+      - name: Sync local repo
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+        run: |
+          # --- Sync Local Repo from S3 ---
+          mkdir -p "$LOCAL_REPO_PATH"
+          if [[ "${{ inputs.package_type }}" == "deb" ]]; then
+            aws s3 sync "$AWS_REPO_PATH/db" "$LOCAL_REPO_PATH/db" || true
+            aws s3 sync "$AWS_REPO_PATH/pool" "$LOCAL_REPO_PATH/pool" || true
+            aws s3 sync "$AWS_REPO_PATH/dists" "$LOCAL_REPO_PATH/dists" || true
+          elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then
+            aws s3 sync "$AWS_REPO_PATH" "$LOCAL_REPO_PATH" || true
+          fi
+
+      - name: Add packages to local repo, sign, and update metadata
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
+          PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
+        run: |
+          . ./.github/scripts/common/lib.sh
+          import_gpg_keys
+
+          # --- Add Package to Repo and Sign ---
+          if [[ "${{ inputs.package_type }}" == "deb" ]]; then
+            debname=$(find release-artifacts/ -name 'pezkuwi_*.deb' | head -n 1)
+            reprepro -b "$LOCAL_REPO_PATH" includedeb "${{ inputs.distribution }}" "$debname"
+
+          elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then
+            rpmname=$(find release-artifacts/ -name 'pezkuwi-*.rpm' | head -n 1)
+
+            echo "Signing package with pgpkms (via AWS KMS)..."
+            chmod +x .github/scripts/release/pgpkms-gpg-wrapper.sh
+            cp .github/scripts/release/rpmmacros $HOME/.rpmmacros
+
+            echo "Dumping rpm gpg-related macros..."
+            rpm --showrc | grep gpg || true
+            echo "Contents of .rpmmacros:"
+            cat $HOME/.rpmmacros
+            rpm --addsign "$rpmname"
+
+            echo "Copying signed package to local repo..."
+            cp "$rpmname" "$LOCAL_REPO_PATH/"
+
+            echo "Updating repository metadata..."
+            createrepo_c --update "$LOCAL_REPO_PATH"
+          fi
+
+      - name: Upload updated repo to S3
+        env:
+          AWS_ACCESS_KEY_ID:  ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+        run: |
+          aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" --acl public-read
+          aws cloudfront create-invalidation --distribution-id ${{ inputs.cloudfront_distribution_id }} --paths '/${{ inputs.package_type }}/*'