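# Reusable workflow that builds release-candidate binaries for one target,
# attests and signs them, optionally packages deb/rpm, and hands the result to
# the reusable S3 upload workflow.
name: RC Build

on:
  workflow_call:
    inputs:
      # The build jobs parse this value with fromJSON() to form the matrix, so
      # callers pass a JSON array string. The bare default `pezkuwi` below is
      # not valid JSON and could not be used with fromJSON() as written.
      binary:
        description: Binary to be build for the release
        required: true
        default: pezkuwi
        type: string
      package:
        description: Package to be built, for now can be pezkuwi, pezkuwi-teyrchain-bin, or pezkuwi-omni-node
        required: true
        type: string
      release_tag:
        description: Tag matching the actual release candidate with the format pezkuwi-stableYYMM(-rcX) or pezkuwi-stableYYMM-X(-rcX)
        required: true
        type: string
      target:
        description: Target triple for which the artifacts are being built (e.g. x86_64-unknown-linux-gnu)
        required: true
        type: string
      features:
        description: Features to be enabled when building the binary (must be a list of comma-separated features)
        required: false
        type: string

# Declared workflow-wide, so every job below receives these scopes.
# NOTE(review): only the jobs running attest-build-provenance appear to need
# id-token/attestations write; consider granting them per job instead. Confirm
# what release-reusable-s3-upload.yml requires before narrowing.
permissions:
  id-token: write
  contents: read
  attestations: write

jobs:
  set-image:
    # GitHub Actions allows using 'env' in a container context.
    # However, env variables don't work for forks: https://github.com/orgs/community/discussions/44322
    # This workaround sets the container image for each job using 'set-image' job output.
    runs-on: ubuntu-latest
    env:
      BINARY: ${{ inputs.binary }}
    outputs:
      IMAGE: ${{ steps.set_image.outputs.IMAGE }}
      RUNNER: ${{ steps.set_image.outputs.RUNNER }}
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0

      - id: set_image
        run: |
          # The lines of .github/env become step outputs verbatim.
          cat .github/env >> "$GITHUB_OUTPUT"
          RUNNER=""
          if [[ "${BINARY}" =~ "pezkuwi-teyrchain" || "${BINARY}" =~ "pezkuwi-omni-node" ]]; then
            RUNNER="ubuntu-latest-m"
            echo "Using ubuntu-latest-m runner"
          else
            RUNNER="ubuntu-latest"
            echo "Using ubuntu-latest runner"
          fi
          echo "RUNNER=${RUNNER}" >> "$GITHUB_OUTPUT"

  build-rc:
    if: ${{ inputs.target == 'x86_64-unknown-linux-gnu' }}
    needs: [set-image]
    runs-on: ${{ needs.set-image.outputs.RUNNER }}
    environment: release
    container:
      image: ${{ needs.set-image.outputs.IMAGE }}
    strategy:
      matrix:
        binaries: ${{ fromJSON(inputs.binary) }}
    # NOTE(review): these are job-level, so every step in this job (the build
    # script included) can read the signing and AWS credentials. If only the
    # signing step uses them, move them to that step's `env:`. Confirm which
    # steps need them first.
    env:
      PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
      PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
    steps:
      - name: Install pgpkkms
        run: |
          # Install pgpkms that is used to sign built artifacts
          python3 -m pip install "pgpkms @ git+https://github.com/pezkuwichain-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151"
          which pgpkms

      - name: Checkout sources
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          ref: ${{ inputs.release_tag }}
          fetch-depth: 0

      - name: Import gpg keys
        shell: bash
        run: |
          . ./.github/scripts/common/lib.sh

          import_gpg_keys

      - name: Build binary
        # Caller-supplied values reach the shell as environment variables, not
        # as text pasted into the script, so they cannot alter the command line.
        env:
          RC_BINARY: ${{ matrix.binaries }}
          RC_PACKAGE: ${{ inputs.package }}
          RC_FEATURES: ${{ inputs.features }}
        run: |
          git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error
          # The features argument is passed only when the input is non-empty.
          ./.github/scripts/release/build-linux-release.sh "${RC_BINARY}" "${RC_PACKAGE}" ${RC_FEATURES:+"${RC_FEATURES}"}

      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
        with:
          subject-path: /artifacts/${{ matrix.binaries }}/${{ matrix.binaries }}

      - name: Sign artifacts
        working-directory: /artifacts/${{ matrix.binaries }}
        env:
          RC_BINARY: ${{ matrix.binaries }}
        run: |
          python3 -m pgpkms sign --input "${RC_BINARY}" -o "${RC_BINARY}.asc"

      - name: Check sha256 ${{ matrix.binaries }}
        working-directory: /artifacts/${{ matrix.binaries }}
        shell: bash
        env:
          RC_BINARY: ${{ matrix.binaries }}
        run: |
          . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh

          echo "Checking binary ${RC_BINARY}"
          check_sha256 "${RC_BINARY}"

      - name: Check GPG ${{ matrix.binaries }}
        working-directory: /artifacts/${{ matrix.binaries }}
        shell: bash
        env:
          RC_BINARY: ${{ matrix.binaries }}
        run: |
          . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh

          check_gpg "${RC_BINARY}"

      - name: Upload ${{ matrix.binaries }} artifacts
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
        with:
          name: ${{ matrix.binaries }}_${{ inputs.target }}
          path: /artifacts/${{ matrix.binaries }}

  build-macos-rc:
    if: ${{ inputs.target == 'aarch64-apple-darwin' }}
    runs-on: macos-latest
    environment: release
    strategy:
      matrix:
        binaries: ${{ fromJSON(inputs.binary) }}
    # NOTE(review): job-level secrets are visible to every step below, which
    # includes third-party setup actions, Homebrew installs and a downloaded
    # binary. Scope them to the signing step if nothing else uses them; confirm
    # against the build script first.
    env:
      PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
      PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
    steps:
      - name: Checkout sources
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          ref: ${{ inputs.release_tag }}
          fetch-depth: 0

      - name: Set rust version from env file
        run: |
          RUST_VERSION=$(cat .github/env | sed -E 's/.*ci-unified:([^-]+)-([^-]+).*/\2/')
          echo "$RUST_VERSION"
          echo "RUST_VERSION=${RUST_VERSION}" >> "$GITHUB_ENV"

      - name: Set workspace environment variable
        # relevant for artifacts upload, which can not interpolate Github Action variable syntax when
        # used within valid paths. We can not use root-based paths either, since it is set as read-only
        # on the `pezkuwichain-macos` runner.
        env:
          RC_BINARY: ${{ matrix.binaries }}
        run: echo "ARTIFACTS_PATH=${GITHUB_WORKSPACE}/artifacts/${RC_BINARY}" >> "$GITHUB_ENV"

      - name: Set up Homebrew
        uses: Homebrew/actions/setup-homebrew@1ccc07ccd54b6048295516a3eb89b192c35057dc  # master from 12.09.2024

      - name: Set homebrew binaries location on path
        run: echo "/opt/homebrew/bin" >> "$GITHUB_PATH"

      - name: Install rust ${{ env.RUST_VERSION }}
        uses: actions-rust-lang/setup-rust-toolchain@fb51252c7ba57d633bc668f941da052e410add48  # v1.13.0
        with:
          cache: false
          toolchain: ${{ env.RUST_VERSION }}
          target: wasm32-unknown-unknown
          components: cargo, clippy, rust-docs, rust-src, rustfmt, rustc, rust-std

      - name: cargo info
        run: |
          echo "######## rustup show ########"
          rustup show
          echo "######## cargo --version ########"
          cargo --version

      - name: Install protobuf
        run: brew install protobuf

      - name: Install gpg
        run: |
          brew install gnupg
          # Setup for being able to resolve: keyserver.ubuntu.com.
          # See: https://github.com/actions/runner-images/issues/9777
          mkdir -p ~/.gnupg/
          touch ~/.gnupg/dirmngr.conf
          echo "standard-resolver" > ~/.gnupg/dirmngr.conf

      - name: Install solc
        run: brew install solidity

      - name: Install resolc
        # NOTE(review): the downloaded binary is made executable and run without
        # any integrity check, in a job that holds signing credentials. Record
        # the expected SHA-256 for this version and verify it before `chmod +x`.
        run: |
          VERSION="0.3.0"
          ASSET_URL="https://github.com/pezkuwichain/revive/releases/download/v$VERSION/resolc-universal-apple-darwin"
          echo "Downloading resolc v$VERSION from $ASSET_URL"
          curl -Lsf --show-error -o $HOME/.cargo/bin/resolc "$ASSET_URL"
          chmod +x $HOME/.cargo/bin/resolc
          xattr -c $HOME/.cargo/bin/resolc
          resolc --version

      - name: Install llvm
        run: |
          brew install llvm@21

      - name: Set dynamic library path
        # NOTE(review): the three `export`s only live for this step's shell;
        # only DYLD_LIBRARY_PATH is written to GITHUB_ENV and reaches later
        # steps. Also `brew --prefix llvm` names the unversioned formula while
        # the previous step installs llvm@21. Confirm both are intended.
        run: |
          LLVM_PATH=$(brew --prefix llvm)
          export LIBCLANG_PATH="$LLVM_PATH/lib"
          export LDFLAGS="-L$LLVM_PATH/lib"
          export CPPFLAGS="-I$LLVM_PATH/include"
          echo "DYLD_LIBRARY_PATH=$LLVM_PATH/lib" >> "$GITHUB_ENV"

      - name: Install sha256sum
        run: |
          brew install coreutils

      - name: Install pgpkkms
        run: |
          # Install pgpkms that is used to sign built artifacts
          python3 -m pip install "pgpkms @ git+https://github.com/pezkuwichain-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151" --break-system-packages

      - name: Import gpg keys
        shell: bash
        run: |
          . ./.github/scripts/common/lib.sh

          import_gpg_keys

      - name: Build binary
        # Caller-supplied values reach the shell as environment variables, not
        # as text pasted into the script, so they cannot alter the command line.
        env:
          RC_BINARY: ${{ matrix.binaries }}
          RC_PACKAGE: ${{ inputs.package }}
          RC_FEATURES: ${{ inputs.features }}
        run: |
          git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error
          # The features argument is passed only when the input is non-empty.
          ./.github/scripts/release/build-macos-release.sh "${RC_BINARY}" "${RC_PACKAGE}" ${RC_FEATURES:+"${RC_FEATURES}"}

      # NOTE(review): this job pins attest-build-provenance v2.4.0 and
      # upload-artifact v4.3.1 while the Linux jobs use v3.0.0 and v5.0.0;
      # align them unless the difference is deliberate.
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be  # v2.4.0
        with:
          subject-path: ${{ env.ARTIFACTS_PATH }}/${{ matrix.binaries }}

      - name: Sign artifacts
        working-directory: ${{ env.ARTIFACTS_PATH }}
        env:
          RC_BINARY: ${{ matrix.binaries }}
        run: |
          python3 -m pgpkms sign --input "${RC_BINARY}" -o "${RC_BINARY}.asc"

      - name: Check sha256 ${{ matrix.binaries }}
        working-directory: ${{ env.ARTIFACTS_PATH }}
        shell: bash
        env:
          RC_BINARY: ${{ matrix.binaries }}
        run: |
          . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh

          echo "Checking binary ${RC_BINARY}"
          check_sha256 "${RC_BINARY}"

      - name: Check GPG ${{ matrix.binaries }}
        working-directory: ${{ env.ARTIFACTS_PATH }}
        shell: bash
        env:
          RC_BINARY: ${{ matrix.binaries }}
        run: |
          . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh

          check_gpg "${RC_BINARY}"

      - name: Upload ${{ matrix.binaries }} artifacts
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
        with:
          name: ${{ matrix.binaries }}_${{ inputs.target }}
          path: ${{ env.ARTIFACTS_PATH }}

  build-pezkuwi-deb-and-rpm-package:
    if: ${{ inputs.package == 'pezkuwi' && inputs.target == 'x86_64-unknown-linux-gnu' }}
    needs: [build-rc]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          ref: ${{ inputs.release_tag }}
          fetch-depth: 0

      - name: Download pezkuwi_x86_64-unknown-linux-gnu artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
        with:
          name: pezkuwi_x86_64-unknown-linux-gnu
          path: target/production
          merge-multiple: true

      - name: Download pezkuwi-execute-worker_x86_64-unknown-linux-gnu artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
        with:
          name: pezkuwi-execute-worker_x86_64-unknown-linux-gnu
          path: target/production
          merge-multiple: true

      - name: Download pezkuwi-prepare-worker_x86_64-unknown-linux-gnu artifacts
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
        with:
          name: pezkuwi-prepare-worker_x86_64-unknown-linux-gnu
          path: target/production
          merge-multiple: true

      - name: Install rpmbuild
        run: sudo apt-get update && sudo apt-get install -y rpm

      # NOTE(review): this is the only action in the workflow referenced by a
      # mutable tag instead of a full commit SHA; pin it like the others.
      # actions/setup-ruby is deprecated upstream in favour of ruby/setup-ruby,
      # so plan a migration as well.
      - name: Set up Ruby
        uses: actions/setup-ruby@v1
        with:
          ruby-version: '3.2'

      # NOTE(review): fpm is installed unpinned, so the tool that produces the
      # attested packages can change between runs; consider fixing its version.
      - name: Install fpm
        run: gem install fpm

      - name: Build pezkuwi deb package
        shell: bash
        # The package name is handed over through the environment rather than
        # substituted into the script text.
        env:
          RC_PACKAGE: ${{ inputs.package }}
        run: |
          . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
          VERSION=$(get_pezkuwi_node_version_from_code)
          . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh "${RC_PACKAGE}" "${VERSION}"

      - name: Build pezkuwi rpm package
        shell: bash
        env:
          RC_PACKAGE: ${{ inputs.package }}
        run: |
          . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
          VERSION=$(get_pezkuwi_node_version_from_code)
          . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-rpm.sh "${RC_PACKAGE}" "${VERSION}"

      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a  # v3.0.0
        with:
          subject-path: |
            target/production/*.deb
            target/production/*.rpm

      - name: Upload ${{inputs.package }} artifacts
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5.0.0
        with:
          name: ${{ inputs.package }}_${{ inputs.target }}
          path: target/production
          overwrite: true

  # Every upload job below calls the same reusable workflow with
  # `secrets: inherit`, which forwards all secrets available to this workflow.
  # NOTE(review): passing only the named secrets the upload needs would keep
  # the rest out of the called workflow; its requirements are not visible here.
  upload-pezkuwi-artifacts-to-s3:
    if: ${{ inputs.package == 'pezkuwi' && inputs.target == 'x86_64-unknown-linux-gnu' }}
    needs: [build-pezkuwi-deb-and-rpm-package]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: ${{ inputs.package }}
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pezkuwi-teyrchain-artifacts-to-s3:
    if: ${{ inputs.package == 'pezkuwi-teyrchain-bin' && inputs.target == 'x86_64-unknown-linux-gnu' }}
    needs: [build-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: pezkuwi-teyrchain
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pezkuwi-omni-node-artifacts-to-s3:
    if: ${{ inputs.package == 'pezkuwi-omni-node' && inputs.target == 'x86_64-unknown-linux-gnu' }}
    needs: [build-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: ${{ inputs.package }}
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pezframe-omni-bencher-artifacts-to-s3:
    if: ${{ inputs.package == 'pezframe-omni-bencher' && inputs.target == 'x86_64-unknown-linux-gnu' }}
    needs: [build-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: ${{ inputs.package }}
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-chain-spec-builder-artifacts-to-s3:
    if: ${{ inputs.package == 'pez-staging-chain-spec-builder' && inputs.target == 'x86_64-unknown-linux-gnu' }}
    needs: [build-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: chain-spec-builder
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-bizinikiwi-node-artifacts-to-s3:
    if: ${{ inputs.package == 'pez-staging-node-cli' && inputs.target == 'x86_64-unknown-linux-gnu' }}
    needs: [build-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: bizinikiwi-node
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-eth-rpc-artifacts-to-s3:
    if: ${{ inputs.package == 'pezpallet-revive-eth-rpc' && inputs.target == 'x86_64-unknown-linux-gnu' }}
    needs: [build-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: eth-rpc
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pez-subkey-artifacts-to-s3:
    if: ${{ inputs.package == 'pez-subkey' && inputs.target == 'x86_64-unknown-linux-gnu' }}
    needs: [build-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: pez-subkey
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pezkuwi-macos-artifacts-to-s3:
    if: ${{ inputs.package == 'pezkuwi' && inputs.target == 'aarch64-apple-darwin' }}
    # TODO: add and use a `build-pezkuwi-homebrew-package` which packs all `pezkuwi` binaries:
    # `pezkuwi`, `pezkuwi-prepare-worker` and `pezkuwi-execute-worker`.
    needs: [build-macos-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: ${{ inputs.package }}
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pezkuwi-prepare-worker-macos-artifacts-to-s3:
    if: ${{ inputs.package == 'pezkuwi' && inputs.target == 'aarch64-apple-darwin' }}
    needs: [build-macos-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: pezkuwi-prepare-worker
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pezkuwi-execute-worker-macos-artifacts-to-s3:
    if: ${{ inputs.package == 'pezkuwi' && inputs.target == 'aarch64-apple-darwin' }}
    needs: [build-macos-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: pezkuwi-execute-worker
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pezkuwi-omni-node-macos-artifacts-to-s3:
    if: ${{ inputs.package == 'pezkuwi-omni-node' && inputs.target == 'aarch64-apple-darwin' }}
    needs: [build-macos-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: ${{ inputs.package }}
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pezkuwi-teyrchain-macos-artifacts-to-s3:
    if: ${{ inputs.package == 'pezkuwi-teyrchain-bin' && inputs.target == 'aarch64-apple-darwin' }}
    needs: [build-macos-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: pezkuwi-teyrchain
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pezframe-omni-bencher-macos-artifacts-to-s3:
    if: ${{ inputs.package == 'pezframe-omni-bencher' && inputs.target == 'aarch64-apple-darwin' }}
    needs: [build-macos-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: ${{ inputs.package }}
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-chain-spec-builder-macos-artifacts-to-s3:
    if: ${{ inputs.package == 'pez-staging-chain-spec-builder' && inputs.target == 'aarch64-apple-darwin' }}
    needs: [build-macos-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: chain-spec-builder
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-bizinikiwi-node-macos-artifacts-to-s3:
    if: ${{ inputs.package == 'pez-staging-node-cli' && inputs.target == 'aarch64-apple-darwin' }}
    needs: [build-macos-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: bizinikiwi-node
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-eth-rpc-macos-artifacts-to-s3:
    if: ${{ inputs.package == 'pezpallet-revive-eth-rpc' && inputs.target == 'aarch64-apple-darwin' }}
    needs: [build-macos-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: eth-rpc
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit

  upload-pez-subkey-macos-artifacts-to-s3:
    if: ${{ inputs.package == 'pez-subkey' && inputs.target == 'aarch64-apple-darwin' }}
    needs: [build-macos-rc]
    uses: ./.github/workflows/release-reusable-s3-upload.yml
    with:
      package: pez-subkey
      release_tag: ${{ inputs.release_tag }}
      target: ${{ inputs.target }}
    secrets: inherit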