pezkuwi-sdk/.github/workflows/release-reusable-rc-build.yml
pezkuwichain 830dcc9bba Development (#172)
* docs: Add CLAUDE_RULES.md with strict rebrand protection rules

- Define immutable rebrand rules that cannot be violated
- Prohibit reverting rebrand for cargo check convenience
- Establish checkpoint and audit trail requirements
- Document correct error handling approach

* refactor: Complete kurdistan-sdk to pezkuwi-sdk rebrand

- Update README.md with pezkuwi-sdk branding
- Replace all kurdistan-sdk URL references with pezkuwi-sdk
- Replace kurdistan-tech with pezkuwichain in workflows
- Update email domains from @kurdistan-tech.io to @pezkuwichain.io
- Rename tool references: kurdistan-tech-publish → pezkuwi-publish
- Update runner names: kurdistan-tech-* → pezkuwichain-*
- Update analytics/forum/matrix domains to pezkuwichain.io
- Keep 'Kurdistan Tech Institute' as organization name
- Keep tech@kurdistan.gov as official government contact
2025-12-19 23:30:43 +03:00

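name: RC Build

# Reusable workflow (workflow_call only): builds the requested package for one
# target, generates a build-provenance attestation, signs the artifacts and
# hands them to the S3 upload workflow. Every input is supplied by the caller.
on:
  workflow_call:
    inputs:
      binary:
        # Read through `fromJSON(inputs.binary)` as the build matrix, so the
        # caller passes a JSON array of binary names, e.g. '["pezkuwi"]'.
        # With `required: true` the caller must always supply a value, so the
        # default below is effectively unused; kept for backwards compatibility.
        description: Binary to be built for the release (JSON array of binary names)
        required: true
        default: pezkuwi
        type: string
      package:
        # Each listed value has a matching upload-*-to-s3 job below; a value
        # without one is built but never uploaded.
        description: >-
          Package to be built, one of pezkuwi, pezkuwi-teyrchain-bin,
          pezkuwi-omni-node, pezframe-omni-bencher, pez-staging-chain-spec-builder,
          pez-staging-node-cli, pezpallet-revive-eth-rpc or pez-subkey
        required: true
        type: string
      release_tag:
        # Checked out by every build job, so the sources built are exactly the tagged commit.
        description: Tag matching the actual release candidate with the format pezkuwi-stableYYMM(-rcX) or pezkuwi-stableYYMM-X(-rcX)
        required: true
        type: string
      target:
        # Only x86_64-unknown-linux-gnu and aarch64-apple-darwin have build jobs
        # below; any other value skips every job except set-image.
        description: Target triple for which the artifacts are being built (e.g. x86_64-unknown-linux-gnu)
        required: true
        type: string
      features:
        # Forwarded as the third argument of the build-*-release.sh scripts; may be empty.
        description: Features to be enabled when building the binary (must be a list of comma-separated features)
        required: false
        type: string

# Least privilege for every job: `contents: read` for checkout, `id-token: write`
# and `attestations: write` for actions/attest-build-provenance (Sigstore OIDC).
permissions:
  id-token: write
  contents: read
  attestations: write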
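jobs:
  set-image:
    # GitHub Actions allows using 'env' in a container context.
    # However, env variables don't work for forks: https://github.com/orgs/community/discussions/44322
    # This workaround sets the container image for each job using 'set-image' job output.
    runs-on: ubuntu-latest
    env:
      # The raw JSON array string from the caller; only inspected as text below.
      BINARY: ${{ inputs.binary }}
    outputs:
      # IMAGE is expected to come from the `.github/env` file appended to $GITHUB_OUTPUT below.
      IMAGE: ${{ steps.set_image.outputs.IMAGE }}
      RUNNER: ${{ steps.set_image.outputs.RUNNER }}
    steps:
      # No `ref:` here: `.github/env` is read from the caller's ref, not from
      # inputs.release_tag (the build jobs check out the tag separately).
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - id: set_image
        shell: bash
        run: |
          # Every line of .github/env is appended as a step output (IMAGE among them).
          cat .github/env >> "$GITHUB_OUTPUT"
          # Heavier binaries get the larger runner; the quoted right-hand sides make
          # `=~` a literal substring match on the JSON array string.
          RUNNER=""
          if [[ "${BINARY}" =~ "pezkuwi-teyrchain" || "${BINARY}" =~ "pezkuwi-omni-node" ]]; then
            RUNNER="ubuntu-latest-m"
            echo "Using ubuntu-latest-m runner"
          else
            RUNNER="ubuntu-latest"
            echo "Using ubuntu-latest runner"
          fi
          echo "RUNNER=${RUNNER}" >> "$GITHUB_OUTPUT"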
build-rc:
if: ${{ inputs.target == 'x86_64-unknown-linux-gnu' }}
needs: [set-image]
runs-on: ${{ needs.set-image.outputs.RUNNER }}
environment: release
container:
image: ${{ needs.set-image.outputs.IMAGE }}
strategy:
matrix:
binaries: ${{ fromJSON(inputs.binary) }}
env:
PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
steps:
- name: Install pgpkkms
run: |
# Install pgpkms that is used to sign built artifacts
python3 -m pip install "pgpkms @ git+https://github.com/pezkuwichain-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151"
which pgpkms
- name: Checkout sources
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: ${{ inputs.release_tag }}
fetch-depth: 0
- name: Import gpg keys
shell: bash
run: |
. ./.github/scripts/common/lib.sh
import_gpg_keys
- name: Build binary
run: |
git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error
./.github/scripts/release/build-linux-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }}
- name: Generate artifact attestation
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
with:
subject-path: /artifacts/${{ matrix.binaries }}/${{ matrix.binaries }}
- name: Sign artifacts
working-directory: /artifacts/${{ matrix.binaries }}
run: |
python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc
- name: Check sha256 ${{ matrix.binaries }}
working-directory: /artifacts/${{ matrix.binaries }}
shell: bash
run: |
. "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
echo "Checking binary ${{ matrix.binaries }}"
check_sha256 ${{ matrix.binaries }}
- name: Check GPG ${{ matrix.binaries }}
working-directory: /artifacts/${{ matrix.binaries }}
shell: bash
run: |
. "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
check_gpg ${{ matrix.binaries }}
- name: Upload ${{ matrix.binaries }} artifacts
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: ${{ matrix.binaries }}_${{ inputs.target }}
path: /artifacts/${{ matrix.binaries }}
build-macos-rc:
if: ${{ inputs.target == 'aarch64-apple-darwin' }}
runs-on: macos-latest
environment: release
strategy:
matrix:
binaries: ${{ fromJSON(inputs.binary) }}
env:
PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
steps:
- name: Checkout sources
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: ${{ inputs.release_tag }}
fetch-depth: 0
- name: Set rust version from env file
run: |
RUST_VERSION=$(cat .github/env | sed -E 's/.*ci-unified:([^-]+)-([^-]+).*/\2/')
echo $RUST_VERSION
echo "RUST_VERSION=${RUST_VERSION}" >> $GITHUB_ENV
- name: Set workspace environment variable
# relevant for artifacts upload, which can not interpolate Github Action variable syntax when
# used within valid paths. We can not use root-based paths either, since it is set as read-only
# on the `pezkuwichain-macos` runner.
run: echo "ARTIFACTS_PATH=${GITHUB_WORKSPACE}/artifacts/${{ matrix.binaries }}" >> $GITHUB_ENV
- name: Set up Homebrew
uses: Homebrew/actions/setup-homebrew@1ccc07ccd54b6048295516a3eb89b192c35057dc # master from 12.09.2024
- name: Set homebrew binaries location on path
run: echo "/opt/homebrew/bin" >> $GITHUB_PATH
- name: Install rust ${{ env.RUST_VERSION }}
uses: actions-rust-lang/setup-rust-toolchain@fb51252c7ba57d633bc668f941da052e410add48 # v1.13.0
with:
cache: false
toolchain: ${{ env.RUST_VERSION }}
target: wasm32-unknown-unknown
components: cargo, clippy, rust-docs, rust-src, rustfmt, rustc, rust-std
- name: cargo info
run: |
echo "######## rustup show ########"
rustup show
echo "######## cargo --version ########"
cargo --version
- name: Install protobuf
run: brew install protobuf
- name: Install gpg
run: |
brew install gnupg
# Setup for being able to resolve: keyserver.ubuntu.com.
# See: https://github.com/actions/runner-images/issues/9777
mkdir -p ~/.gnupg/
touch ~/.gnupg/dirmngr.conf
echo "standard-resolver" > ~/.gnupg/dirmngr.conf
- name: Install solc
run: brew install solidity
- name: Install resolc
run: |
VERSION="0.3.0"
ASSET_URL="https://github.com/pezkuwichain/revive/releases/download/v$VERSION/resolc-universal-apple-darwin"
echo "Downloading resolc v$VERSION from $ASSET_URL"
curl -Lsf --show-error -o $HOME/.cargo/bin/resolc "$ASSET_URL"
chmod +x $HOME/.cargo/bin/resolc
xattr -c $HOME/.cargo/bin/resolc
resolc --version
- name: Install llvm
run: |
brew install llvm@21
- name: Set dynamic library path
run: |
LLVM_PATH=$(brew --prefix llvm)
export LIBCLANG_PATH="$LLVM_PATH/lib"
export LDFLAGS="-L$LLVM_PATH/lib"
export CPPFLAGS="-I$LLVM_PATH/include"
echo "DYLD_LIBRARY_PATH=$LLVM_PATH/lib" >> $GITHUB_ENV
- name: Install sha256sum
run: |
brew install coreutils
- name: Install pgpkkms
run: |
# Install pgpkms that is used to sign built artifacts
python3 -m pip install "pgpkms @ git+https://github.com/pezkuwichain-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151" --break-system-packages
- name: Import gpg keys
shell: bash
run: |
. ./.github/scripts/common/lib.sh
import_gpg_keys
- name: Build binary
run: |
git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error
./.github/scripts/release/build-macos-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }}
- name: Generate artifact attestation
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
with:
subject-path: ${{ env.ARTIFACTS_PATH }}/${{ matrix.binaries }}
- name: Sign artifacts
working-directory: ${{ env.ARTIFACTS_PATH }}
run: |
python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc
- name: Check sha256 ${{ matrix.binaries }}
working-directory: ${{ env.ARTIFACTS_PATH }}
shell: bash
run: |
. "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
echo "Checking binary ${{ matrix.binaries }}"
check_sha256 ${{ matrix.binaries }}
- name: Check GPG ${{ matrix.binaries }}
working-directory: ${{ env.ARTIFACTS_PATH }}
shell: bash
run: |
. "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
check_gpg ${{ matrix.binaries }}
- name: Upload ${{ matrix.binaries }} artifacts
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ matrix.binaries }}_${{ inputs.target }}
path: ${{ env.ARTIFACTS_PATH }}
build-pezkuwi-deb-and-rpm-package:
if: ${{ inputs.package == 'pezkuwi' && inputs.target == 'x86_64-unknown-linux-gnu' }}
needs: [build-rc]
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: ${{ inputs.release_tag }}
fetch-depth: 0
- name: Download pezkuwi_x86_64-unknown-linux-gnu artifacts
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: pezkuwi_x86_64-unknown-linux-gnu
path: target/production
merge-multiple: true
- name: Download pezkuwi-execute-worker_x86_64-unknown-linux-gnu artifacts
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: pezkuwi-execute-worker_x86_64-unknown-linux-gnu
path: target/production
merge-multiple: true
- name: Download pezkuwi-prepare-worker_x86_64-unknown-linux-gnu artifacts
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: pezkuwi-prepare-worker_x86_64-unknown-linux-gnu
path: target/production
merge-multiple: true
- name: Install rpmbuild
run: sudo apt-get update && sudo apt-get install -y rpm
- name: Set up Ruby
uses: actions/setup-ruby@v1
with:
ruby-version: '3.2'
- name: Install fpm
run: gem install fpm
- name: Build pezkuwi deb package
shell: bash
run: |
. "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
VERSION=$(get_pezkuwi_node_version_from_code)
. "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${VERSION}
- name: Build pezkuwi rpm package
shell: bash
run: |
. "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
VERSION=$(get_pezkuwi_node_version_from_code)
. "${GITHUB_WORKSPACE}"/.github/scripts/release/build-rpm.sh ${{ inputs.package }} ${VERSION}
- name: Generate artifact attestation
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
with:
subject-path: |
target/production/*.deb
target/production/*.rpm
- name: Upload ${{inputs.package }} artifacts
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: ${{ inputs.package }}_${{ inputs.target }}
path: target/production
overwrite: true
upload-pezkuwi-artifacts-to-s3:
if: ${{ inputs.package == 'pezkuwi' && inputs.target == 'x86_64-unknown-linux-gnu' }}
needs: [build-pezkuwi-deb-and-rpm-package]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: ${{ inputs.package }}
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pezkuwi-teyrchain-artifacts-to-s3:
if: ${{ inputs.package == 'pezkuwi-teyrchain-bin' && inputs.target == 'x86_64-unknown-linux-gnu' }}
needs: [build-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: pezkuwi-teyrchain
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pezkuwi-omni-node-artifacts-to-s3:
if: ${{ inputs.package == 'pezkuwi-omni-node' && inputs.target == 'x86_64-unknown-linux-gnu' }}
needs: [build-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: ${{ inputs.package }}
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pezframe-omni-bencher-artifacts-to-s3:
if: ${{ inputs.package == 'pezframe-omni-bencher' && inputs.target == 'x86_64-unknown-linux-gnu' }}
needs: [build-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: ${{ inputs.package }}
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-chain-spec-builder-artifacts-to-s3:
if: ${{ inputs.package == 'pez-staging-chain-spec-builder' && inputs.target == 'x86_64-unknown-linux-gnu' }}
needs: [build-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: chain-spec-builder
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-bizinikiwi-node-artifacts-to-s3:
if: ${{ inputs.package == 'pez-staging-node-cli' && inputs.target == 'x86_64-unknown-linux-gnu' }}
needs: [build-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: bizinikiwi-node
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-eth-rpc-artifacts-to-s3:
if: ${{ inputs.package == 'pezpallet-revive-eth-rpc' && inputs.target == 'x86_64-unknown-linux-gnu' }}
needs: [build-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: eth-rpc
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pez-subkey-artifacts-to-s3:
if: ${{ inputs.package == 'pez-subkey' && inputs.target == 'x86_64-unknown-linux-gnu' }}
needs: [build-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: pez-subkey
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pezkuwi-macos-artifacts-to-s3:
if: ${{ inputs.package == 'pezkuwi' && inputs.target == 'aarch64-apple-darwin' }}
# TODO: add and use a `build-pezkuwi-homebrew-package` which packs all `pezkuwi` binaries:
# `pezkuwi`, `pezkuwi-prepare-worker` and `pezkuwi-execute-worker`.
needs: [build-macos-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: ${{ inputs.package }}
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pezkuwi-prepare-worker-macos-artifacts-to-s3:
if: ${{ inputs.package == 'pezkuwi' && inputs.target == 'aarch64-apple-darwin' }}
needs: [build-macos-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: pezkuwi-prepare-worker
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pezkuwi-execute-worker-macos-artifacts-to-s3:
if: ${{ inputs.package == 'pezkuwi' && inputs.target == 'aarch64-apple-darwin' }}
needs: [build-macos-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: pezkuwi-execute-worker
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pezkuwi-omni-node-macos-artifacts-to-s3:
if: ${{ inputs.package == 'pezkuwi-omni-node' && inputs.target == 'aarch64-apple-darwin' }}
needs: [build-macos-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: ${{ inputs.package }}
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pezkuwi-teyrchain-macos-artifacts-to-s3:
if: ${{ inputs.package == 'pezkuwi-teyrchain-bin' && inputs.target == 'aarch64-apple-darwin' }}
needs: [build-macos-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: pezkuwi-teyrchain
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pezframe-omni-bencher-macos-artifacts-to-s3:
if: ${{ inputs.package == 'pezframe-omni-bencher' && inputs.target == 'aarch64-apple-darwin' }}
needs: [build-macos-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: ${{ inputs.package }}
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-chain-spec-builder-macos-artifacts-to-s3:
if: ${{ inputs.package == 'pez-staging-chain-spec-builder' && inputs.target == 'aarch64-apple-darwin' }}
needs: [build-macos-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: chain-spec-builder
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-bizinikiwi-node-macos-artifacts-to-s3:
if: ${{ inputs.package == 'pez-staging-node-cli' && inputs.target == 'aarch64-apple-darwin' }}
needs: [build-macos-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: bizinikiwi-node
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-eth-rpc-macos-artifacts-to-s3:
if: ${{ inputs.package == 'pezpallet-revive-eth-rpc' && inputs.target == 'aarch64-apple-darwin' }}
needs: [build-macos-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: eth-rpc
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit
upload-pez-subkey-macos-artifacts-to-s3:
if: ${{ inputs.package == 'pez-subkey' && inputs.target == 'aarch64-apple-darwin' }}
needs: [build-macos-rc]
uses: ./.github/workflows/release-reusable-s3-upload.yml
with:
package: pez-subkey
release_tag: ${{ inputs.release_tag }}
target: ${{ inputs.target }}
secrets: inherit