pezkuwichain/pezkuwi-subxt
1
0
Fork 0
mirror of https://github.com/pezkuwichain/pezkuwi-subxt.git synced 2026-06-12 04:11:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactor docker image build (#3045)

Browse Source 
* add lib.sh file from polkadot to reuse existing functionality

* use personal repo for test

* add debug line for visibility

* add more debug

* make lib.sh executable

* more debugging

* add permissons to read conents

* test write permissions for the contents

* try download wothout token

* cleanup

* add lib.sh from polkadot to the manual step

* add new manual docker image build + renaming of the release image build

* replace existing manual docker image publishing to test

* add checkout of lib.sh from polkadot

* copy lib.sh from temp to the artifacts folder

* change path to the artifacts folder and cleanup

* rename to test

* make binary executable

* fix path to binary in the for loop

* add debug

* make bin executable right after fetching it

* change is_final field to a string value

* Add semver version extraction for a tag

* add tags to the image

* tag iamge after it was built

* refactor tagging

* fix docker owner issue in build step

* push right after tagging in loop

* rename of the file

* cleanup

* update workflow description

Co-authored-by: Chevdor <chevdor@users.noreply.github.com>

* use choice to determine type of the image

* add combimed flow for image piublishing

* change conditions

* change conditions for event action

* test another conditions

* fix conditions

* fix typo in conditions

* split fetching artifacts into release and rc

* fix if

* split the rest based on rc or release image

* refactor push and check

* fix if in rc artifacts fetch

* copy lib.sh to the artifacts dir

* cleanup

* address PR comments

---------

Co-authored-by: Chevdor <chevdor@users.noreply.github.com>
This commit is contained in:
Egor_P
2023-08-24 10:49:48 +02:00
committed by GitHub
parent 8abf7c5ee1
commit 953a07a2c6
5 changed files with 208 additions and 311 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cumulus/.github/workflows/release-50_docker-manual.yml
Vendored
-156
View File
@@ -1,156 +0,0 @@
name: Release - Docker (Manual)
# This workflow fetches the binaries, checks sha256 and GPG
# signatures, then builds an injected docker
# image and publishes it.
on:
workflow_dispatch:
inputs:
tag:
description: release tag to build image for
default: v0.9.230
required: true
prerelease:
description: is prerelease
default: "false"
required: true
jobs:
docker_build_publish:
env:
BINARY: polkadot-parachain
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ github.event.release.tag_name }}
- name: Prepare temp folder
run: |
TMP=$(mktemp -d)
echo "TMP folder: $TMP"
echo "TMP=$TMP" >> $GITHUB_ENV
pwd
ls -al "$TMP"
- name: Fetch files from release
working-directory: ${{ env.TMP }}
run: |
echo "Repo: ${{ github.event.repository.full_name }}"
echo "Working from folder $(pwd)"
ls -al
for f in $BINARY $BINARY.asc $BINARY.sha256; do
URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.inputs.tag }}/$f"
echo " - Fetching $f from $URL"
wget "$URL" -O "$f"
done
chmod a+x $BINARY
ls -al
- name: Check SHA256
working-directory: ${{ env.TMP }}
run: |
ls -al *$BINARY*
shasum -a 256 -c $BINARY.sha256
sha_result=$?
echo sha_result: $sha_result
if [[ $sha_result -ne 0 ]]; then
echo "SHA256 check failed, exiting with error"
exit 1
else
echo "SHA256 check passed"
fi
- name: Check GPG
working-directory: ${{ env.TMP }}
run: |
KEY_PARITY_SEC=9D4B2B6EB8F97156D19669A9FF0812D491B96798
KEY_CHEVDOR=2835EAF92072BC01D188AF2C4A092B93E97CE1E2
KEY_EGOR=E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3
KEYSERVER=keyserver.ubuntu.com
gpg --keyserver $KEYSERVER --receive-keys $KEY_PARITY_SEC
echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $KEY_PARITY_SEC trust;
if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
for key in $KEY_CHEVDOR $KEY_EGOR; do
(
echo "Importing GPG key $key"
gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key
echo -e "4\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $key trust;
) &
done
wait
fi
gpg --no-tty --verify $BINARY.asc
gpg_result=$?
echo gpg_result: $gpg_result
if [[ $gpg_result -ne 0 ]]; then
echo "GPG check failed, exiting with error"
exit 1
else
echo "GPG check passed"
fi
- name: Build injected image
env:
DOCKERHUB_ORG: parity
OWNER: ${{ env.DOCKERHUB_ORG }}
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
IMAGE_NAME: polkadot-parachain
run: |
mkdir -p target/release-artifacts
cp -f ${TMP}/$BINARY* target/release-artifacts/
./docker/scripts/build-injected-image.sh
- name: Login to Dockerhub
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Tag and Publish
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_ORG: parity
run: |
docker run --pull never --rm $DOCKERHUB_ORG/$BINARY --version
VERSION=$(docker run --pull never --rm $DOCKERHUB_ORG/$BINARY --version | awk '{ print $2 }' )
SEMVER=$( echo $VERSION | cut -f1 -d- )
GITREF=$( echo $VERSION | cut -f2 -d- )
PRE=${{ github.event.inputs.prerelease }}
PRE_STR=""
echo "SEMVER=$SEMVER"
echo "GITREF=$GITREF"
echo "PRE=$PRE"
# Build a tag such as:
# 1.2.3-8a1201273 or
# 1.2.3-pre-8a1201273 for pre-releases
[[ $PRE == "true" ]] && PRE_STR="-pre"
TAG=${SEMVER}${PRE_STR}-${GITREF}
echo "PRE_STR=$PRE_STR"
echo "TAG=$TAG"
docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:$TAG
docker push $DOCKERHUB_ORG/$BINARY:$TAG
if [[ $PRE != "true" ]]; then
docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:latest
docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:$SEMVER
docker push $DOCKERHUB_ORG/$BINARY:latest
docker push $DOCKERHUB_ORG/$BINARY:$SEMVER
fi
docker images
cumulus/.github/workflows/release-50_docker.yml
Vendored
-154
View File
@@ -1,154 +0,0 @@
name: Release - Docker
# This workflow listens to pubished releases.
# It includes releases and pre-releases.
# It fetches the binaries, checks sha256 and GPG
# signatures, then builds an injected docker
# image and publishes it.
on:
release:
types:
- published
jobs:
docker_build_publish:
env:
BINARY: polkadot-parachain
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ github.event.release.tag_name }}
- name: Prepare temp folder
run: |
TMP=$(mktemp -d)
echo "TMP=$TMP" >> "$GITHUB_ENV"
pwd
ls -al "$TMP"
- name: Fetch files from release
working-directory: ${{ env.TMP }}
run: |
echo "Repo: ${{ github.event.repository.full_name }}"
echo "Name: ${{ github.event.release.name }}"
echo "Tag: ${{ github.event.release.tag_name }}"
echo "Draft: ${{ github.event.release.draft }}"
echo "Prerelease: ${{ github.event.release.prerelease }}"
echo "Assets: ${{ github.event.release.assets }}"
for f in $BINARY $BINARY.asc $BINARY.sha256; do
URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.release.tag_name }}/$f"
echo " - Fetching $f from $URL"
wget "$URL" -O "$f"
done
chmod a+x $BINARY
ls -al
- name: Check SHA256
working-directory: ${{ env.TMP }}
run: |
ls -al *$BINARY*
shasum -a 256 -c $BINARY.sha256
sha_result=$?
echo sha_result: $sha_result
if [[ $sha_result -ne 0 ]]; then
echo "SHA256 check failed, exiting with error"
exit 1
else
echo "SHA256 check passed"
fi
- name: Check GPG
working-directory: ${{ env.TMP }}
run: |
KEY_PARITY_SEC=9D4B2B6EB8F97156D19669A9FF0812D491B96798
KEY_CHEVDOR=2835EAF92072BC01D188AF2C4A092B93E97CE1E2
KEY_EGOR=E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3
KEYSERVER=keyserver.ubuntu.com
gpg --keyserver $KEYSERVER --receive-keys $KEY_PARITY_SEC
echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $KEY_PARITY_SEC trust;
if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
for key in $KEY_CHEVDOR $KEY_EGOR; do
(
echo "Importing GPG key $key"
gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key
echo -e "4\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $key trust;
) &
done
wait
fi
gpg --no-tty --verify $BINARY.asc
gpg_result=$?
echo gpg_result: $gpg_result
if [[ $gpg_result -ne 0 ]]; then
echo "GPG check failed, exiting with error"
exit 1
else
echo "GPG check passed"
fi
- name: Build injected image
env:
DOCKERHUB_ORG: parity
OWNER: ${{ env.DOCKERHUB_ORG }}
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
IMAGE_NAME: polkadot-parachain
run: |
mkdir -p target/release-artifacts
cp -f ${TMP}/$BINARY* target/release-artifacts/
./docker/scripts/build-injected-image.sh
- name: Login to Dockerhub
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Tag and Publish
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_ORG: parity
run: |
docker run --pull never --rm $DOCKERHUB_ORG/$BINARY --version
VERSION=$(docker run --pull never --rm $DOCKERHUB_ORG/$BINARY --version | awk '{ print $2 }' )
SEMVER=$( echo $VERSION | cut -f1 -d- )
GITREF=$( echo $VERSION | cut -f2 -d- )
PRE=${{ github.event.release.prerelease }}
PRE_STR=""
echo "SEMVER=$SEMVER"
echo "GITREF=$GITREF"
echo "PRE=$PRE"
# Build a tag such as:
# 1.2.3-8a1201273 or
# 1.2.3-pre-8a1201273 for pre-releases
[[ $PRE == "true" ]] && PRE_STR="-pre"
TAG=${SEMVER}${PRE_STR}-${GITREF}
echo "PRE_STR=$PRE_STR"
echo "TAG=$TAG"
docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:$TAG
docker push $DOCKERHUB_ORG/$BINARY:$TAG
if [[ $PRE != "true" ]]; then
docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:latest
docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:$SEMVER
docker push $DOCKERHUB_ORG/$BINARY:latest
docker push $DOCKERHUB_ORG/$BINARY:$SEMVER
fi
docker images
cumulus/.github/workflows/release-50_publish-docker.yml
Vendored
+206
View File
@@ -0,0 +1,206 @@
name: Release - Publish Docker Image
# This workflow listens to pubished releases or can be triggered manually.
# It includes releases and rc candidates.
# It fetches the binaries, checks sha256 and GPG
# signatures, then builds an injected docker
# image and publishes it.
on:
release:
types:
- published
workflow_dispatch:
inputs:
release_id:
description: |
Release ID.
You can find it using the command:
curl -s \
-H "Authorization: Bearer ${GITHUB_TOKEN}" https://api.github.com/repos/$OWNER/$REPO/releases | \
jq '.[] | { name: .name, id: .id }'
required: true
type: string
image_type:
description: Type of the image to be published
required: true
default: rc
type: choice
options:
- rc
- release
registry:
description: Container registry
required: true
type: string
default: docker.io
owner:
description: Owner of the container image repo
required: true
type: string
default: parity
env:
RELEASE_ID: ${{ inputs.release_id }}
ENGINE: docker
REGISTRY: ${{ inputs.registry }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DOCKER_OWNER: ${{ inputs.owner || github.repository_owner }}
REPO: ${{ github.repository }}
BINARY: polkadot-parachain
EVENT_ACTION: ${{ github.event.action }}
EVENT_NAME: ${{ github.event_name }}
IMAGE_TYPE: ${{ inputs.image_type }}
jobs:
fetch-artifacts:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Prepare temp folder
run: |
TMP=$(mktemp -d)
echo "TMP=$TMP" >> "$GITHUB_ENV"
pwd
ls -al "$TMP"
- name: Fetch lib.sh from polkadot repo
working-directory: ${{ env.TMP }}
run: |
curl -O -L \
-H "Accept: application/vnd.github.v3.raw" \
https://raw.githubusercontent.com/paritytech/polkadot/master/scripts/ci/common/lib.sh
chmod a+x lib.sh
ls -al
- name: Fetch release artifacts based on final release tag
#this step runs only if the workflow is triggered automatically when new release is published
if: ${{ env.EVENT_NAME == 'release' && env.EVENT_ACTION != '' && env.EVENT_ACTION == 'published' }}
run: |
mkdir -p release-artifacts && cd release-artifacts
for f in $BINARY $BINARY.asc $BINARY.sha256; do
URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.release.tag_name }}/$f"
echo " - Fetching $f from $URL"
wget "$URL" -O "$f"
done
chmod a+x $BINARY
cp -f ${TMP}/lib.sh .
ls -al
- name: Fetch rc artifacts or release artifacts based on release id
#this step runs only if the workflow is triggered manually
if: ${{ env.EVENT_NAME == 'workflow_dispatch' }}
run: |
. ${TMP}/lib.sh
fetch_release_artifacts
chmod a+x release-artifacts/$BINARY
ls -al
cp -f ${TMP}/lib.sh release-artifacts/
- name: Cache the artifacts
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
key: artifacts-${{ github.sha }}
path: |
./release-artifacts/**/*
build-container:
runs-on: ubuntu-latest
needs: fetch-artifacts
steps:
- name: Checkout sources
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Get artifacts from cache
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
key: artifacts-${{ github.sha }}
fail-on-cache-miss: true
path: |
./release-artifacts/**/*
- name: Check sha256 ${{ env.BINARY }}
working-directory: ./release-artifacts
run: |
. ./lib.sh
echo "Checking binary $BINARY"
check_sha256 $BINARY && echo "OK" || echo "ERR"
- name: Check GPG ${{ env.BINARY }}
working-directory: ./release-artifacts
run: |
. ./lib.sh
import_gpg_keys
check_gpg $BINARY
- name: Build Injected Container image for ${{ env.BINARY }}
env:
IMAGE_NAME: ${{ env.BINARY }}
OWNER: ${{ env.DOCKER_OWNER }}
run: |
ls -al
echo "Building container for $BINARY"
./docker/scripts/build-injected-image.sh
- name: Fetch rc commit and tag
if: ${{ env.IMAGE_TYPE == 'rc' }}
id: fetch_rc_refs
run: |
release=release-${{ inputs.release_id }} && \
echo "release=${release}" >> $GITHUB_OUTPUT
commit=$(git rev-parse --short HEAD) && \
echo "commit=${commit}" >> $GITHUB_OUTPUT
tag=$(git name-rev --tags --name-only $(git rev-parse HEAD)) && \
[ "${tag}" != "undefined" ] && echo "tag=${tag}" >> $GITHUB_OUTPUT || \
echo "No tag, doing without"
- name: Fetch release tags
if: ${{ env.IMAGE_TYPE == 'release' || env.EVENT_NAME == 'release' && env.EVENT_ACTION != '' && env.EVENT_ACTION == 'published' }}
id: fetch_release_refs
run: |
VERSION=$(docker run --pull never --rm $DOCKER_OWNER/$BINARY --version | awk '{ print $2 }' )
release=$( echo $VERSION | cut -f1 -d- )
echo "tag=latest" >> $GITHUB_OUTPUT
echo "release=${release}" >> $GITHUB_OUTPUT
- name: Login to Dockerhub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Tag and Push Container image for ${{ env.BINARY }}
id: docker_push
env:
TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }}
run: |
TAGS=${TAGS[@]:-latest}
IFS=',' read -r -a TAG_ARRAY <<< "$TAGS"
echo "The image ${BINARY} will be tagged with ${TAG_ARRAY[*]}"
for TAG in "${TAG_ARRAY[@]}"; do
$ENGINE tag ${DOCKER_OWNER}/${BINARY} ${DOCKER_OWNER}/${BINARY}:${TAG}
$ENGINE push ${DOCKER_OWNER}/${BINARY}:${TAG}
done
$ENGINE images | grep ${BINARY}
- name: Check version for the published image for ${{ env.BINARY }}
env:
RELEASE_TAG: ${{ steps.fetch_rc_refs.outputs.release || steps.fetch_release_refs.outputs.release }}
run: |
echo "Checking tag ${RELEASE_TAG} for image ${REGISTRY}/${DOCKER_OWNER}/${BINARY}"
$ENGINE run -i ${REGISTRY}/${DOCKER_OWNER}/${BINARY}:${RELEASE_TAG} --version
cumulus/docker/injected.Dockerfile
+1 -1
View File
@@ -22,7 +22,7 @@ USER root
RUN mkdir -p /specs
# add polkadot-parachain binary to the docker image
COPY ./target/release-artifacts/* /usr/local/bin
COPY ./release-artifacts/* /usr/local/bin
COPY ./parachains/chain-specs/*.json /specs/
USER parity
cumulus/docker/scripts/build-injected-image.sh
+1
View File
@@ -2,6 +2,7 @@
OWNER=${OWNER:-parity}
IMAGE_NAME=${IMAGE_NAME:-polkadot-parachain}
docker build --no-cache \
--build-arg IMAGE_NAME=$IMAGE_NAME \
-t $OWNER/$IMAGE_NAME \