diff --git a/cumulus/.github/workflows/release-50_docker-manual.yml b/cumulus/.github/workflows/release-50_docker-manual.yml
deleted file mode 100644
index ac564e8374..0000000000
--- a/cumulus/.github/workflows/release-50_docker-manual.yml
+++ /dev/null
@@ -1,156 +0,0 @@ -name: Release - Docker (Manual) - -# This workflow fetches the binaries, checks sha256 and GPG -# signatures, then builds an injected docker -# image and publishes it. - -on: - workflow_dispatch: - inputs: - tag: - description: release tag to build image for - default: v0.9.230 - required: true - prerelease: - description: is prerelease - default: "false" - required: true - -jobs: - docker_build_publish: - env: - BINARY: polkadot-parachain - runs-on: ubuntu-latest - - steps: - - name: Checkout sources - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - with: - ref: ${{ github.event.release.tag_name }} - - - name: Prepare temp folder - run: | - TMP=$(mktemp -d) - echo "TMP folder: $TMP" - echo "TMP=$TMP" >> $GITHUB_ENV - pwd - ls -al "$TMP" - - - name: Fetch files from release - working-directory: ${{ env.TMP }} - run: | - echo "Repo: ${{ github.event.repository.full_name }}" - echo "Working from folder $(pwd)" - ls -al - - for f in $BINARY $BINARY.asc $BINARY.sha256; do - URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.inputs.tag }}/$f" - echo " - Fetching $f from $URL" - wget "$URL" -O "$f" - done - chmod a+x $BINARY - ls -al - - - name: Check SHA256 - working-directory: ${{ env.TMP }} - run: | - ls -al *$BINARY* - shasum -a 256 -c $BINARY.sha256 - sha_result=$? 
- - echo sha_result: $sha_result - - if [[ $sha_result -ne 0 ]]; then - echo "SHA256 check failed, exiting with error" - exit 1 - else - echo "SHA256 check passed" - fi - - - name: Check GPG - working-directory: ${{ env.TMP }} - run: | - KEY_PARITY_SEC=9D4B2B6EB8F97156D19669A9FF0812D491B96798 - KEY_CHEVDOR=2835EAF92072BC01D188AF2C4A092B93E97CE1E2 - KEY_EGOR=E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3 - KEYSERVER=keyserver.ubuntu.com - - gpg --keyserver $KEYSERVER --receive-keys $KEY_PARITY_SEC - echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $KEY_PARITY_SEC trust; - - if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then - for key in $KEY_CHEVDOR $KEY_EGOR; do - ( - echo "Importing GPG key $key" - gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key - echo -e "4\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $key trust; - ) & - done - wait - fi - - gpg --no-tty --verify $BINARY.asc - gpg_result=$? - - echo gpg_result: $gpg_result - - if [[ $gpg_result -ne 0 ]]; then - echo "GPG check failed, exiting with error" - exit 1 - else - echo "GPG check passed" - fi - - - name: Build injected image - env: - DOCKERHUB_ORG: parity - OWNER: ${{ env.DOCKERHUB_ORG }} - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - IMAGE_NAME: polkadot-parachain - run: | - mkdir -p target/release-artifacts - cp -f ${TMP}/$BINARY* target/release-artifacts/ - ./docker/scripts/build-injected-image.sh - - - name: Login to Dockerhub - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Tag and Publish - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_ORG: parity - run: | - docker run --pull never --rm $DOCKERHUB_ORG/$BINARY --version - VERSION=$(docker run --pull never --rm $DOCKERHUB_ORG/$BINARY --version | awk '{ print $2 }' ) - SEMVER=$( echo $VERSION | cut -f1 -d- ) - GITREF=$( echo 
$VERSION | cut -f2 -d- ) - PRE=${{ github.event.inputs.prerelease }} - PRE_STR="" - - echo "SEMVER=$SEMVER" - echo "GITREF=$GITREF" - echo "PRE=$PRE" - - # Build a tag such as: - # 1.2.3-8a1201273 or - # 1.2.3-pre-8a1201273 for pre-releases - [[ $PRE == "true" ]] && PRE_STR="-pre" - TAG=${SEMVER}${PRE_STR}-${GITREF} - echo "PRE_STR=$PRE_STR" - echo "TAG=$TAG" - - docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:$TAG - docker push $DOCKERHUB_ORG/$BINARY:$TAG - - if [[ $PRE != "true" ]]; then - docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:latest - docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:$SEMVER - - docker push $DOCKERHUB_ORG/$BINARY:latest - docker push $DOCKERHUB_ORG/$BINARY:$SEMVER - fi - - docker images diff --git a/cumulus/.github/workflows/release-50_docker.yml b/cumulus/.github/workflows/release-50_docker.yml deleted file mode 100644 index d6d79cc12f..0000000000 --- a/cumulus/.github/workflows/release-50_docker.yml +++ /dev/null 
@@ -1,154 +0,0 @@ -name: Release - Docker - -# This workflow listens to pubished releases. -# It includes releases and pre-releases. -# It fetches the binaries, checks sha256 and GPG -# signatures, then builds an injected docker -# image and publishes it. - -on: - release: - types: - - published - -jobs: - docker_build_publish: - env: - BINARY: polkadot-parachain - runs-on: ubuntu-latest - - steps: - - name: Checkout sources - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - with: - ref: ${{ github.event.release.tag_name }} - - - name: Prepare temp folder - run: | - TMP=$(mktemp -d) - echo "TMP=$TMP" >> "$GITHUB_ENV" - pwd - ls -al "$TMP" - - - name: Fetch files from release - working-directory: ${{ env.TMP }} - run: | - echo "Repo: ${{ github.event.repository.full_name }}" - - echo "Name: ${{ github.event.release.name }}" - echo "Tag: ${{ github.event.release.tag_name }}" - echo "Draft: ${{ github.event.release.draft }}" - echo "Prerelease: ${{ github.event.release.prerelease }}" - echo "Assets: ${{ github.event.release.assets }}" - - for f in $BINARY $BINARY.asc $BINARY.sha256; do - URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.release.tag_name }}/$f" - echo " - Fetching $f from $URL" - wget "$URL" -O "$f" - done - chmod a+x $BINARY - ls -al - - - name: Check SHA256 - working-directory: ${{ env.TMP }} - run: | - ls -al *$BINARY* - shasum -a 256 -c $BINARY.sha256 - sha_result=$? 
- - echo sha_result: $sha_result - - if [[ $sha_result -ne 0 ]]; then - echo "SHA256 check failed, exiting with error" - exit 1 - else - echo "SHA256 check passed" - fi - - - name: Check GPG - working-directory: ${{ env.TMP }} - run: | - KEY_PARITY_SEC=9D4B2B6EB8F97156D19669A9FF0812D491B96798 - KEY_CHEVDOR=2835EAF92072BC01D188AF2C4A092B93E97CE1E2 - KEY_EGOR=E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3 - KEYSERVER=keyserver.ubuntu.com - - gpg --keyserver $KEYSERVER --receive-keys $KEY_PARITY_SEC - echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $KEY_PARITY_SEC trust; - - if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then - for key in $KEY_CHEVDOR $KEY_EGOR; do - ( - echo "Importing GPG key $key" - gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key - echo -e "4\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key $key trust; - ) & - done - wait - fi - - gpg --no-tty --verify $BINARY.asc - gpg_result=$? - - echo gpg_result: $gpg_result - - if [[ $gpg_result -ne 0 ]]; then - echo "GPG check failed, exiting with error" - exit 1 - else - echo "GPG check passed" - fi - - - name: Build injected image - env: - DOCKERHUB_ORG: parity - OWNER: ${{ env.DOCKERHUB_ORG }} - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - IMAGE_NAME: polkadot-parachain - run: | - mkdir -p target/release-artifacts - cp -f ${TMP}/$BINARY* target/release-artifacts/ - ./docker/scripts/build-injected-image.sh - - - name: Login to Dockerhub - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Tag and Publish - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_ORG: parity - run: | - docker run --pull never --rm $DOCKERHUB_ORG/$BINARY --version - VERSION=$(docker run --pull never --rm $DOCKERHUB_ORG/$BINARY --version | awk '{ print $2 }' ) - SEMVER=$( echo $VERSION | cut -f1 -d- ) - GITREF=$( echo 
$VERSION | cut -f2 -d- ) - PRE=${{ github.event.release.prerelease }} - PRE_STR="" - - echo "SEMVER=$SEMVER" - echo "GITREF=$GITREF" - echo "PRE=$PRE" - - # Build a tag such as: - # 1.2.3-8a1201273 or - # 1.2.3-pre-8a1201273 for pre-releases - [[ $PRE == "true" ]] && PRE_STR="-pre" - TAG=${SEMVER}${PRE_STR}-${GITREF} - echo "PRE_STR=$PRE_STR" - echo "TAG=$TAG" - - docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:$TAG - docker push $DOCKERHUB_ORG/$BINARY:$TAG - - if [[ $PRE != "true" ]]; then - docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:latest - docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:$SEMVER - - docker push $DOCKERHUB_ORG/$BINARY:latest - docker push $DOCKERHUB_ORG/$BINARY:$SEMVER - fi - - docker images diff --git a/cumulus/.github/workflows/release-50_publish-docker.yml b/cumulus/.github/workflows/release-50_publish-docker.yml new file mode 100644 index 0000000000..6ad943c390 --- /dev/null +++ b/cumulus/.github/workflows/release-50_publish-docker.yml 
@@ -0,0 +1,206 @@ +name: Release - Publish Docker Image + +# This workflow listens to pubished releases or can be triggered manually. +# It includes releases and rc candidates. +# It fetches the binaries, checks sha256 and GPG +# signatures, then builds an injected docker +# image and publishes it. + +on: + release: + types: + - published + workflow_dispatch: + inputs: + release_id: + description: | + Release ID. + You can find it using the command: + curl -s \ + -H "Authorization: Bearer ${GITHUB_TOKEN}" https://api.github.com/repos/$OWNER/$REPO/releases | \ + jq '.[] | { name: .name, id: .id }' + required: true + type: string + image_type: + description: Type of the image to be published + required: true + default: rc + type: choice + options: + - rc + - release + registry: + description: Container registry + required: true + type: string + default: docker.io + owner: + description: Owner of the container image repo + required: true + type: string + default: parity + +env: + RELEASE_ID: ${{ inputs.release_id }} + ENGINE: docker + REGISTRY: ${{ inputs.registry }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DOCKER_OWNER: ${{ inputs.owner || github.repository_owner }} + REPO: ${{ github.repository }} + BINARY: polkadot-parachain + EVENT_ACTION: ${{ github.event.action }} + EVENT_NAME: ${{ github.event_name }} + IMAGE_TYPE: ${{ inputs.image_type }} + +jobs: + fetch-artifacts: + runs-on: ubuntu-latest + + steps: + - name: Checkout sources + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - name: Prepare temp folder + run: | + TMP=$(mktemp -d) + echo "TMP=$TMP" >> "$GITHUB_ENV" + pwd + ls -al "$TMP" + + - name: Fetch lib.sh from polkadot repo + working-directory: ${{ env.TMP }} + run: | + curl -O -L \ + -H "Accept: application/vnd.github.v3.raw" \ + https://raw.githubusercontent.com/paritytech/polkadot/master/scripts/ci/common/lib.sh + + chmod a+x lib.sh + ls -al + + - name: Fetch release artifacts based on final release tag + #this step 
runs only if the workflow is triggered automatically when new release is published + if: ${{ env.EVENT_NAME == 'release' && env.EVENT_ACTION != '' && env.EVENT_ACTION == 'published' }} + run: | + mkdir -p release-artifacts && cd release-artifacts + + for f in $BINARY $BINARY.asc $BINARY.sha256; do + URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.release.tag_name }}/$f" + echo " - Fetching $f from $URL" + wget "$URL" -O "$f" + done + chmod a+x $BINARY + cp -f ${TMP}/lib.sh . + ls -al + + - name: Fetch rc artifacts or release artifacts based on release id + #this step runs only if the workflow is triggered manually + if: ${{ env.EVENT_NAME == 'workflow_dispatch' }} + run: | + . ${TMP}/lib.sh + + fetch_release_artifacts + + chmod a+x release-artifacts/$BINARY + ls -al + + cp -f ${TMP}/lib.sh release-artifacts/ + + - name: Cache the artifacts + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + with: + key: artifacts-${{ github.sha }} + path: | + ./release-artifacts/**/* + + build-container: + runs-on: ubuntu-latest + needs: fetch-artifacts + + steps: + - name: Checkout sources + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - name: Get artifacts from cache + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 + with: + key: artifacts-${{ github.sha }} + fail-on-cache-miss: true + path: | + ./release-artifacts/**/* + + - name: Check sha256 ${{ env.BINARY }} + working-directory: ./release-artifacts + run: | + . ./lib.sh + + echo "Checking binary $BINARY" + check_sha256 $BINARY && echo "OK" || echo "ERR" + + - name: Check GPG ${{ env.BINARY }} + working-directory: ./release-artifacts + run: | + . 
./lib.sh + import_gpg_keys + check_gpg $BINARY + + - name: Build Injected Container image for ${{ env.BINARY }} + env: + IMAGE_NAME: ${{ env.BINARY }} + OWNER: ${{ env.DOCKER_OWNER }} + run: | + ls -al + echo "Building container for $BINARY" + ./docker/scripts/build-injected-image.sh + + - name: Fetch rc commit and tag + if: ${{ env.IMAGE_TYPE == 'rc' }} + id: fetch_rc_refs + run: | + release=release-${{ inputs.release_id }} && \ + echo "release=${release}" >> $GITHUB_OUTPUT + + commit=$(git rev-parse --short HEAD) && \ + echo "commit=${commit}" >> $GITHUB_OUTPUT + + tag=$(git name-rev --tags --name-only $(git rev-parse HEAD)) && \ + [ "${tag}" != "undefined" ] && echo "tag=${tag}" >> $GITHUB_OUTPUT || \ + echo "No tag, doing without" + + - name: Fetch release tags + if: ${{ env.IMAGE_TYPE == 'release' || env.EVENT_NAME == 'release' && env.EVENT_ACTION != '' && env.EVENT_ACTION == 'published' }} + id: fetch_release_refs + run: | + VERSION=$(docker run --pull never --rm $DOCKER_OWNER/$BINARY --version | awk '{ print $2 }' ) + release=$( echo $VERSION | cut -f1 -d- ) + echo "tag=latest" >> $GITHUB_OUTPUT + echo "release=${release}" >> $GITHUB_OUTPUT + + + - name: Login to Dockerhub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Tag and Push Container image for ${{ env.BINARY }} + id: docker_push + env: + TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }} + run: | + TAGS=${TAGS[@]:-latest} + IFS=',' read -r -a TAG_ARRAY <<< "$TAGS" + + echo "The image ${BINARY} will be tagged with ${TAG_ARRAY[*]}" + for TAG in "${TAG_ARRAY[@]}"; do + $ENGINE tag ${DOCKER_OWNER}/${BINARY} ${DOCKER_OWNER}/${BINARY}:${TAG} + $ENGINE push ${DOCKER_OWNER}/${BINARY}:${TAG} + done + + $ENGINE images | grep ${BINARY} + + - name: Check version for the published image for ${{ env.BINARY }} + env: + RELEASE_TAG: ${{ steps.fetch_rc_refs.outputs.release 
|| steps.fetch_release_refs.outputs.release }} + run: | + echo "Checking tag ${RELEASE_TAG} for image ${REGISTRY}/${DOCKER_OWNER}/${BINARY}" + $ENGINE run -i ${REGISTRY}/${DOCKER_OWNER}/${BINARY}:${RELEASE_TAG} --version diff --git a/cumulus/docker/injected.Dockerfile b/cumulus/docker/injected.Dockerfile index 16b8877c30..f9b11f022e 100644 --- a/cumulus/docker/injected.Dockerfile +++ b/cumulus/docker/injected.Dockerfile @@ -22,7 +22,7 @@ USER root RUN mkdir -p /specs # add polkadot-parachain binary to the docker image -COPY ./target/release-artifacts/* /usr/local/bin +COPY ./release-artifacts/* /usr/local/bin COPY ./parachains/chain-specs/*.json /specs/ USER parity diff --git a/cumulus/docker/scripts/build-injected-image.sh b/cumulus/docker/scripts/build-injected-image.sh index dc92f181bc..b8bb0dd7dd 100755 --- a/cumulus/docker/scripts/build-injected-image.sh +++ b/cumulus/docker/scripts/build-injected-image.sh @@ -2,6 +2,7 @@ OWNER=${OWNER:-parity} IMAGE_NAME=${IMAGE_NAME:-polkadot-parachain} + docker build --no-cache \ --build-arg IMAGE_NAME=$IMAGE_NAME \ -t $OWNER/$IMAGE_NAME \
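Review bot: In the `Check sha256` step, `check_sha256 $BINARY && echo "OK" || echo "ERR"` never fails the job: on a checksum mismatch the compound list ends with `echo "ERR"` (exit 0), so the workflow goes on to build and push the image, whereas the two deleted workflows exited 1 on a failed `shasum -c`. Replace it with `check_sha256 "$BINARY" || { echo "ERR: sha256 mismatch for $BINARY"; exit 1; }` so the integrity check actually gates the push (the GPG step only relies on bash `-e` aborting on a non-zero `check_gpg`, which works if lib.sh's function returns non-zero on failure — worth confirming). The `Fetch lib.sh from polkadot repo` step also downloads a script from the unpinned `master` branch of another repository and later sources it with `. ${TMP}/lib.sh` / `. ./lib.sh`, with no checksum, in a workflow whose env exposes `GITHUB_TOKEN` and that later logs in with `DOCKERHUB_TOKEN`; pinning the URL to a commit SHA and checking a known digest before sourcing would keep this in line with the SHA-pinned `actions/checkout` and `actions/cache` uses, and `docker/login-action@v2` should likewise be pinned as the removed workflows had it. Finally, the cache key `artifacts-${{ github.sha }}` carries neither the release id nor the event, so two manual runs for different releases from the same commit would appear to reuse each other's artifacts; `artifacts-${{ github.sha }}-${{ inputs.release_id || github.event.release.tag_name }}` would disambiguate.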
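Review bot: `COPY ./release-artifacts/* /usr/local/bin` copies whatever the workflow left in that directory, and the new workflow also places `lib.sh` there (`cp -f ${TMP}/lib.sh release-artifacts/`) alongside `polkadot-parachain.asc` and `polkadot-parachain.sha256` on the release-event path, so a CI helper script and the signature files end up on the image's PATH. Copy only the binary, e.g. `COPY ./release-artifacts/polkadot-parachain /usr/local/bin/`; since the build script passes `--build-arg IMAGE_NAME`, `COPY ./release-artifacts/${IMAGE_NAME} /usr/local/bin/` would keep it parameterised if the Dockerfile declares a matching `ARG`, which I cannot see from this hunk.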